diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index 761b4c8..eea7c5c 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -5,9 +5,6 @@ on:
     branches: ["main"]
   pull_request:
 
-permissions:
-  pull-requests: read # allows SonarCloud to decorate PRs with analysis results
-
 jobs:
   build:
     strategy:
@@ -41,6 +38,8 @@ jobs:
     name: Run eslint and sonar scanning
     runs-on: ubuntu-latest
     needs: build
+    permissions:
+      pull-requests: read # allows SonarCloud to decorate PRs with analysis results
     steps:
       - name: Checkout code
         uses: actions/checkout@v6