diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 002d045e2..f084467cf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,7 @@ on:
 permissions:
 contents: write
+ id-token: write
 packages: read
 jobs:
diff --git a/.github/workflows/upload.yml b/.github/workflows/upload.yml
index 29deed488..594c29c61 100644
--- a/.github/workflows/upload.yml
+++ b/.github/workflows/upload.yml
@@ -6,6 +6,7 @@ on:
 permissions:
 contents: read
+ id-token: write
 jobs:
 release:
@@ -26,11 +27,6 @@ jobs:
 with:
 path: downloads
 key: plugin-downloads
- - name: Download Plugins
- env:
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- go run ./cmd/download-plugins downloads
 # uses https://cloud.google.com/iam/docs/workload-identity-federation to
 # swap a GitHub OIDC token for GCP service account credentials, allowing
 # this workflow to manage the buf-plugins bucket
@@ -41,5 +37,10 @@ jobs:
 service_account: buf-plugins-1-publisher@buf-plugins-1.iam.gserviceaccount.com
 - name: Setup gcloud
 uses: google-github-actions/setup-gcloud@d51b5346f85640ec2aa2fa057354d2b82c2fcbce
+ - name: Download Plugins
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: |
+ go run ./cmd/download-plugins downloads
 - name: Upload To Release Bucket
 run: gsutil rsync -r downloads gs://buf-plugins
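Review bot: `id-token: write` is added to the workflow-level `permissions:` block in release.yml (and again in the first hunk of upload.yml), so every job and every action step in both workflows can request a GitHub OIDC token, not only the step that exchanges it for GCP credentials. In release.yml the grant sits next to `contents: write`, and nothing in the visible hunk shows which job consumes the token. Consider moving it to a job-level `permissions:` block on the job that runs the auth step; a job-level block replaces the workflow-level one, so it has to restate the other scopes, e.g. `contents: read` plus `id-token: write` for the upload job. If release.yml needs the scope only to call upload.yml as a reusable workflow (plausible, but not visible here), a comment such as `# required so the called upload workflow can mint an OIDC token for GCP auth` would record why.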
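Review bot: In the last upload.yml hunk the `Download Plugins` step now runs after the GCP auth and `Setup gcloud` steps, so `go run ./cmd/download-plugins downloads` executes with the publisher service account's credentials within reach, in addition to `GITHUB_TOKEN`. google-github-actions/auth exports credential-file environment variables to later steps by default, and the auth step's `with:` block starts outside the hunk, so whether that default is overridden cannot be confirmed here. A step that fetches external artifacts and builds Go dependencies is best kept ahead of the credential exchange unless it needs bucket access. If it does, say so in a comment above the step, e.g. `# runs after auth: <reason download-plugins needs GCP credentials>`. Otherwise leave the download before auth, as the removed lines had it, so that only `gsutil rsync` runs with the bucket credentials.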