diff --git a/.github/workflows/make-v2-release.yml b/.github/workflows/make-v2-release.yml
index 356fdf2bad..a6b4e3366f 100644
--- a/.github/workflows/make-v2-release.yml
+++ b/.github/workflows/make-v2-release.yml
@@ -15,7 +15,6 @@ jobs:
     # Needed as recommended by npm docs on publishing with provenance https://docs.npmjs.com/generating-provenance-statements
     permissions:
       id-token: write
-      contents: write
     environment: Release
     runs-on: ubuntu-latest
     outputs:
diff --git a/.github/workflows/on_doc_merge.yml b/.github/workflows/on_doc_merge.yml
index bcea9b0d7b..b0115b755c 100644
--- a/.github/workflows/on_doc_merge.yml
+++ b/.github/workflows/on_doc_merge.yml
@@ -14,10 +14,9 @@ permissions:
 jobs:
   release-docs:
     permissions:
-      actions: write
-      id-token: write
+      id-token: write  # trade JWT token for AWS credentials in AWS Docs account
     secrets: inherit
-    uses: ./.github/workflows/reusable-publish-docs.yml
+    uses: ./.github/workflows/reusable_publish_docs.yml
     with:
       version: main
       alias: stage
\ No newline at end of file
diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
index b72b59abd6..7b178e9c1d 100644
--- a/.github/workflows/publish_layer.yml
+++ b/.github/workflows/publish_layer.yml
@@ -1,9 +1,7 @@
 name: Deploy layer to all regions
 
 permissions:
-  id-token: write
   contents: write
-  pages: write
 
 on:
   # Manual trigger
@@ -57,6 +55,8 @@ jobs:
     needs:
       - build-layer
     uses: ./.github/workflows/reusable_deploy_layer_stack.yml
+    permissions:
+      id-token: write
     with:
       stage: "BETA"
       artifact-name: "cdk-layer-artifact"
@@ -69,6 +69,8 @@ jobs:
     needs:
       - deploy-beta
     uses: ./.github/workflows/reusable_deploy_layer_stack.yml
+    permissions:
+      id-token: write
     with:
       stage: "PROD"
       artifact-name: "cdk-layer-artifact"
@@ -95,11 +97,9 @@ jobs:
   release-docs:
     needs: [ deploy-prod, prepare_docs_alias ]
     permissions:
-      contents: write
-      pages: write
       id-token: write
     secrets: inherit
-    uses: ./.github/workflows/reusable-publish-docs.yml
+    uses: ./.github/workflows/reusable_publish_docs.yml
     with:
       version: ${{ inputs.latest_published_version }}
       alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }}
diff --git a/.github/workflows/rebuild_latest_docs.yml b/.github/workflows/rebuild_latest_docs.yml
index 9b1f0b8908..b943dea3bc 100644
--- a/.github/workflows/rebuild_latest_docs.yml
+++ b/.github/workflows/rebuild_latest_docs.yml
@@ -28,7 +28,6 @@ permissions:
 jobs:
   release-docs:
     permissions:
-      actions: write # upload artifacts (for debugging issues with the docs build)
       id-token: write  # trade JWT token for AWS credentials in AWS Docs account
     secrets: inherit
     uses: ./.github/workflows/reusable_publish_docs.yml
diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml
index 542dc6ac48..cc44046321 100644
--- a/.github/workflows/reusable_publish_docs.yml
+++ b/.github/workflows/reusable_publish_docs.yml
@@ -47,7 +47,6 @@ jobs:
     runs-on: ubuntu-latest
     environment: Docs
     permissions:
-      actions: write # upload artifacts (for debugging issues with the docs build)
       id-token: write  # trade JWT token for AWS credentials in AWS Docs account
     steps:
       - name: Checkout code