diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index 724019c094..594c4b6770 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -8,6 +8,9 @@ jobs:
     name: Build
     permissions:
       id-token: write # required for AWS assume role
+      # This is because the permission block is replacive instead of additive so setting
+      # id-token removes any other permissions the job has and goreleaser need to write contents
+      contents: write
     runs-on: ubuntu-latest
     strategy:
       matrix: