diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f9b5edb9b..9659cacd2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -74,8 +74,15 @@ jobs:
 smoke:
 name: Smoke test (release gate)
 uses: ./.github/workflows/smoke-test.yml
- permissions:
- contents: read
+ # No job-level `permissions:` block — `scripts/lib/release-readiness.ts`
+ # `diagnosticsForPermissions` enforces strict equality between job-level
+ # and top-level permission values (line ~852: "is `` but must be
+ # ``"). A `contents: read` override here failed Layer 1
+ # readiness on the v0.8.0-rc.1 dispatch (run 25639883562). The smoke job
+ # therefore inherits the top-level `{ contents: write, attestations:
+ # write, id-token: write }` block. The reusable smoke-test workflow is
+ # read-only in practice (npm pack + install + CLI smoke); the inherited
+ # write scopes are unused.
 release:
 name: Manual GitHub Release
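Review bot: Removing the job-level `permissions:` from `smoke` gives the job that runs `npm pack` + install + CLI smoke a token with `contents: write`, `attestations: write` and `id-token: write`. "Unused" is not the same as unavailable: any install-time script or dependency code executed in that job runs with those scopes and can request an OIDC token. The readiness failure described here looks like a limitation of the strict-equality check in `diagnosticsForPermissions` rather than a reason to widen the job, so the safer fix is to let that check accept a job-level value that narrows the top-level one and keep `contents: read` here. If the checker cannot change before the release, confirm that the jobs inside `smoke-test.yml` declare their own `permissions:` with `contents: read` (a called workflow can reduce the inherited token but not raise it) and state that in this comment instead of "read-only in practice". The `line ~852` and run-id references will go stale, and the quoted diagnostic appears to have lost its placeholder values.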