diff --git a/.github/workflows/deploy-web.yml b/.github/workflows/deploy-web.yml
index 5aa0918048b..1deeea12f88 100644
--- a/.github/workflows/deploy-web.yml
+++ b/.github/workflows/deploy-web.yml
@@ -54,8 +54,7 @@ on:
         type: string
         required: false
 
-permissions:
-  deployments: write
+permissions: {}
 
 jobs:
   setup:
@@ -373,10 +372,16 @@ jobs:
 
       - name: Login to Azure
         uses: bitwarden/gh-actions/azure-login@main
+        env:
+          # The following 2 values are ignored in Zizmor, because they have to be dynamically mapped from secrets
+          # The only way around this is to create separate steps per environment with static secret references, which is not maintainable
+          SUBSCRIPTION_ID: ${{ secrets[ needs.setup.outputs.azure_login_subscription_id_key_name ] }} # zizmor: ignore[overprovisioned-secrets]
+          CLIENT_ID: ${{ secrets[ needs.setup.outputs.azure_login_client_key_name ] }} # zizmor: ignore[overprovisioned-secrets]
+          TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
         with:
-          subscription_id: ${{ secrets[needs.setup.outputs.azure_login_subscription_id_key_name] }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets[needs.setup.outputs.azure_login_client_key_name] }}
+          subscription_id: ${{ env.SUBSCRIPTION_ID }}
+          tenant_id: ${{ env.TENANT_ID }}
+          client_id: ${{ env.CLIENT_ID }}
 
       - name: Retrieve Storage Account name
         id: retrieve-secrets-azcopy