diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml
index ec2a628..7692be0 100644
--- a/.github/workflows/semantic-release.yml
+++ b/.github/workflows/semantic-release.yml
@@ -2,11 +2,10 @@ name: Semantic Release
 
 on:
   workflow_call:
-
-permissions:
-  contents: write
-  issues: write
-  pull-requests: write
+    secrets:
+      GH_TOKEN:
+        description: 'PAT with repo access, required to trigger workflows on tag push'
+        required: true
 
 jobs:
   release:
@@ -18,6 +17,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           fetch-depth: 0
+          token: ${{ secrets.GH_TOKEN }}
 
       - name: Setup semantic-release
         uses: https://gitea.ldpt.fr/actions/semantic-release/setup-semrel@main
@@ -25,4 +25,6 @@ jobs:
           node-version: "24"
 
       - name: Run semantic-release
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
         run: semantic-release
\ No newline at end of file