diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 8b85331..95e9086 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -26,5 +26,6 @@ on:
 pull_request:
 push:
 branches: [main]
+ workflow_call:
 permissions:
 contents: read
diff --git a/.github/workflows/stale_action.yml b/.github/workflows/stale_action.yml
index 6f955ad..4909e0c 100644
--- a/.github/workflows/stale_action.yml
+++ b/.github/workflows/stale_action.yml
@@ -4,6 +4,9 @@ env:
 stale-close-label: Auto-closed - Stale
 jobs:
 stale:
+ permissions:
+ issues: write # required to comment on and close stale issues
+ pull-requests: write # required to comment on and close stale PRs
 runs-on: ubuntu-latest
 steps:
 - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
@@ -29,6 +32,4 @@ jobs:
 Remove the Stale label or comment or this will be closed in ${{ env.days-before-close }} days.
 name: Close stale issues and PRs
 on: workflow_call
-permissions:
- issues: write
- pull-requests: write
+permissions: {}
diff --git a/.github/workflows/tag_release.yml b/.github/workflows/tag_release.yml
index 9e10f6e..45c55c5 100644
--- a/.github/workflows/tag_release.yml
+++ b/.github/workflows/tag_release.yml
@@ -2,6 +2,8 @@ jobs:
 release_tag:
 if: "startsWith(github.event.head_commit.message, 'Merge pull request #') && contains(github.event.head_commit.message, format(' from {0}/prepare_release_v', github.repository_owner))"
 name: Tag Release
+ permissions:
+ contents: write # required to create the draft GitHub release
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -32,5 +34,4 @@ jobs:
 gh release create "v$version" "${args[@]}"
 name: Tag Release
 on: workflow_call
-permissions:
- contents: write
+permissions: {}
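Review bot: The `workflow_call:` trigger added under `on:` in lint.yml makes the workflow callable from other workflows, but nothing in the file tells a caller that the workflow-level `contents: read` still has to be granted by the calling job. A called workflow can only keep or lower the caller's token permissions, so a caller running under `permissions: {}` would be rejected when the run starts. I would add `# callers must grant contents: read` above `workflow_call:`. The same holds for the job-level blocks added in stale_action.yml and tag_release.yml, whose callers need `issues: write` and `pull-requests: write`, and `contents: write`, respectively. No caller is visible in this diff, so whether any of them is affected is unconfirmed.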
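Review bot: The new job-level block on `stale` in stale_action.yml grants only `issues: write` and `pull-requests: write`, while the actions/stale README, as I read it, also lists `actions: write`, used for the state the action saves between runs. Any scope not listed in the block is denied to the job, so this tightening is a good moment to check the list against the pinned v10.3.0 and, if it applies, add `actions: write # required to manage the saved run state`. The action's `with:` inputs sit between the two hunks and are not visible, so I cannot tell whether options needing further scopes (branch deletion would need `contents: write`) are enabled.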
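Review bot: The `contents: write` added to `release_tag` in tag_release.yml sits behind an `if:` that trusts `github.event.head_commit.message`, and a commit message is free text written by whoever authored the pushed commit, not proof that a `prepare_release_v*` pull request was merged. Since this job is now the only place in the workflow that holds a write token, I would tie the gate to something the commit author cannot choose, for example by prepending `github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && ` to the expression. The calling workflow's trigger and branch filter are outside this diff, so this may already be enforced there; if it is, a comment on the `if:` saying where would help the next reader.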