diff --git a/.github/workflows/manual-release.yml b/.github/workflows/manual-release.yml
index c890ce2..81e422a 100644
--- a/.github/workflows/manual-release.yml
+++ b/.github/workflows/manual-release.yml
@@ -11,5 +11,4 @@ jobs:
   manual-release:
     uses: ./.github/workflows/release.yml
     with:
-      token: ${{ secrets.GITHUB_TOKEN }}
       tag: ${{ inputs.tag }}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 1d694fb..2e6cde6 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -20,11 +20,8 @@ jobs:
           target-branch: v2
 
   release-sdk-test-harness:
-    permissions:
-      contents: write
     needs: release-please
     if: needs.release-please.outputs.release_created == 'true'
     uses: ./.github/workflows/release.yml
     with:
-      token: ${{ secrets.GITHUB_TOKEN }}
       tag: ${{ needs.release-please.outputs.tag_name }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6cd9230..4290e34 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,11 +1,9 @@
 on:
   workflow_call:
     inputs:
-      token:
-        required: true
-        type: string
       tag:
         required: true
+        description: 'The tag to upload release artifacts to.'
         type: string
 
 jobs:
@@ -15,10 +13,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0 # Needed for goreleaser to inspect tags.
     - uses: ./.github/actions/ci
       with:
         run_linter: 'false'
     - uses: ./.github/actions/publish
       with:
-        token: ${{ github.event.inputs.token }}
+        token: ${{ secrets.GITHUB_TOKEN }}
         tag: ${{ github.event.inputs.tag }}