diff --git a/.github/workflows/commit-to-main.yml b/.github/workflows/commit-to-main.yml
index ab381689f..1a1d05e4a 100644
--- a/.github/workflows/commit-to-main.yml
+++ b/.github/workflows/commit-to-main.yml
@@ -14,6 +14,8 @@ jobs:
scorecard:
uses: ./.github/workflows/scorecard.yml
+ secrets: inherit
basic-downstream:
uses: ./.github/workflows/downstream-basic.yml
+ secrets: inherit
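Review bot: `secrets: inherit` on the `scorecard` and `basic-downstream` jobs hands every secret available to the calling workflow to the reusable workflow, not only the access tokens it needs. Passing them by name limits the exposure to what each called workflow uses: a `secrets:` mapping with one entry per token, such as `TOKEN_NAME: ${{ secrets.TOKEN_NAME }}` (placeholder; the real secret names are not visible in this diff), plus a matching `on.workflow_call.secrets` declaration in the called file. The same applies to the lines added in pr.yml, push.yml and weekly.yml. The job definitions continue outside the hunk, so any existing `permissions:` restrictions are not visible here.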
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 30053e068..014677dbf 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -21,3 +21,4 @@ jobs:
scorecard:
needs: basic-checks
uses: ./.github/workflows/scorecard.yml
+ secrets: inherit
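Review bot: The `scorecard` job in pr.yml now inherits secrets, but the workflow's trigger is outside this hunk, so whether the token is present at run time cannot be confirmed from here. If the workflow runs on `pull_request`, runs from forks receive no repository secrets, so scorecard.yml should tolerate an empty token rather than fail. If it runs on `pull_request_target`, the inherited secrets would be in scope for a run triggered by a contributor's pull request, and that case should be ruled out. A comment above the added line saying which case applies would help, e.g. `# secrets are empty on fork PRs; scorecard.yml must handle that`.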
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 3d0669954..df5b5eef6 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -30,3 +30,4 @@ jobs:
needs: basic-checks
if: contains( github.event.head_commit.message, '[trigger downstream]' )
uses: ./.github/workflows/downstream-release.yml
+ secrets: inherit
diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
index c1c3c3a98..cc815ea36 100644
--- a/.github/workflows/weekly.yml
+++ b/.github/workflows/weekly.yml
@@ -13,6 +13,7 @@ jobs:
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
scorecard:
uses: ./.github/workflows/scorecard.yml
+ secrets: inherit
extended-tests:
uses: ./.github/workflows/extended.yml
diff --git a/CI.md b/CI.md
index 58387fe54..95ad9c2cb 100644
--- a/CI.md
+++ b/CI.md
@@ -87,13 +87,19 @@ Currently, these include
- [`liboqs-go`](https://github.com/open-quantum-safe/liboqs-go)
- [`liboqs-python`](https://github.com/open-quantum-safe/liboqs-python)
+Callers must include `secrets: inherit` in order for the appropriate access tokens to be passed to this workflow.
+
#### Downstream release trigger (`downstream-release.yml`)
-This workflow triggers release tests for a selection of projects that depend on `liboqs`. Currently, this is only the [`OQS OpenSSL3 provider`](https://github.com/open-quantum-safe/oqs-provider).
+This workflow triggers release tests for a selection of projects that depend on `liboqs`.
+Currently, this is only the [`OQS OpenSSL3 provider`](https://github.com/open-quantum-safe/oqs-provider).
+Callers must include `secrets: inherit` in order for the appropriate access tokens to be passed to this workflow.
#### OpenSSF scorecard analysis (`scorecard.yml`)
-This workflow runs the [OpenSSF scorecard](https://github.com/ossf/scorecard) tool. It is additionally triggered automatically when branch protection rules are changed.
+This workflow runs the [OpenSSF scorecard](https://github.com/ossf/scorecard) tool.
+It is additionally triggered automatically when branch protection rules are changed.
+Callers must include `secrets: inherit` in order for the appropriate access tokens to be passed to this workflow.
## Travis CI