diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index 214954e2..a302131d 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@@ -2,12 +2,10 @@ name: CI
 
 permissions:
   packages: read
+  contents: read
 
 on:
-  pull_request:
-  push:
-    branches:
-      - main
+  workflow_call:
 
 jobs:
   backend-ci:
@@ -15,8 +13,6 @@ jobs:
     defaults:
       run:
         working-directory: backend
-    env:
-      backend_path: ${{ github.workspace }}/backend
     steps:
     - uses: actions/checkout@v4
     - run: pipx install poetry==1.7.1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1c80a742..e425cb1b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,7 @@ on:
 
 permissions:
   packages: write
+  contents: write
 
 jobs:
   backend-ci:
diff --git a/.github/workflows/db.yml b/.github/workflows/db.yml
index 26bf9b84..a987580f 100644
--- a/.github/workflows/db.yml
+++ b/.github/workflows/db.yml
@@ -7,6 +7,10 @@ on:
           required: true
           type: string
 
+permissions:
+  packages: write
+  contents: read
+
 jobs:
   build-db:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/kv.yml b/.github/workflows/kv.yml
index 9e835dd9..feb5a093 100644
--- a/.github/workflows/kv.yml
+++ b/.github/workflows/kv.yml
@@ -7,6 +7,10 @@ on:
           required: true
           type: string
 
+permissions:
+  packages: write
+  contents: read
+
 jobs:
   build-kv:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/server.yml b/.github/workflows/server.yml
index faae68b0..133ec238 100644
--- a/.github/workflows/server.yml
+++ b/.github/workflows/server.yml
@@ -7,6 +7,10 @@ on:
           required: true
           type: string
 
+permissions:
+  packages: write
+  contents: read
+
 jobs:
   build-server:
     runs-on: ubuntu-latest