diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 9853ba3..2cfa65d 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -107,11 +107,14 @@ jobs:
 doubletfinder-install:
 if: github.event_name == 'workflow_dispatch' && inputs.run_doubletfinder_install
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults:
 run:
 shell: bash -el {0}
 env:
 SNAKEMAKE_CONDA_FRONTEND: mamba
+ GITHUB_PAT: ${{ github.token }}
 steps:
 - name: Check out repository
 uses: actions/checkout@v4
diff --git a/tests/test_conda_container_validation.py b/tests/test_conda_container_validation.py
index ceb5140..f3893bb 100644
--- a/tests/test_conda_container_validation.py
+++ b/tests/test_conda_container_validation.py
@@ -158,6 +158,15 @@ def test_conda_env_solves_and_key_packages_import(tmp_path, pytestconfig, env_na
 assert imports.returncode == 0, combined_output(imports)


+def test_doubletfinder_github_action_exports_token_for_remotes():
+ root = repo_root()
+ workflow = read_yaml(root / ".github/workflows/tests.yml")
+ job = workflow["jobs"]["doubletfinder-install"]
+
+ assert job.get("permissions", {}).get("contents") == "read"
+ assert job.get("env", {}).get("GITHUB_PAT") == "${{ github.token }}"
+
+
 def test_cellbender_container_can_be_pulled(tmp_path, pytestconfig):
 if not pytestconfig.getoption("--run-container-validation"):
 pytest.skip("use --run-container-validation to pull workflow containers")
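Review bot: `GITHUB_PAT: ${{ github.token }}` is added to the job-level `env:` of `doubletfinder-install`, so every step in the job inherits the token, including any package install scripts that later steps run. The new `permissions:` block with `contents: read` bounds what the token can do, but the narrower placement is an `env:` entry on the single step that needs GitHub access. The steps after the checkout are outside this hunk, so which step that is has to be confirmed there. A comment above the variable stating why the token is exported (presumably for authenticated GitHub downloads by the R `remotes` install, going by the test name) would keep a later editor from widening the permissions without noticing the exposure.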
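Review bot: The permissions assertion in `test_doubletfinder_github_action_exports_token_for_remotes` checks only the `contents` key, so the test keeps passing if a later edit adds a write scope next to it in the same `permissions` mapping. Since the token is exported to the job's environment, the test should pin the whole mapping: `assert job.get("permissions") == {"contents": "read"}`. A one-line docstring saying that the job token must stay read-only because it is exposed as `GITHUB_PAT` would record the intent behind both assertions.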