diff --git a/.github/workflows/gh-aw-create-pr-from-issue.lock.yml b/.github/workflows/gh-aw-create-pr-from-issue.lock.yml index df2cfe5c..14abc62d 100644 --- a/.github/workflows/gh-aw-create-pr-from-issue.lock.yml +++ b/.github/workflows/gh-aw-create-pr-from-issue.lock.yml @@ -39,7 +39,7 @@ # # inlined-imports: true # -# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"e18e4136ec2c2555f2949ff3d20a46828f6ff0aea05e719cec9de72a66e9e3f3"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"612ea26f3ac3cb54a9fb9279b2a60a10eec6cfcdd9201440a3ac36cec4cb1e1e"} name: "Create PR From Issue" "on": @@ -1552,7 +1552,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1694,7 +1693,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 15 diff --git a/.github/workflows/gh-aw-create-pr-from-issue.md b/.github/workflows/gh-aw-create-pr-from-issue.md index 2e8cf547..5251d771 100644 --- a/.github/workflows/gh-aw-create-pr-from-issue.md +++ b/.github/workflows/gh-aw-create-pr-from-issue.md @@ -79,6 +79,10 @@ safe-outputs: activation-comments: false max-patch-size: 10240 add-comment: + max: 1 + pull-requests: false + issues: true + discussions: false target: "${{ inputs.target-issue-number }}" timeout-minutes: 60 steps: diff --git a/.github/workflows/trigger-docs-patrol.yml b/.github/workflows/trigger-docs-patrol.yml index d8a4edc0..5017be6e 100644 --- a/.github/workflows/trigger-docs-patrol.yml +++ b/.github/workflows/trigger-docs-patrol.yml @@ -11,6 +11,7 @@ permissions: issues: write pull-requests: write + actions: read jobs: run: uses: ./.github/workflows/gh-aw-docs-patrol.lock.yml diff --git a/.github/workflows/trigger-framework-best-practices.yml b/.github/workflows/trigger-framework-best-practices.yml index 40792a4f..7b00a1bb 100644 --- a/.github/workflows/trigger-framework-best-practices.yml 
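Review bot: The new `pull-requests: false` / `issues: true` / `discussions: false` keys under `add-comment:` carry no explanation, and since issue and PR numbers share one sequence, the raw `${{ inputs.target-issue-number }}` target can still name a pull request unless the safe-output handler checks the kind of the referenced item rather than only the configured flags — that handler is not visible here, so worth confirming. I'd add a comment above the new keys, e.g. `# Comment only on the target issue; PR/discussion targets are disabled, so the compiled safe-output jobs no longer need discussions: write`. The `safe-outputs:` block this hunk edits starts before the hunk.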
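Review bot: `actions: read` is added to the caller's permissions with no comment saying why the called lock workflow needs it; for a `uses:` call the callee's effective permissions are capped by what the caller grants, so this is presumably satisfying a declaration inside gh-aw-docs-patrol.lock.yml, which is not shown here. `actions: read` also lets the job read run logs and artifacts of every workflow in the repository, so it deserves a one-line justification such as `actions: read  # required by the called gh-aw lock workflow (see its permissions block)` plus a check that the lock file really declares it. The same uncommented grant is repeated in trigger-framework-best-practices.yml and trigger-text-auditor.yml. The `permissions:` map this hunk edits begins above the hunk.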
+++ b/.github/workflows/trigger-framework-best-practices.yml @@ -11,6 +11,7 @@ permissions: issues: write pull-requests: write + actions: read jobs: run: uses: ./.github/workflows/gh-aw-framework-best-practices.lock.yml diff --git a/.github/workflows/trigger-text-auditor.yml b/.github/workflows/trigger-text-auditor.yml index f3cd874d..02a8e31a 100644 --- a/.github/workflows/trigger-text-auditor.yml +++ b/.github/workflows/trigger-text-auditor.yml @@ -11,6 +11,7 @@ permissions: issues: write pull-requests: write + actions: read jobs: run: uses: ./.github/workflows/gh-aw-text-auditor.lock.yml diff --git a/scripts/dogfood.sh b/scripts/dogfood.sh index 6b3bddf2..a1b5c945 100755 --- a/scripts/dogfood.sh +++ b/scripts/dogfood.sh @@ -110,8 +110,28 @@ for f in gh-agent-workflows/*/example.yml; do [[ "$dir" == "$remediation" ]] && add_remediation=true && break done if [[ "$add_remediation" == "true" ]]; then - # Ensure permissions allow downstream PR creation job. - sed -E 's/^([[:space:]]*contents: )read$/\1write/; s/^([[:space:]]*pull-requests: )read$/\1write/' "$target" > "$target.tmp" && mv "$target.tmp" "$target" + # Ensure permissions allow downstream remediation workflow call. + awk ' + BEGIN { in_permissions=0; have_actions=0 } + /^permissions:/ { in_permissions=1; print; next } + in_permissions { + if (/^jobs:/) { + if (!have_actions) print " actions: read" + in_permissions=0 + print + next + } + if ($0 ~ /^ contents: /) sub(/read$/, "write") + if ($0 ~ /^ pull-requests: /) sub(/read$/, "write") + if ($0 ~ /^ actions: /) { + if ($0 ~ /none$/) sub(/none$/, "read") + have_actions=1 + } + print + next + } + { print } + ' "$target" > "$target.tmp" && mv "$target.tmp" "$target" cat >> "$target" <<'EOF'
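Review bot: The awk in the remediation branch keeps `in_permissions` set until it sees `jobs:`, so any other top-level key between `permissions:` and `jobs:` (say `env:` or `concurrency:`) is treated as part of the map, the fallback `  actions: read` is printed immediately before `jobs:` outside the permissions block, and a file where nothing follows `permissions:` never gets the line at all; `/^permissions:/` also fires on the scalar form `permissions: read-all`, where the injected indented line would be invalid YAML. Closing the map on the first non-indented line (and in `END`), and opening it only on the block form, addresses all three; the rewrite below keeps the contents/pull-requests/actions substitutions unchanged. Note the new code also narrows the old sed's any-indentation match to two-space top-level keys, so job-level `contents: read` / `pull-requests: read` are no longer upgraded — presumably intended, but worth a comment. The enclosing `for f in gh-agent-workflows/*/example.yml` loop starts before the hunk and continues past it with the heredoc append.
```shell
awk '
  # Emit the fallback grant once, when the top-level permissions map closes.
  function close_permissions() {
    if (in_permissions && !have_actions) print "  actions: read"
    in_permissions=0
  }
  BEGIN { in_permissions=0; have_actions=0 }
  # Only the block form opens the map; "permissions: read-all" / "{}" are left as-is.
  /^permissions:[[:space:]]*$/ { in_permissions=1; print; next }
  # Any non-indented line (not just "jobs:") ends the map.
  in_permissions && /^[^[:space:]]/ { close_permissions(); print; next }
  in_permissions {
    # … unchanged: contents / pull-requests / actions rewrites, print, next …
  }
  { print }
  END { close_permissions() }
' "$target" > "$target.tmp" && mv "$target.tmp" "$target"
```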