diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index 07a1d01..ba33cf2 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -51,6 +51,9 @@ jobs:
     needs: auto-tag
     if: success()
     uses: ./.github/workflows/release.yml
-    secrets: inherit
     with:
-      gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+      tag: ${{ needs.auto-tag.outputs.new_tag }}
+    secrets:
+      RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+      PASSPHRASE: ${{ secrets.PASSPHRASE }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1d916b7..af5d89c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,17 +3,17 @@ name: Release
 on:
   workflow_call:
     inputs:
-      gpg_private_key:
-        description: "GPG private key to sign releases"
-        required: false
+      tag:
+        description: "The tag to release"
+        required: true
         type: string
     secrets:
       RELEASE_TOKEN:
         required: true
       GPG_PRIVATE_KEY:
-        required: false
+        required: true
       PASSPHRASE:
-        required: false
+        required: true
   push:
     tags:
       - "v*"
@@ -40,9 +40,8 @@ jobs:
       - name: Import GPG key
         id: import_gpg
         uses: crazy-max/ghaction-import-gpg@v5
-        if: inputs.gpg_private_key != ''
         with:
-          gpg_private_key: ${{ inputs.gpg_private_key }}
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
 
       - name: Run GoReleaser