diff --git a/.github/workflows/repo-health.yml b/.github/workflows/repo-health.yml
index 254a50d..4a2eb55 100644
--- a/.github/workflows/repo-health.yml
+++ b/.github/workflows/repo-health.yml
@@ -6,6 +6,7 @@ on:
   workflow_dispatch:
 
 permissions:
+  actions: read
   contents: read
   issues: write
   pull-requests: read
@@ -14,6 +15,8 @@ jobs:
   health-check:
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    env:
+      GH_TOKEN: ${{ github.token }}
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/tests/test_repo_health_workflow.py b/tests/test_repo_health_workflow.py
new file mode 100644
index 0000000..858426d
--- /dev/null
+++ b/tests/test_repo_health_workflow.py
@@ -0,0 +1,11 @@
+from pathlib import Path
+
+
+WORKFLOW = Path(".github/workflows/repo-health.yml")
+
+
+def test_repo_health_workflow_authenticates_github_cli() -> None:
+    workflow = WORKFLOW.read_text(encoding="utf-8")
+
+    assert "actions: read" in workflow
+    assert "GH_TOKEN: ${{ github.token }}" in workflow