diff --git a/.github/workflows/changelog_release.yaml b/.github/workflows/changelog_release.yaml
index 6cba3e3b4..6b81c54ce 100644
--- a/.github/workflows/changelog_release.yaml
+++ b/.github/workflows/changelog_release.yaml
@@ -63,7 +63,11 @@ jobs:
     with:
       version: ${{ needs.prepare-release.outputs.version }}
       emergency: false
-    secrets: inherit
+    # Explicitly pass secrets (instead of secrets: inherit) because reusable workflows
+    # called from push events may not reliably inherit secrets automatically.
+    secrets:
+      OPEN_CAPTURE_SDK_PRS_APP_ID: ${{ secrets.OPEN_CAPTURE_SDK_PRS_APP_ID }}
+      OPEN_CAPTURE_SDK_PRS_PRIVATE_KEY: ${{ secrets.OPEN_CAPTURE_SDK_PRS_PRIVATE_KEY }}
 
   no-release:
     name: No release (tag exists)
diff --git a/.github/workflows/update_sdk_version.yaml b/.github/workflows/update_sdk_version.yaml
index 6581b7a3d..71bc737ff 100644
--- a/.github/workflows/update_sdk_version.yaml
+++ b/.github/workflows/update_sdk_version.yaml
@@ -28,7 +28,10 @@ jobs:
     uses: ./.github/workflows/release_gh.yaml
     with:
       version: ${{ inputs.version }}
-    secrets: inherit
+    # Explicitly pass secrets to ensure they're available when called from other workflows
+    secrets:
+      OPEN_CAPTURE_SDK_PRS_APP_ID: ${{ secrets.OPEN_CAPTURE_SDK_PRS_APP_ID }}
+      OPEN_CAPTURE_SDK_PRS_PRIVATE_KEY: ${{ secrets.OPEN_CAPTURE_SDK_PRS_PRIVATE_KEY }}
   public-release:
     permissions:
       id-token: write # required to use OIDC authentication