diff --git a/.github/workflows/main-issue.yml b/.github/workflows/main-issue.yml
index 701b50c..6e7eb40 100644
--- a/.github/workflows/main-issue.yml
+++ b/.github/workflows/main-issue.yml
@@ -39,3 +39,30 @@ jobs:
               labels: newLabels,
               assignees: ['matttrach']
             });
+            if (versionLabel) {
+              // if version label detected, then add appropriate sub-issues
+              const parentIssue = newIssue.data;
+              const parentIssueTitle = parentIssue.title;
+              const parentIssueNumber = parentIssue.number;
+              // Note: can't get terraform-maintainers team, the default token can't access org level objects
+              // Create the sub-issue
+              const newSubIssue = await github.rest.issues.create({
+                owner: owner,
+                repo: repo,
+                title: "Backport #" + parentIssueNumber + " to release/v0",
+                body:  "Backport #" + parentIssueNumber + " to release/v0",
+                labels: ['release/v0'],
+                assignees: ['matttrach']
+              });
+              const subIssueId = newSubIssue.data.id;
+              // Attach the sub-issue to the parent using API request
+              await github.request('POST /repos/{owner}/{repo}/issues/{issue_number}/sub_issues', {
+                owner: owner,
+                repo: repo,
+                issue_number: parentIssueNumber,
+                sub_issue_id: subIssueId,
+                headers: {
+                  'X-GitHub-Api-Version': '2022-11-28'
+                }
+              });
+            }
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7db03ad..53c293c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,7 +6,12 @@ on:
     - release/v0
     - release/v1
 
-permissions: write-all
+permissions:
+  contents: write
+  id-token: write
+  issues: write
+  pull-requests: write
+  actions: read
 
 jobs:
   release:
@@ -81,7 +86,7 @@ jobs:
         uses: rancher-eio/read-vault-secrets@main
         with:
           secrets: |
-            secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ;
+            secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE;
             secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID;
             secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY;
       - name: import_gpg_key
@@ -114,7 +119,6 @@ jobs:
           GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
           GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
 
-
       # These run after release-please generates a release, so when the release PR is merged
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         if: steps.release-please.outputs.version