diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a990ad5b..44029aed 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -93,8 +93,6 @@ jobs:
 with:
 key: ${{ matrix.build.target }}
 save-if: false
- - name: Configure git auth
- run: git config --global url."https://x-access-token:${{ secrets.GH_PAT }}@github.com/".insteadOf "https://github.com/"
 - name: Build release binary
 run: cargo build --locked --release --target ${{ matrix.build.target }} -p ${{ env.PACKAGE }}
 - run: strip target/${{ matrix.build.target }}/release/${{ env.PACKAGE }}
@@ -201,8 +199,6 @@ jobs:
 TAG="${RELEASE_TAG}"
 gh release upload "$TAG" artifacts/* --clobber
- - name: Configure git auth
- run: git config --global url."https://x-access-token:${{ secrets.GH_PAT }}@github.com/".insteadOf "https://github.com/"
 - name: Build release signer
 run: cargo build --release -p tempo-sign
diff --git a/.github/workflows/changelog-generate.yml b/.github/workflows/changelog-generate.yml
index 7833b515..f4d6cb4e 100644
--- a/.github/workflows/changelog-generate.yml
+++ b/.github/workflows/changelog-generate.yml
@@ -10,14 +10,14 @@ on:
 concurrency: ${{ github.workflow }}-${{ github.event.number }}
-permissions:
- contents: write
- pull-requests: write
+permissions: {}
 jobs:
 generate:
 if: startsWith(github.event.label.name, 'changelog:')
 runs-on: ubuntu-latest
+ environment: release
+ permissions: {}
 steps:
 - name: Determine PR source
 id: source
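Review bot: The `generate` job now carries `environment: release` on a workflow that the validation script in workflow-validation.yml expects to be triggered by `pull_request_target`, so `RELEASE_BOT_APP_ID` and `RELEASE_BOT_PRIVATE_KEY` become readable by a job that starts whenever a `changelog:` label is applied; the job-level `if` checks only the label, and the same-repo gate is applied later per step. That is a reasonable design only if the `release` environment's deployment-branch policy and protection rules stop a run whose `github.ref` is a non-default base branch from reading those secrets, and nothing in the workflow records that assumption. Suggest a comment beside the environment line: `# environment: release holds the app key; its protection rules must restrict which refs may use it`. The `permissions: {}` at both workflow and job level is the right default, with the `pr-feedback` job in a later hunk re-granting `pull-requests: write` explicitly.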
@@ -45,13 +45,26 @@ jobs:
 fi
 echo "ref=$REF" >> "$GITHUB_OUTPUT"
+ - name: Mint scoped app token
+ if: steps.source.outputs.same_repo == 'true'
+ id: app-token
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ with:
+ app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
+ private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
+ owner: tempoxyz
+ repositories: wallet
+ permission-contents: write
+ permission-pull-requests: write
+ permission-metadata: read
+
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 if: steps.source.outputs.same_repo == 'true'
 with:
 repository: ${{ github.event.pull_request.head.repo.full_name }}
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 0
- token: ${{ secrets.GH_PAT }}
+ token: ${{ steps.app-token.outputs.token }}
 persist-credentials: false
 - name: Fetch base branch for diff comparison
@@ -61,10 +74,6 @@ jobs:
 run: |
 git fetch origin "$BASE_REF"
- - name: Configure git credentials for private dependencies
- if: steps.source.outputs.same_repo == 'true'
- run: git config --global url."https://x-access-token:${{ secrets.GH_PAT }}@github.com/".insteadOf "https://github.com/"
-
 - name: Check for existing changelog
 if: steps.source.outputs.same_repo == 'true'
 id: existing
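Review bot: With the `insteadOf` rewrite removed in the following hunk and `persist-credentials: false` on the checkout, the `git fetch origin "$BASE_REF"` that follows runs with no credentials at all, and the same applies to `git fetch origin changelog-release/main` in release.yml; that works for a public repository but fails for a private one, and I cannot tell from the diff which `wallet` is. The push in a later hunk shows the token is already exposed as `APP_TOKEN`, so if the repository is private the fetch needs the same authenticated form. Separately, `owner: tempoxyz` and `repositories: wallet` are hard-coded while the push uses `${GITHUB_REPOSITORY}`; `owner: ${{ github.repository_owner }}` and `repositories: ${{ github.event.repository.name }}` keep the minted token bound to the repository the workflow actually runs in. Minting the token only when `same_repo == 'true'` is the right gate — fork PRs never see an app token.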
@@ -140,16 +149,25 @@ jobs:
 if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false'
 env:
 VALIDATED_REF: ${{ steps.ref.outputs.ref }}
+ APP_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
 set -euo pipefail
 git config user.name "github-actions[bot]"
 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 git add .changelog/
 git commit -m "chore: add changelog"
- git push origin "HEAD:${VALIDATED_REF}"
+ git push "https://x-access-token:${APP_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "HEAD:${VALIDATED_REF}"
+ pr-feedback:
+ name: PR feedback
+ needs: generate
+ if: always() && startsWith(github.event.label.name, 'changelog:')
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ steps:
 - name: Comment for fork PRs
- if: steps.source.outputs.same_repo != 'true'
+ if: github.event.pull_request.head.repo.full_name != github.repository
 env:
 GH_TOKEN: ${{ github.token }}
 PR_NUMBER: ${{ github.event.number }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 268e555f..324638ca 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
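Review bot: The rewritten push places the app token in the command line, `git push "https://x-access-token:${APP_TOKEN}@github.com/…"`, where it sits in the process argument list for the duration of the push and would be echoed by any `set -x` trace; the action registers the token as a secret so the run log is masked, but argv is not. The same pattern is used for the `git push` in release.yml. A form that keeps the token out of argv and out of the remote URL is `git -c http.https://github.com/.extraheader="AUTHORIZATION: basic $(printf 'x-access-token:%s' "$APP_TOKEN" | base64 -w0)" push origin "HEAD:${VALIDATED_REF}"`, the mechanism actions/checkout itself uses. If that is adopted, the literal grep added to workflow-validation.yml has to change in step with it. The `pr-feedback` split — its own `permissions: pull-requests: write`, and a fork test on `head.repo.full_name != github.repository` that no longer depends on another job's step output — is clean.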
@@ -16,29 +16,37 @@ env:
 jobs:
 release:
 runs-on: ubuntu-latest
- permissions:
- contents: write
- pull-requests: write
+ environment: release
+ permissions: {}
 steps:
+ - name: Mint scoped app token
+ id: app-token
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ with:
+ app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
+ private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
+ owner: tempoxyz
+ repositories: wallet
+ permission-contents: write
+ permission-pull-requests: write
+ permission-metadata: read
+
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
- token: ${{ secrets.GH_PAT }}
+ token: ${{ steps.app-token.outputs.token }}
 persist-credentials: false
- - name: Configure git auth
- run: git config --global url."https://x-access-token:${{ secrets.GH_PAT }}@github.com/".insteadOf "https://github.com/"
-
 - uses: tempoxyz/changelogs@54f693643e1bd8469293bdfcbfb647bceb559490 # changelogs@0.6.3 + unified PR title + install from source
 id: changelogs
 with:
 conventional-commit: true
- github-token: ${{ github.token }}
+ github-token: ${{ steps.app-token.outputs.token }}
 - name: Update Cargo.lock on release PR
 if: steps.changelogs.outputs.pullRequestNumber != ''
 env:
- GH_TOKEN: ${{ secrets.GH_PAT }}
+ APP_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
 git fetch origin changelog-release/main
 git checkout changelog-release/main
@@ -46,5 +54,5 @@ jobs:
 if ! git diff --quiet Cargo.lock; then
 git add Cargo.lock
 git commit -m "chore: update Cargo.lock"
- git push origin changelog-release/main
+ git push "https://x-access-token:${APP_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" HEAD:changelog-release/main
 fi
diff --git a/.github/workflows/workflow-validation.yml b/.github/workflows/workflow-validation.yml
index c4a2707a..f874a02a 100644
--- a/.github/workflows/workflow-validation.yml
+++ b/.github/workflows/workflow-validation.yml
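Review bot: Switching the `tempoxyz/changelogs` step from `github.token` to the app token changes which identity opens the release PR and, unlike `GITHUB_TOKEN`, commits and pull requests created with an app token do trigger other workflows; if that is intended so CI runs on the release PR, a comment on the `github-token:` line such as `# app token rather than GITHUB_TOKEN so the release PR triggers CI` would record it, and if not, it is a behavior change to call out. The `Update Cargo.lock` step's body between this hunk and the next is outside the diff; whatever regenerates the lockfile there now runs without the removed `insteadOf` credential, so any private git dependency it has to resolve would fail — the same concern applies to `cargo build --locked` in build.yml, whose two hunks only delete the credential step. The step's env var was also renamed from `GH_TOKEN` to `APP_TOKEN`, so if the unseen part of that script calls `gh` it has lost its token.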
@@ -80,7 +80,9 @@ jobs:
 echo "Checking pull_request_target hardening..."
 grep -n "pull_request_target:" .github/workflows/changelog-generate.yml >/dev/null
 grep -n "if: steps.source.outputs.same_repo == 'true'" .github/workflows/changelog-generate.yml >/dev/null
- grep -n "git push origin \"HEAD:" .github/workflows/changelog-generate.yml >/dev/null
+ # The push must go to the validated branch ref via an authenticated URL
+ # (App-token), since persist-credentials=false on the checkout step.
+ grep -n "git push \"https://x-access-token:\${APP_TOKEN}@github.com/\${GITHUB_REPOSITORY}.git\" \"HEAD:" .github/workflows/changelog-generate.yml >/dev/null
 if grep -n "git checkout -b \$\{\{ github.event.pull_request.head.ref \}\}" .github/workflows/changelog-generate.yml; then
 echo "::error::Unsafe branch checkout pattern detected in changelog generation workflow."
 exit 1
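Review bot: The new grep asserts the authenticated URL but still stops at `\"HEAD:`, so the comment's claim that the push goes to the validated branch ref is not actually checked; extending the pattern to end in `\"HEAD:\${VALIDATED_REF}\"` pins the ref as well. The check is also a byte-for-byte match on one `run:` line, so any reformatting of the push (for example moving the token into an `http.extraheader` config) breaks the validation rather than the property it is meant to enforce. A complementary negative check that the retired PAT has not crept back, `! grep -rn "GH_PAT" .github/workflows/`, would cover all four files this commit touches. The enclosing `run:` block starts before the hunk.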