diff --git a/.github/workflows/agent-restricted.yml b/.github/workflows/agent-restricted.yml
index 9ba260dac..d222ef36d 100644
--- a/.github/workflows/agent-restricted.yml
+++ b/.github/workflows/agent-restricted.yml
@@ -67,6 +67,8 @@ jobs:
 echo "✅ User $ACTOR is authorized"
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Run Strands Agent
 uses: ./.github/actions/strands-action
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 89caef3bc..e20605073 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -50,6 +50,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Setup Node.js
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
@@ -117,6 +118,12 @@ jobs:
 npx prettier --write schemas/
 echo "✓ JSON schema regenerated and formatted"
+ - name: Configure push credentials
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
+
 - name: Create release branch and PR
 env:
 NEW_VERSION: ${{ steps.bump.outputs.version }}
@@ -302,6 +309,7 @@ jobs:
 with:
 ref: main
 fetch-depth: 0
+ persist-credentials: false
 - name: Verify we have the merged code
 run: |
@@ -370,6 +378,12 @@ jobs:
 echo "No NPM_TOKEN needed - using GitHub OIDC"
 npm publish --access public --provenance --tag latest
+ - name: Configure push credentials
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
+
 - name: Create and push tag
 env:
 VERSION: ${{ steps.version.outputs.version }}
diff --git a/.github/workflows/strands-command.yml b/.github/workflows/strands-command.yml
index a964f215e..65583b102 100644
--- a/.github/workflows/strands-command.yml
+++ b/.github/workflows/strands-command.yml
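Review bot: In release.yml, the `Configure push credentials` step added at `@@ -117,6 +118,12 @@` writes the job token in plaintext into the runner's global git config, because the token is part of the `url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf` key. From that step to the end of the job, any later step or tool that reads `~/.gitconfig`, or that makes any `https://github.com/` git request, gets the credential that `persist-credentials: false` otherwise keeps out of reach. The identical step added at `@@ -370,6 +378,12 @@` has the same issue, although its placement after `npm publish` does keep the token away from the publish itself. A narrower option is a credential helper that reads the token from the environment: replace the `git config` line with `gh auth setup-git` and set `GH_TOKEN: ${{ github.token }}` only on the steps that push. This assumes the `gh` CLI is available on the runner, and the push steps' bodies and the job's `permissions:` block are outside these hunks. If these jobs can run on a self-hosted runner, the `--global` entry would also outlive the job unless an `if: always()` cleanup step removes it.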
@@ -68,6 +68,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Add strands-running label
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8