diff --git a/.github/chainguard/self.github.release.prerelease.sts.yaml b/.github/chainguard/self.github.release.prerelease.sts.yaml
new file mode 100644
index 0000000..cb29a40
--- /dev/null
+++ b/.github/chainguard/self.github.release.prerelease.sts.yaml
@@ -0,0 +1,12 @@
+# Policy for: .github/workflows/prerelease.yml in DataDog/ddtest
+issuer: https://token.actions.githubusercontent.com
+subject: repo:DataDog/ddtest:ref:refs/heads/main
+
+claim_pattern:
+ event_name: push
+ job_workflow_ref: DataDog/ddtest/\.github/workflows/prerelease\.yml@refs/heads/main
+ ref: refs/heads/main
+ repository: DataDog/ddtest
+
+permissions:
+ contents: write
diff --git a/.github/chainguard/self.github.release.tags.sts.yaml b/.github/chainguard/self.github.release.tags.sts.yaml
new file mode 100644
index 0000000..b74eb7f
--- /dev/null
+++ b/.github/chainguard/self.github.release.tags.sts.yaml
@@ -0,0 +1,12 @@
+# Policy for: .github/workflows/release.yml in DataDog/ddtest
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: repo:DataDog/ddtest:ref:refs/tags/v.*
+
+claim_pattern:
+ event_name: push
+ job_workflow_ref: DataDog/ddtest/\.github/workflows/release\.yml@refs/tags/v.*
+ ref: refs/tags/v.*
+ repository: DataDog/ddtest
+
+permissions:
+ contents: write
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
index 612b1a5..c5ae0f1
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -8,12 +8,20 @@ jobs:
 release:
 runs-on: ubuntu-latest
 permissions:
- contents: write
+ contents: read
+ id-token: write
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: Get GitHub token
+ uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+ id: octo-sts
+ with:
+ scope: DataDog/ddtest
+ policy: self.github.release.prerelease
+
 - name: Set up Go
 uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5
 with:
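Review bot: The new policy file states which workflow it serves but not what the `contents: write` grant is for or why the subject is pinned to a main-branch push, so a later edit can widen it without seeing what it protects; a header comment such as `# Grants a contents:write token only to the push-triggered run of prerelease.yml on main (gh release create + asset upload)` would carry that intent. Note also that `event_name: push` rejects mints for any other trigger of prerelease.yml (for example `workflow_dispatch`); the workflow's `on:` block is outside this diff, so confirm it is push-only or extend the pattern deliberately rather than discovering it at release time.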
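Review bot: `subject_pattern: repo:DataDog/ddtest:ref:refs/tags/v.*` lets a push of any tag beginning with `v` mint a `contents: write` token, and because `job_workflow_ref` is matched at `@refs/tags/v.*` as well, whoever creates the tag also controls the release.yml that runs under it; this policy is therefore only as strong as the repository's rule on who may create `v*` tags. Pair it with a tag ruleset that limits creation of `v*` tags to release maintainers, and record that dependency in the file: `# Trust anchor: a tag ruleset must restrict who can create v* tags`. The pattern can also be narrowed to a version shape so unrelated tags (e.g. `vendor-...`) cannot match: `subject_pattern: repo:DataDog/ddtest:ref:refs/tags/v[0-9]+\.[0-9]+\.[0-9]+.*`, with the same tail on `job_workflow_ref` and `ref`; whether octo-sts anchors these regexes at both ends is something I cannot confirm from this hunk, so keep the explicit prefix either way.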
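Review bot: The `Get GitHub token` step mints the write-capable token before `Set up Go` and the build, so the token sits in `steps.octo-sts.outputs.token` for the whole job even though only the release step needs it, and the intervening build runs third-party code (module fetch and compile). Moving the step to immediately before `Create Release and Upload Assets` limits the privileged token's lifetime to the step that uses it; this is a move of the existing block, no new lines. Whether `dd-octo-sts-action` revokes the token in a post step I cannot tell from this hunk; if it does not, an explicit revoke after the release step would close the remaining window. The job's later steps lie outside this hunk.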
@@ -24,7 +32,7 @@ jobs:
 - name: Create Release and Upload Assets
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
 run: |
 SHORT_SHA=$(git rev-parse --short HEAD)
 gh release create "pre-release-$SHORT_SHA" \
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 429de4c..05f64db
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,12 +9,20 @@ jobs:
 release:
 runs-on: ubuntu-latest
 permissions:
- contents: write
+ contents: read
+ id-token: write
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: Get GitHub token
+ uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+ id: octo-sts
+ with:
+ scope: DataDog/ddtest
+ policy: self.github.release.tags
+
 - name: Set up Go
 uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5
 with:
@@ -25,7 +33,7 @@ jobs:
 - name: Create Release and Upload Assets
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
 run: |
 TAG_NAME=${GITHUB_REF#refs/tags/}
 gh release create "$TAG_NAME" \
@@ -36,7 +44,7 @@ jobs:
 - name: Print Release Summary
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
 run: |
 TAG_NAME=${GITHUB_REF#refs/tags/}
 RELEASE_URL=$(gh release view "$TAG_NAME" --json url --jq .url)
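Review bot: With the job's `GITHUB_TOKEN` now reduced to `contents: read` and the release steps using the minted token via `GH_TOKEN`, nothing visible in this hunk still needs git credentials on disk, yet `actions/checkout` is called with no `with:` block and so keeps its default of persisting `github.token` into `.git/config` for every later step. Add `with:` / `persist-credentials: false` under the `Checkout code` step so the only credential the build steps can reach is the one deliberately passed to them. I am assuming no later step runs an authenticated `git push`/`fetch`; the rest of the job is outside this hunk, so check before applying.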
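Review bot: `Print Release Summary` only runs `gh release view`, a read, yet it is now handed the octo-sts `contents: write` token; the job's own `${{ github.token }}` still carries `contents: read`, which is enough here, so keep `GH_TOKEN: ${{ github.token }}` for this step and reserve the minted token for `Create Release and Upload Assets`. Fewer steps holding the write-capable token means fewer places it can leak through logs or a compromised step. The step's `run:` body continues past the end of this hunk.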