diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..3f5197e
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,4 @@
+# CODEOWNERS - Require review from maintainers for critical files
+/.github/workflows/ @abubnalitic-nbl @ltucker
+/pyproject.toml @abubnalitic-nbl @ltucker
+/.github/CODEOWNERS @abubnalitic-nbl @ltucker
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5715aa5..a17c0e1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,9 +1,10 @@
name: Release
+# Global defaults - read-only (least privilege)
permissions:
- contents: write
- issues: write
- pull-requests: write
+ contents: read
+ issues: read
+ pull-requests: read
on:
workflow_dispatch:
@@ -11,6 +12,13 @@ on:
jobs:
release:
runs-on: ubuntu-latest
+ environment: release # Requires manual approval in GitHub settings
+
+ # Job-specific write permissions (least privilege)
+ permissions:
+ contents: write # Push tags and CHANGELOG
+ issues: write # Create release issues
+ pull-requests: write # Create release PRs
steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/pyproject.toml b/pyproject.toml
index 92e84a3..e1e3791 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -31,7 +31,6 @@ version_toml = ["pyproject.toml:project.version"]
version_variables = ["src/netbox_mcp_server/__init__.py:__version__"]
branch = "main"
upload_to_vcs_release = true
-build_command = "uv build"
tag_format = "v{version}"
[tool.semantic_release.commit_parser_options]
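Review bot: The four CODEOWNERS rules only gate merges when the branch protection or ruleset for the release branch has "Require review from Code Owners" enabled; on their own they are advisory, and nothing in this commit shows that setting. The header comment should record that dependency, e.g. `# Only enforced when branch protection on main requires code-owner review`. Both listed owners can approve each other's changes to these paths, which is inherent to a two-maintainer team but worth stating next to the rules. If a dependency lockfile sits beside pyproject.toml (the removed `build_command = "uv build"` suggests uv is in use, so one may exist), it belongs in this list as well, since it controls what the release job installs.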
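Review bot: With the job-level `permissions:` block in place, every scope not listed there is already `none` for the release job, so the workflow-level `issues: read` and `pull-requests: read` grant nothing that job uses and only act as a default for jobs added later. A stricter default for that purpose is `permissions: {}` (or `contents: read` alone), which forces any future job to opt in to each scope explicitly instead of inheriting three read scopes. If the workflow has jobs other than `release` that fall outside this hunk, keep whichever read scopes those jobs actually need.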
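Review bot: The comment on `environment: release` records a requirement the workflow itself cannot enforce: the manual-approval gate exists only if the `release` environment has required reviewers configured in repository settings, and nothing in the commit shows that configuration, so the comment should say what happens otherwise, e.g. `# Gate: the 'release' environment must have required reviewers configured, or this job runs unattended`. The new `issues: write` and `pull-requests: write` scopes are justified only by their inline comments; the steps that would create issues or PRs are outside the hunk, so if no step in the job does, drop those two scopes and keep only `contents: write`. The release job continues past the end of the hunk.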