diff --git a/.github/chainguard/self.release.create-release.sts.yaml b/.github/chainguard/self.release.create-release.sts.yaml
new file mode 100644
index 00000000..f90a5786
--- /dev/null
+++ b/.github/chainguard/self.release.create-release.sts.yaml
@@ -0,0 +1,13 @@
+issuer: https://token.actions.githubusercontent.com
+
+# For pull_request events, OIDC subject is derived from the PR base branch ref.
+# This policy only works for PRs targeting 'main'.
+subject: repo:DataDog/datadog-sync-cli:ref:refs/heads/main
+
+claim_pattern:
+ event_name: pull_request
+ ref: refs/heads/main
+ job_workflow_ref: DataDog/datadog-sync-cli/.github/workflows/release.yml@refs/heads/main
+
+permissions:
+ contents: write
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e4eabba1..06c0c0c7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,8 +1,5 @@
 name: Release
-permissions:
- contents: write
-
 on:
 pull_request:
 types: [closed]
@@ -14,13 +11,23 @@ jobs:
 name: Create release
 runs-on: ubuntu-latest
 if: github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/')
+ permissions:
+ contents: read
+ id-token: write
 steps:
+ - name: Get access token
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
+ id: octo-sts
+ with:
+ scope: DataDog/datadog-sync-cli
+ policy: self.release.create-release
+
 - name: Create release
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 env:
 RELEASE_BRANCH: ${{ github.head_ref }}
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.octo-sts.outputs.token }}
 script: |
 const tagName = `${process.env.RELEASE_BRANCH.split("/")[1]}`;
 let tagExists = false;
@@ -70,6 +77,8 @@ jobs:
 build_artifacts:
 needs: create_release
 name: Build executables
+ permissions:
+ contents: write
 strategy:
 matrix:
 os: [ubuntu-22.04-arm, ubuntu-22.04, windows-latest, macos-latest]
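Review bot: The `subject` and `claim_pattern.ref` values bind the policy to `refs/heads/main`, but for pull_request-triggered runs GitHub's documented default subject is `repo:OWNER/REPO:pull_request` and the `ref` claim is the PR merge ref, with the base branch exposed separately as `base_ref`; the header comment's statement that the subject is derived from the base branch only holds if this repository has a customized OIDC subject template. If it does not, the match fails closed and `create_release` cannot mint a token, so this is worth confirming against a decoded token from one run before the first release depends on it. The comment should name that assumption, e.g. `# Requires the repo's OIDC subject template to include the base ref; verify with a decoded token from a release run.` Binding `job_workflow_ref` to `release.yml@refs/heads/main` is the right control here, since protection of that file on `main` is what ultimately gates issuance.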
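Review bot: The token minted by the `Get access token` step carries `contents: write` for the whole repository, and nothing in the policy restricts issuance to merged `release/*` PRs — that restriction exists only in this job's `if:` line, so whoever can change that condition on `main` changes what the STS token ends up used for. That is acceptable given branch protection on `main`, but it deserves a comment above the step so the next editor of the `if:` knows it is a security control: `# Issuance is bound to release.yml@main by .github/chainguard/self.release.create-release.sts.yaml; the if: above is the only gate on which PR runs reach this step.` The job-level `contents: read` / `id-token: write` is the correct minimal scope for the ambient GITHUB_TOKEN here. The `create_release` job's steps continue past the end of the hunk.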
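Review bot: `build_artifacts` keeps a write-scoped ambient GITHUB_TOKEN (`contents: write`) while the commit moves `create_release` to a scoped STS token, so the workflow still has one job with broad write on its default token; the job's steps are outside the hunk, but if they upload release assets with GITHUB_TOKEN they could consume the same octo-sts policy and this job could drop to `contents: read`. If keeping the write scope is intentional for now, a comment such as `# TODO: move asset upload to the octo-sts token and drop contents: write` would record that so the partial migration is not mistaken for the end state.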
@@ -79,7 +88,7 @@ jobs:
 env:
 RELEASE_BRANCH: ${{ github.head_ref }}
 run: |
- TAG_NAME=$(echo $RELEASE_BRANCH | cut -d "/" -f2)
+ TAG_NAME=$(echo "$RELEASE_BRANCH" | cut -d "/" -f2)
 echo "tag_name=$TAG_NAME" >> "$GITHUB_ENV"
 shell: bash
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
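Review bot: Quoting `$RELEASE_BRANCH` is right; the remaining fragility is `cut -d "/" -f2`, which keeps only the second path segment, so a branch such as `release/1.2/hotfix` would yield `1.2` even though the `if:` gate in `create_release` already guarantees the `release/` prefix. `TAG_NAME="${RELEASE_BRANCH#release/}"` drops the `echo | cut` pipeline and keeps the full remainder; the github-script step derives the tag with `split("/")[1]`, so if this line changes, that expression should change to match. The enclosing step and job begin and end outside the hunk.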