diff --git a/.github/workflows/__check-action.yml b/.github/workflows/__check-action.yml
index 3c75536..138da96 100644
--- a/.github/workflows/__check-action.yml
+++ b/.github/workflows/__check-action.yml
@@ -190,7 +190,7 @@ jobs:
 
       - name: "Arrange: retrieve latest version of docker compose"
         if: ${{ matrix.fetch-latest-compose }}
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             const dockerComposeVersion = (await github.rest.repos.getLatestRelease({
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index 346b168..0ccc485 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -15,12 +15,8 @@ permissions: {}
 
 jobs:
   release:
-    uses: hoverkraft-tech/ci-github-publish/.github/workflows/prepare-release.yml@5ff7d4c3910971ed53834becd5967271b4e228cf # 0.21.1
+    uses: hoverkraft-tech/ci-github-publish/.github/workflows/prepare-release.yml@b56be562f38e0e3e712f09691a8fe930aae9db1b # 0.22.0
     permissions:
-      contents: write
+      contents: read
       id-token: write
       pull-requests: write
-    with:
-      github-app-id: ${{ vars.CI_BOT_APP_ID }}
-    secrets:
-      github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}