diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml
index d9d96306..3a111d6c 100644
--- a/.github/workflows/changelog-preview.yml
+++ b/.github/workflows/changelog-preview.yml
@@ -4,6 +4,10 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, edited, labeled]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   changelog-preview:
     uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a31aac2c..6a239f66 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,8 +3,8 @@ on:
   workflow_dispatch:
     inputs:
       version:
-        description: Version to release
-        required: true
+        description: Version to release (or "auto")
+        required: false
       force:
         description:
           Force a release even when there are release-blockers (optional)
@@ -15,6 +15,10 @@ on:
           (optional)
         required: false
         default: master
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -33,7 +37,7 @@ jobs:
       - name: Install Dependencies
         run: yarn install
       - name: Prepare release
-        uses: getsentry/action-prepare-release@v1
+        uses: getsentry/craft@c6e2f04939b6ee67030588afbb5af76b127d8203 # v2
         env:
           GITHUB_TOKEN: ${{ steps.token.outputs.token }}
         with: