diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7341724..b39dcce 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,9 +6,6 @@ on:
   pull_request:
     branches: [ main ]
-permissions:
-  contents: write
-
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -17,6 +14,8 @@ jobs:
         python-version: ["3.10", "3.11", "3.12", "3.13"]
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: 'false'
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
         with:
@@ -37,11 +36,16 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          fetch-depth: 0
-      - name: Set git user for hawkdeploy
+          persist-credentials: 'false'
+      - name: Generate GitHub App token
+        id: generate_token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.HAWKY_APP_ID }}
+          private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
+      - name: Set up git for pushing
         run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git remote set-url origin https://x-access-token:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git
       - name: Show git user and remote
         run: |
           git config --get user.name
@@ -71,11 +75,16 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          fetch-depth: 0
-      - name: Set git user for hawkdeploy
+          persist-credentials: 'false'
+      - name: Generate GitHub App token
+        id: generate_token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.HAWKY_APP_ID }}
+          private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
+      - name: Set up git for pushing
         run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git remote set-url origin https://x-access-token:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
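Review bot: Deleting the `permissions:` block in the -6 hunk does not make GITHUB_TOKEN read-only; the workflow falls back to the repository's default token permissions, which may still be read/write, and the same deletion is made in the first hunk of release.yml. Since pushes now go through the App token, the default token needs nothing beyond read access, so replace the deletion with an explicit minimum at workflow level, `permissions:` / `  contents: read`, and let any job that needs more widen it locally. That keeps the least-privilege intent visible in the file instead of depending on an organisation or repository setting.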
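Review bot: The context line `git config --get user.name` in the step after the -37 hunk's change now exits 1, because the two `git config user.*` lines it reports on were removed and nothing sets an identity, so under the runner's default `bash -e` that step fails; the identical removal in the -71 hunk and in prepare-release.yml leaves `bumpver update --minor --commit` with no author identity, and git refuses to commit without one. Keep an identity next to the new remote, for example restore `git config user.name "github-actions[bot]"` and the matching `user.email` line, or set the App's bot identity if that is what the commits should show. Writing the token into the origin URL via `git remote set-url` stores it in plaintext in `.git/config` on the runner and makes it part of any later `git remote -v` output; whether the step log masks it depends on the token action registering its output as a secret, which this hunk does not show. A cleaner shape is to run the token step before checkout and pass the token through `actions/checkout`'s `token:` input instead of rewriting the remote in a shell step. Separately, `tibdex/github-app-token@v2` is handed the App private key yet is pinned only by a mutable tag; pin it to a full commit SHA and, if the pinned version supports them, narrow the token with its `repositories` / `permissions` inputs.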
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index 54eb786..67969e8 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -24,10 +24,15 @@ jobs:
           python -m pip install --upgrade pip
           pip install -r requirements.txt
           pip install .
-      - name: Set git user for github-actions
+      - name: Generate GitHub App token
+        id: generate_token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.HAWKY_APP_ID }}
+          private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
+      - name: Set up git for pushing
         run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git remote set-url origin https://x-access-token:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git
       - name: Bump minor version with bumpver
         run: bumpver update --minor --commit
       - name: Push version bump commit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 525bf06..b31ff81 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
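Review bot: `Push version bump commit`, the context line closing this hunk, now pushes with an App installation token rather than GITHUB_TOKEN, and pushes authenticated that way do trigger `on: push` workflows, which pushes made with the default token do not. If the ci.yml jobs that also push run on pushes to the same branch, confirm this does not create a workflow loop, for example by guarding those jobs with `if: github.actor != '<app-bot-login>'` (placeholder for the App's `[bot]` login) or by a commit-message filter on the bumpver commit. The push step's body lies outside the hunk, so this is inferred from the step name.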
@@ -3,23 +3,24 @@ name: Release
 on:
   workflow_dispatch:
-permissions:
-  contents: write
-  issues: write
-  id-token: write
-
 jobs:
   approval:
     name: Manual Approval
     runs-on: ubuntu-latest
     steps:
+      - name: Generate GitHub App token
+        id: generate_token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.HAWKY_APP_ID }}
+          private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
       - name: Wait for manual approval
         uses: trstringer/manual-approval@v1
         with:
-          secret: ${{ secrets.GITHUB_TOKEN }}
+          secret: ${{ steps.generate_token.outputs.token }}
           issue-title: "Release Approval for ${{ github.ref_name }}"
-          issue-body: "Please approve this release to publish to PyPI and Docker."
-          approvers: sgerlach,kcberg,danielhopkins,clamey,Bwvolleyball
+          issue-body: "Please approve the release for ${{ github.ref_name }}."
+          approvers: engineering
           minimum-approvals: 1
           mode: issue
           fail-on-denial: true
@@ -41,8 +42,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ github.ref }}
-          fetch-depth: 0
+          persist-credentials: 'false'
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
@@ -65,8 +65,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ github.ref }}
-          fetch-depth: 0
+          persist-credentials: 'false'
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
diff --git a/README.md b/README.md
index 3cba17c..f9f8dc5 100644
--- a/README.md
+++ b/README.md
@@ -311,7 +311,3 @@ Contributions are welcome! Please open issues or pull requests for bug fixes, ne
 ## License
 Apache License 2.0. See [LICENSE](LICENSE) for details.
-
-## GitHub Actions
-
-Workflows are being updated to improve git permissions for CI/CD automation. See the `fix/git-permission-issues` branch for details.
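Review bot: Dropping `id-token: write` from the workflow-level `permissions:` block in the -3 hunk silently disables OIDC for every job that does not declare it itself; the publish jobs come after this hunk, so if PyPI or Docker publishing relies on trusted publishing each of them now needs its own `permissions:` / `  id-token: write` (removing `contents: write` and `issues: write` is fine now that the approval step uses the App token). Passing `steps.generate_token.outputs.token` as `secret` to `trstringer/manual-approval@v1` hands an App installation token to a third-party action pinned only by a floating tag, as is `tibdex/github-app-token@v2`; pin both to full commit SHAs. `approvers: engineering` replaces user logins with what reads as a team name, and resolving team membership needs the token to carry organisation member read permission, which GITHUB_TOKEN never has and the App installation may not; confirm the App grants it, otherwise the approval either errors or never matches anyone.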
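Review bot: Removing `fetch-depth: 0` in the -41 hunk and the identical -65 hunk leaves the publish checkouts shallow, which breaks any version or changelog derivation from tags or history (`git describe`, setuptools-scm and the like) at release time; if the version comes only from the file bumpver edits this is harmless, otherwise keep `fetch-depth: 0` next to `persist-credentials: 'false'`. Dropping `ref: ${{ github.ref }}` is a no-op for a `workflow_dispatch` run, since that is checkout's default. Both job bodies continue past the hunks, so whether history is needed is inferred.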