diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml
index 8df88f2e..a18c9fa7 100644
--- a/.github/workflows/changelog-preview.yml
+++ b/.github/workflows/changelog-preview.yml
@@ -7,8 +7,13 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened, edited, labeled, unlabeled]
 
+permissions:
+  contents: read
+  pull-requests: write
+  statuses: write
+
 jobs:
   changelog-preview:
     name: Preview Changelog
-    uses: getsentry/craft/.github/workflows/changelog-preview.yml@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce
+    uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
     secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 75f4886a..6e2f4267 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,12 +27,12 @@ jobs:
     steps:
       - name: Get auth token
         id: token
-        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2
+        uses: actions/create-github-app-token@v2.2.1
         with:
           app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
           private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           token: ${{ steps.token.outputs.token }}
           fetch-depth: 0
@@ -47,7 +47,7 @@ jobs:
           cache: "pnpm"
 
       - name: Prepare release
-        uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2
+        uses: getsentry/craft@v2
         env:
           GITHUB_TOKEN: ${{ steps.token.outputs.token }}
         with: