diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index fbe69a7c1a..0f903353c4 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -8,18 +8,24 @@ on: jobs: create-draft-release: runs-on: ubuntu-latest + environment: "Production – umami-v2" + permissions: + contents: write + issues: write steps: - name: Check out code uses: actions/checkout@v4 - name: Create Draft Release for ${{ github.ref_name }} - env: - GH_TOKEN: ${{ secrets.PERSONAL_GH_TOKEN }} run: gh release create ${{ github.ref_name }} --draft --title "${{ github.ref_name }}" --generate-notes + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} create-release-linux: runs-on: ubuntu-latest needs: create-draft-release + permissions: + contents: write environment: "Production – umami-v2" steps: - name: Check out code 
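Review bot: `${{ github.ref_name }}` is pasted into the `run:` script of the draft-release step before the shell parses it, so a ref name containing shell metacharacters would be interpreted as part of the command, now in a job that holds `contents: write` and is bound to the Production environment. Passing the value through the environment avoids that: add `TAG: ${{ github.ref_name }}` under the step's `env:` and run `gh release create "$TAG" --draft --title "$TAG" --generate-notes`; the `gh release upload ${{ github.ref_name }}` step in the second hunk needs the same change. Separately, nothing in the visible step appears to need `issues: write`, so that permission could probably be dropped from `create-draft-release`. The trigger under `on:` is outside the hunk, so which refs can reach this job cannot be confirmed from here.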
@@ -44,31 +50,38 @@ jobs: - name: Import GPG key uses: crazy-max/ghaction-import-gpg@v6 with: - gpg_private_key: ${{ env.GPG_PRIVATE_KEY }} - passphrase: ${{ env.GPG_PASSPHRASE }} - fingerprint: ${{env.GPG_KEY_ID }} + gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.GPG_PASSPHRASE }} + fingerprint: ${{ secrets.GPG_KEY_ID }} git_user_signingkey: true - name: Generate deb and rpm files working-directory: apps/desktop run: pnpm run electron:package:linux + env: + CI: false + - name: Sign the deb and rpm files using dpkg-sig and rpm-sign working-directory: apps/desktop run: | sudo apt install -y dpkg-sig - dpkg-sig --sign builder -k ${{ env.GPG_KEY_ID }} ./dist/*.deb + dpkg-sig --sign builder -k ${{ secrets.GPG_KEY_ID }} ./dist/*.deb + echo "%_gpg_name ${{ secrets.GPG_KEY_ID }}" > ~/.rpmmacros rpm --addsign ./dist/*.rpm - name: Upload deb and rpm files working-directory: apps/desktop - env: - GH_TOKEN: ${{ secrets.PERSONAL_GH_TOKEN }} run: gh release upload ${{ github.ref_name }} ./dist/*.deb ./dist/*.rpm + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} create-release-mac: runs-on: macos-latest needs: create-draft-release + environment: "Production – umami-v2" + permissions: + contents: write steps: - name: Check out code uses: actions/checkout@v4 @@ -93,7 +106,7 @@ jobs: working-directory: apps/desktop env: CI: true - GH_TOKEN: ${{ secrets.PERSONAL_GH_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} CSC_LINK: ${{ secrets.CSC_LINK }} CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} APPLE_ID: ${{ secrets.APPLE_ID }}
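Review bot: The third-party action that receives the signing material is referenced by a mutable tag (`crazy-max/ghaction-import-gpg@v6`), so anyone able to move that tag gets code running with `secrets.GPG_PRIVATE_KEY` and `secrets.GPG_PASSPHRASE`. Pin it to a full commit SHA, for example `uses: crazy-max/ghaction-import-gpg@<full-commit-sha> # v6`, where the placeholder is the SHA of the release you have reviewed. In the signing step, `${{ secrets.GPG_KEY_ID }}` is expanded into the script text before the shell runs and is unquoted on the `dpkg-sig` line. Setting `GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}` under that step's `env:` and using `"$GPG_KEY_ID"` in both the `dpkg-sig` and `echo "%_gpg_name ..."` commands keeps the value out of the generated script. The `create-release-linux` job begins before this hunk and `create-release-mac` continues past it, so other steps that handle these secrets are not visible here.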