diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml
index 10614e3..ca81a05 100644
--- a/.github/workflows/deploy-prod.yml
+++ b/.github/workflows/deploy-prod.yml
@@ -27,7 +27,6 @@ jobs:
     env:
       AWS_STG_ACCOUNT_ID: "071308038858"
       AWS_PRD_ACCOUNT_ID: "591292939760"
-      BUILD_PREFIX: "s3://apiforge-artifacts-071308038858/builds/${{ github.event.workflow_run.head_sha }}" # bucket from staging env
 
     steps:
       # check out the released tag so the SAM template / scripts match the artifacts
@@ -43,6 +42,8 @@ jobs:
         run: |
           SHA=$(git rev-parse HEAD)
           echo "SHA=$SHA" >> "$GITHUB_ENV"
+          echo "BUILD_PREFIX=s3://apiforge-artifacts-071308038858/builds/$SHA" >> "$GITHUB_ENV"
+
           echo "Releasing commit $SHA (tag ${{ github.event.release.tag_name }})"
 
       - name: Configure AWS Production Credentials (OIDC)
diff --git a/.github/workflows/trigger-release.yml b/.github/workflows/trigger-release.yml
index 74aa72c..a299147 100644
--- a/.github/workflows/trigger-release.yml
+++ b/.github/workflows/trigger-release.yml
@@ -107,7 +107,7 @@ jobs:
 
       - name: Create GitHub Release + tag
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.RELEASE_AUTOMATION_TOKEN }}
         run: |
           echo "Creating release $VERSION at $SHA ..."
           if [ "$IS_ROLLBACK" = "true" ]; then