diff --git a/.github/workflows/build-test-distribute.yml b/.github/workflows/build-test-distribute.yml index a28477e61a57..fb667dbd7c45 100644 --- a/.github/workflows/build-test-distribute.yml +++ b/.github/workflows/build-test-distribute.yml @@ -16,7 +16,7 @@ on: permissions: id-token: write - contents: read + contents: write jobs: # NOTE: all output values are strings @@ -54,8 +54,6 @@ jobs: app_version: ${{ needs.config.outputs.app_version }} release_tag: ${{ needs.config.outputs.release_tag }} upload_artifacts: ${{ needs.config.outputs.upload_artifacts == 'true' }} - secrets: - BUILD_MACHINE_TOKEN: ${{ secrets.BUILD_MACHINE_TOKEN }} windows-build-test: if: ${{ needs.config.outputs.build_enable_windows == 'true' }} @@ -250,11 +248,12 @@ jobs: done - name: Upload Distributives + env: + GH_TOKEN: ${{ github.token }} run: | shopt -s nullglob PKG_FILES="MeshLibDist*.zip MeshLib*.nupkg meshlib*-dev.deb meshlib*-dev.rpm meshlib*.pkg meshlib_*.zip meshlib_*.tar.xz" if [ -n "$(echo $PKG_FILES)" ] ; then - echo ${{ secrets.BUILD_MACHINE_TOKEN }} | gh auth login --with-token gh release upload ${{ needs.config.outputs.release_tag }} $PKG_FILES --clobber fi @@ -268,8 +267,6 @@ jobs: uses: ./.github/workflows/unity-nuget-test.yml with: release_tag: ${{ needs.config.outputs.release_tag }} - secrets: - BUILD_MACHINE_TOKEN: ${{ secrets.BUILD_MACHINE_TOKEN }} test-distribution: if: ${{ !cancelled() && needs.config.outputs.upload_artifacts == 'true' }} @@ -282,7 +279,7 @@ jobs: test_macos: ${{ needs.config.outputs.build_enable_macos == 'true' }} test_windows: ${{ needs.config.outputs.build_enable_windows == 'true' && needs.config.outputs.build-release-win == 'true' }} secrets: - GH_TOKEN: ${{ secrets.BUILD_MACHINE_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} update-dev-documentation: # !cancelled() need to ignore general fail previous job, because this job depends on one matrix variant (ubuntu 22), 
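Review bot: The top-level `permissions:` block in build-test-distribute.yml now grants `contents: write` to every job in the workflow, including the build and test jobs that presumably only need to read the checkout. Only the steps that create or upload a release need write access, so the least-privilege shape is to keep `contents: read` at the top and add a job-level `permissions:` with `contents: write` on the jobs that run `gh release upload` or call versioning-release.yml (a called reusable workflow can hold at most the caller job's scopes, so a job-level grant is enough). The same workflow-wide grant is introduced in distro-release.yml, release-body-update.yml and versioning-release.yml; bear in mind that an explicit `permissions:` block also sets every scope it does not list to none, so any step in those three workflows that relied on a default scope such as `packages` or `actions` would need that scope listed too.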
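Review bot: The release tag is still spliced into the shell script by expression interpolation, `gh release upload ${{ needs.config.outputs.release_tag }} $PKG_FILES --clobber`; the config job that produces release_tag is outside this diff, so if it is ever derived from something a contributor controls (a branch name, PR title or dispatch input), the value is expanded as shell source before the script runs. Now that the step has an `env:` block, route it the same way as the token — add `RELEASE_TAG: ${{ needs.config.outputs.release_tag }}` under `env:` and write `gh release upload "$RELEASE_TAG" $PKG_FILES --clobber` in the script. The Upload Distributives step in distro-release.yml has the identical shape and should get the same change; both steps' jobs start outside their hunks.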
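Review bot: This hunk is the one place where the replacement token is spelled `secrets.GITHUB_TOKEN` while every other hunk in the commit uses `github.token`; they are the same installation token, but the mixed spelling reads as if a distinct secret were intended. Use the same form throughout, `GH_TOKEN: ${{ github.token }}`. Since a called reusable workflow has `github.token` in scope anyway, the secret pass-through may be unnecessary: unity-nuget-test.yml is changed in this same commit to drop its BUILD_MACHINE_TOKEN secret input and read `github.token` directly, and the workflow behind test-distribution (not in this diff) could likely get the same treatment.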
diff --git a/.github/workflows/distro-release.yml b/.github/workflows/distro-release.yml index cc72b6fda5f2..d78182bb281d 100644 --- a/.github/workflows/distro-release.yml +++ b/.github/workflows/distro-release.yml @@ -7,6 +7,9 @@ on: description: 'Tag to build Windows Release from' required: true +permissions: + contents: write + jobs: config: runs-on: aws-micro @@ -93,11 +96,12 @@ jobs: done - name: Upload Distributives + env: + GH_TOKEN: ${{ github.token }} run: | shopt -s nullglob PKG_FILES="MeshLibDist*.zip meshlib_*.zip meshlib_*.tar.xz" if [ -n "$(echo $PKG_FILES)" ] ; then - echo ${{ secrets.BUILD_MACHINE_TOKEN }} | gh auth login --with-token gh release upload ${{ needs.config.outputs.release_tag }} $PKG_FILES --clobber fi diff --git a/.github/workflows/release-body-update.yml b/.github/workflows/release-body-update.yml index 34b4453ea0cf..007b45650a36 100644 --- a/.github/workflows/release-body-update.yml +++ b/.github/workflows/release-body-update.yml @@ -11,6 +11,9 @@ on: types: - released +permissions: + contents: write + jobs: update-release-body: runs-on: ubuntu-latest @@ -21,8 +24,9 @@ jobs: - name: Determine latest release tag id: latest_release + env: + GH_TOKEN: ${{ github.token }} run: | - echo ${{ secrets.BUILD_MACHINE_TOKEN }} | gh auth login --with-token LATEST_RELEASE_TAG=$(gh release list --exclude-drafts --repo ${{ github.repository }} --limit 1 | awk '{print $4}') echo "::set-output name=tag::${LATEST_RELEASE_TAG}" diff --git a/.github/workflows/unity-nuget-test.yml b/.github/workflows/unity-nuget-test.yml index 8eadc25bfb8b..39fbccb54b4d 100644 --- a/.github/workflows/unity-nuget-test.yml +++ b/.github/workflows/unity-nuget-test.yml @@ -11,9 +11,6 @@ on: release_tag: required: true type: string - secrets: - BUILD_MACHINE_TOKEN: - required: true permissions: id-token: write 
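Review bot: In release-body-update.yml the step still publishes its result with `echo "::set-output name=tag::${LATEST_RELEASE_TAG}"`, a workflow command GitHub has deprecated in favour of the `$GITHUB_OUTPUT` file, so the job will break once runners stop honouring it; replace it with `echo "tag=${LATEST_RELEASE_TAG}" >> "$GITHUB_OUTPUT"`. The tag itself is extracted with `awk '{print $4}'` from the table `gh release list` prints, which splits on every run of whitespace and so depends on the release title and the TYPE column having exactly the word counts this index assumes; a tab-aware field split (`awk -F'\t'`) or the command's JSON output, if the installed gh supports it, would not be tied to the table layout. The update-release-body job continues outside the hunk.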
@@ -70,7 +67,7 @@ jobs: - name: Download nuget package shell: powershell env: - GH_TOKEN: ${{ secrets.BUILD_MACHINE_TOKEN }} + GH_TOKEN: ${{ github.token }} run: | gh release download ${{ inputs.release_tag }} --pattern "*.nupkg" --repo ${{ github.repository }} --clobber diff --git a/.github/workflows/versioning-release.yml b/.github/workflows/versioning-release.yml index e9c959c15ca4..6fc3368e6008 100644 --- a/.github/workflows/versioning-release.yml +++ b/.github/workflows/versioning-release.yml @@ -2,9 +2,6 @@ name: Create release on: workflow_call: - secrets: - BUILD_MACHINE_TOKEN: - required: false inputs: app_version: required: true @@ -23,6 +20,9 @@ on: description: "release id" value: ${{ jobs.versioning-and-release-url.outputs.release_id }} +permissions: + contents: write + jobs: versioning-and-release-url: timeout-minutes: 10 @@ -43,7 +43,7 @@ jobs: id: create_release uses: mikepenz/action-gh-release@5c3d16ffbdc3e0fbfe2c8a69a448798f5d9b30c2 # v2.0.0 env: - GITHUB_TOKEN: ${{ secrets.BUILD_MACHINE_TOKEN }} + GITHUB_TOKEN: ${{ github.token }} RELEASE_PATH: https://github.com/${{github.repository}}/releases/download/${{steps.version-tag.outputs.short_version}} with: name: Release ${{ inputs.release_tag }}
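Review bot: `gh release download` now authenticates with the workflow token, and the only scope visible for this reusable workflow's `permissions:` block is `id-token: write` (end of the previous hunk); because an explicit `permissions:` block sets every unlisted scope to none, the download will be refused on a private repository unless `contents: read` is granted further down in that block, which this diff does not show. If it is missing, add `contents: read` beside `id-token: write`; the caller side is covered, since build-test-distribute.yml now grants `contents: write` workflow-wide and a caller can only pass scopes it holds. The job that owns the Download nuget package step starts outside the hunk.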
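Review bot: Creating the release with `GITHUB_TOKEN: ${{ github.token }}` changes which workflows observe it: GitHub does not start new workflow runs for events that the workflow token itself produces, so a release published by this step will no longer fire the `release: types: [released]` trigger that release-body-update.yml (also touched in this diff) listens on, whereas the previous PAT did. If release-body-update is expected to run after each release made here, either keep a PAT or GitHub App token for this single step, or have this workflow invoke it via `workflow_dispatch` (one of the two event types exempt from that rule, the other being `repository_dispatch`). The versioning-and-release-url job starts outside the hunk.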