diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4026cf6..9b2b283 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -54,10 +54,13 @@ jobs:
 persist-credentials: 'false'
 - name: Generate GitHub App token
 id: generate_token
- uses: tibdex/github-app-token@v2
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Using official GitHub-maintained action
+ # instead of third-party tibdex. Pinned to SHA for supply chain safety.
+ # actions/create-github-app-token v3 -> sha f8d387b68d61c58ab83c6c016672934102569859
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
 with:
- app_id: ${{ secrets.HAWKY_APP_ID }}
- private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
+ app-id: ${{ secrets.HAWKY_APP_ID }}
+ private-key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
 - name: Set up git for pushing
 run: |
 git remote set-url origin https://x-access-token:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git
@@ -96,10 +99,13 @@ jobs:
 persist-credentials: 'false'
 - name: Generate GitHub App token
 id: generate_token
- uses: tibdex/github-app-token@v2
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Pinned to commit SHA instead of
+ # mutable @v2 tag.
+ # Pin: v2.1.0 -> sha 3beb63f4bd073e61482598c45c71c1019b59b73a
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
 with:
- app_id: ${{ secrets.HAWKY_APP_ID }}
- private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
+ app-id: ${{ secrets.HAWKY_APP_ID }}
+ private-key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
 - name: Set up git for pushing
 run: |
 git remote set-url origin https://x-access-token:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index c6a7ae0..7f08608 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
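Review bot: In the second ci.yml hunk (`@@ -96,10 +99,13 @@`) the added provenance comment does not match the line it documents: it says `# Pin: v2.1.0 -> sha 3beb63f4bd073e61482598c45c71c1019b59b73a` while the `uses:` line actually pins `actions/create-github-app-token@f8d387b6…` with a `# v3` suffix, so anyone auditing the pin is pointed at a different commit (apparently a leftover from an earlier pin of the old tibdex action). The value of a SHA pin is that it can be verified, so this comment block should carry the same `# actions/create-github-app-token v3 -> sha f8d387b68d61c58ab83c6c016672934102569859` line the first hunk uses, and the `v2.1.0 -> 3beb63f4…` line should be dropped. The trailing `# v3` marker is also what Dependabot/Renovate key on to bump a SHA pin, so keeping the version annotations accurate in both hunks matters beyond readability. The enclosing jobs start and end outside the hunks.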
@@ -52,10 +52,13 @@ jobs:
 pip install .
 - name: Generate GitHub App token
 id: generate_token
- uses: tibdex/github-app-token@v2
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Using official GitHub-maintained action
+ # instead of third-party tibdex. Pinned to SHA for supply chain safety.
+ # actions/create-github-app-token v3 -> sha f8d387b68d61c58ab83c6c016672934102569859
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
 with:
- app_id: ${{ secrets.HAWKY_APP_ID }}
- private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
+ app-id: ${{ secrets.HAWKY_APP_ID }}
+ private-key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
 - name: Set up git for pushing
 run: |
 git remote set-url origin https://x-access-token:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git
@@ -87,10 +90,12 @@ jobs:
 fetch-depth: 0
 - name: Generate GitHub App token
 id: generate_token
- uses: tibdex/github-app-token@v2
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Using official GitHub-maintained action.
+ # actions/create-github-app-token v3 -> sha f8d387b68d61c58ab83c6c016672934102569859
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
 with:
- app_id: ${{ secrets.HAWKY_APP_ID }}
- private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
+ app-id: ${{ secrets.HAWKY_APP_ID }}
+ private-key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
 - name: Set up git for pulling latest
 run: |
 git remote set-url origin https://x-access-token:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git
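Review bot: The new `actions/create-github-app-token` steps in both prepare-release hunks request a token with no `permission-*` or `repositories` narrowing under `with:`, so the token carries every permission the installed App has, and the context line right after each step (`git remote set-url origin https://x-access-token:…`) then stores that token in the runner's git config. These jobs only push to or pull from this repository, so — provided the v3 inputs match the action's README (confirm before relying on it) — adding `permission-contents: write` next to `private-key:` limits the blast radius if the token leaks. Embedding the token in the remote URL is pre-existing and outside this hunk, but it is worth a follow-up to pass it via an `http.extraheader` config or `actions/checkout`'s `token:` input instead. The enclosing jobs start and end outside the hunks.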
@@ -132,10 +137,12 @@ jobs:
 pip install .
 - name: Generate GitHub App token
 id: generate_token
- uses: tibdex/github-app-token@v2
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Using official GitHub-maintained action.
+ # actions/create-github-app-token v3 -> sha f8d387b68d61c58ab83c6c016672934102569859
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
 with:
- app_id: ${{ secrets.HAWKY_APP_ID }}
- private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
+ app-id: ${{ secrets.HAWKY_APP_ID }}
+ private-key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
 - name: Set up git for pushing
 run: |
 git remote set-url origin https://x-access-token:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git
@@ -151,4 +158,4 @@ jobs:
 run: bumpver update --patch --commit
 - name: Push patch version bump commit
 run: |
- git push origin HEAD:main
\ No newline at end of file
+ git push origin HEAD:main
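Review bot: The first hunk here (like every other `uses:` line in this commit) pins `f8d387b68d61c58ab83c6c016672934102569859` with a `# v3` annotation, but nothing in the change records that the SHA was checked against a real release tag of `actions/create-github-app-token`; a SHA pin only defends against tag rewrites if the pinned commit was itself verified. I would extend the comment block above the `uses:` line with how it was verified, e.g. `# verified: git ls-remote https://github.com/actions/create-github-app-token 'refs/tags/v3*'` (or a link to the release), so the next bump can be audited the same way. The second hunk is only the missing trailing newline on `git push origin HEAD:main`. The enclosing jobs start outside these hunks.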