diff --git a/.github/workflows/auto-changelog.yml b/.github/workflows/auto-changelog.yml
index 0f7cf602..468a54aa 100644
--- a/.github/workflows/auto-changelog.yml
+++ b/.github/workflows/auto-changelog.yml
@@ -14,4 +14,4 @@ jobs:
       - name: Draft Release
         uses: release-drafter/release-drafter@v5
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
diff --git a/.github/workflows/auto-versioning.yml b/.github/workflows/auto-versioning.yml
index 1bb8dce4..a75664da 100644
--- a/.github/workflows/auto-versioning.yml
+++ b/.github/workflows/auto-versioning.yml
@@ -60,21 +60,21 @@ jobs:
           # Export the tag for downstream steps
           echo "tag=${TAG}" >> $GITHUB_OUTPUT
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
 
       - name: Check for existing GitHub Release
         id: check_release
         run: |
           TAG=${{ steps.create_tag.outputs.tag }}
           echo "Checking for release for tag: ${TAG}"
-          STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${GITHUB_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${CHARON_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true
           if [ "${STATUS}" = "200" ]; then
             echo "exists=true" >> $GITHUB_OUTPUT
           else
             echo "exists=false" >> $GITHUB_OUTPUT
           fi
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
 
       - name: Create GitHub Release (tag-only, no workspace changes)
         if: ${{ steps.semver.outputs.changed && steps.check_release.outputs.exists == 'false' }}
@@ -84,4 +84,4 @@ jobs:
           name: Release ${{ steps.create_tag.outputs.tag }}
           body: ${{ steps.semver.outputs.release_notes }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 28354ac9..ef284294 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -42,7 +42,7 @@ jobs:
           name: Go Benchmark
           tool: 'go'
           output-file-path: backend/output.txt
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.CHARON_TOKEN }}
           auto-push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
           # Show alert with commit comment on detection of performance regression
           alert-threshold: '150%'
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index b5c87c31..01a73f63 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -169,7 +169,7 @@ jobs:
         uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
         with:
           sarif_file: 'trivy-results.sarif'
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.CHARON_TOKEN }}
 
       - name: Create summary
         if: steps.skip.outputs.skip_build != 'true'
diff --git a/.github/workflows/release-goreleaser.yml b/.github/workflows/release-goreleaser.yml
index cc65b74a..dfecc7d9 100644
--- a/.github/workflows/release-goreleaser.yml
+++ b/.github/workflows/release-goreleaser.yml
@@ -13,10 +13,10 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
     env:
-      # Use the built-in GITHUB_TOKEN by default for GitHub API operations.
+      # Use the built-in CHARON_TOKEN by default for GitHub API operations.
       # If you need to provide a PAT with elevated permissions, add a CHARON_TOKEN secret
       # at the repo or organization level and update the env here accordingly.
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -47,7 +47,8 @@ jobs:
         with:
           version: 0.13.0
 
-      # GITHUB_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN
+      # CHARON_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN
+
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
diff --git a/.github/workflows/renovate_prune.yml b/.github/workflows/renovate_prune.yml
index b75e836b..7089e435 100644
--- a/.github/workflows/renovate_prune.yml
+++ b/.github/workflows/renovate_prune.yml
@@ -26,15 +26,15 @@ jobs:
         run: |
           if [ -n "${{ secrets.CHARON_TOKEN }}" ]; then
             echo "Using CHARON_TOKEN" >&2
-            echo "GITHUB_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV
+            echo "CHARON_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV
           else
             echo "Using CPMP_TOKEN fallback" >&2
-            echo "GITHUB_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV
+            echo "CHARON_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV
           fi
       - name: Prune renovate branches
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
-          github-token: ${{ env.GITHUB_TOKEN }}
+          github-token: ${{ env.CHARON_TOKEN }}
           script: |
             const owner = context.repo.owner;
             const repo = context.repo.repo;