diff --git a/.github/workflows/quarto-build.yml b/.github/workflows/quarto-build.yml
index d2763017..92e6d37e 100644
--- a/.github/workflows/quarto-build.yml
+++ b/.github/workflows/quarto-build.yml
@@ -23,10 +23,13 @@ on:
         type: string
         default: ""
 
-# NOTE: no workflow-level `permissions:` here. A called workflow may not
+# NOTE: keep workflow-level permissions minimal. A called workflow may not
 # request more than its caller's job grants; `read-all` would demand read on
 # every scope while callers grant only `contents: write` (startup_failure).
-# The job below declares exactly what it needs.
+# `contents: read` is a subset of that grant and satisfies the OpenSSF
+# Scorecard TokenPermissions check; the job below elevates to what it needs.
+permissions:
+  contents: read
 
 env:
   QUARTO_VERSION: "1.8.27"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 433863d5..d9db2265 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -37,9 +37,15 @@ jobs:
     steps:
 
       # ── Checkout ──────────────────────────────────────────────────────
+      # ssh-key: the protect-main ruleset blocks direct pushes to main, with
+      # a bypass for deploy keys. Checking out with the DEPLOY_KEY secret
+      # makes git operate over SSH as that deploy key, so semantic-release's
+      # chore(release) push (see repositoryUrl in .releaserc.json) bypasses
+      # the ruleset. GITHUB_TOKEN stays for the GitHub API (release creation).
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          ssh-key: ${{ secrets.DEPLOY_KEY }}
 
       # ── Python + uv ──────────────────────────────────────────────────
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
diff --git a/.releaserc.json b/.releaserc.json
index 84a86e42..80aa67dc 100644
--- a/.releaserc.json
+++ b/.releaserc.json
@@ -1,4 +1,5 @@
 {
+  "repositoryUrl": "git@github.com:sequential-parameter-optimization/spotoptim.git",
   "branches": [
     "main"
   ],
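Review bot: The new workflow-level `contents: read` is not inherited by a job that declares its own `permissions:` — a job-level block replaces the workflow-level set rather than adding to it, so the job this comment points at must still list every scope it uses (for example `contents: write`) explicitly. That job lies outside the hunk, so please confirm it does, and that no other job in the file quietly relies on the implicit default. The rest of the comment is accurate as written; I would only reword `the job below elevates to what it needs` to `each job below still declares its own full permission set` so the non-inheritance is explicit to the next reader.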
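Review bot: The deploy key mounted via `ssh-key` remains usable by every later step of this job, since actions/checkout keeps the credential configured in the checked-out repository unless `persist-credentials: false` is set (which the push here needs it not to be), so dependency installation, tests and any third-party action that runs after checkout can also push to `main` past the protect-main ruleset, not only semantic-release. Keep the post-checkout steps to pinned actions and project code, and scope `DEPLOY_KEY` as an environment secret so only this job, on its intended branch, can read it. Because the ruleset bypass covers deploy keys as a class, the repository's set of write-enabled deploy keys should stay limited to this one, and the comment could say so: `# DEPLOY_KEY must be the only write-capable deploy key on the repo; every other key widens the bypass.` The job definition starts and ends outside the hunk.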
@@ -128,7 +129,7 @@
     [
       "@semantic-release/exec",
       {
-        "prepareCmd": "sed -i 's/^version = .*/version = \"${nextRelease.version}\"/' pyproject.toml"
+        "prepareCmd": "sed -i 's/^version = .*/version = \"${nextRelease.version}\"/' pyproject.toml && uv lock"
       }
     ],
     [
@@ -159,7 +160,8 @@
     {
       "assets": [
         "CHANGELOG.md",
-        "pyproject.toml"
+        "pyproject.toml",
+        "uv.lock"
       ],
       "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
     }
diff --git a/uv.lock b/uv.lock
index 61052f15..504941ba 100644
--- a/uv.lock
+++ b/uv.lock
@@ -2926,7 +2926,7 @@ wheels = [
 
 [[package]]
 name = "spotoptim"
-version = "0.12.5"
+version = "0.12.6"
 source = { editable = "." }
 dependencies = [
     { name = "black" },
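Review bot: `uv lock` appended to `prepareCmd` re-resolves the lockfile on the release path with network access, so if `uv.lock` has drifted from `pyproject.toml` the chore(release) commit will carry unreviewed dependency changes rather than only the `spotoptim` version line that the `uv.lock` hunk below shows. A `uv lock --locked` gate earlier in the release job, or a `"verifyConditionsCmd": "uv lock --locked"` entry in this same exec plugin block, would fail the release instead of silently committing a re-resolution, and it guarantees the `uv.lock` asset added in the `@@ -159` hunk differs only by the bumped version. The exec plugin's other entries lie outside these hunks.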