diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 06cda485c..c3c3b1fc3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -33,6 +33,7 @@ jobs:
         with:
           node-version: 20.x
           registry-url: "https://registry.npmjs.org"
+          token: ""
 
       - name: Ensure npm 11.5.1+ for trusted publishing
         run: npm install -g npm@^11.5.1
@@ -47,4 +48,7 @@ jobs:
           # This expects you to have a script called release which does a build for your packages and calls changeset publish
           publish: yarn release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # we use trusted publishing and setup-node will set these incorrectly. Unset if we ever use RO_TOKEN
+          NODE_AUTH_TOKEN: ""
+          NPM_TOKEN: ""
diff --git a/security.yaml b/security.yaml
new file mode 100644
index 000000000..3f6e3ef1b
--- /dev/null
+++ b/security.yaml
@@ -0,0 +1 @@
+codeowner_approvals: false