diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
deleted file mode 100644
index 9a52d0e..0000000
--- a/.github/release-drafter.yml
+++ /dev/null
@@ -1,68 +0,0 @@
----
-# SPDX-FileCopyrightText: 2025 The Linux Foundation
-# SPDX-License-Identifier: Apache-2.0
-
-name-template: "v$RESOLVED_VERSION"
-tag-template: "v$RESOLVED_VERSION"
-change-template: "- $TITLE @$AUTHOR (#$NUMBER)"
-sort-direction: ascending
-categories:
- - title: ":boom: Breaking Change :boom:"
- labels:
- - "breaking-change"
- title: ":zap: Enhancements :zap:"
- labels:
- - "enhancement"
- title: ":sparkles: New Features :sparkles:"
- labels:
- - "feature"
- title: ":bug: Bug Fixes :bug:"
- labels:
- - "fix"
- - "bugfix"
- - "bug"
- title: ":wrench: Maintenance :wrench:"
- labels:
- - "chore"
- - "documentation"
- - "maintenance"
- - "repo"
- - "dependencies"
- - "github_actions"
- - "refactor"
- title: ":mortar_board: Code Quality :mortar_board:"
- labels:
- - "code-quality"
- - "CI"
- - "test"
-autolabeler:
- - label: "breaking-change"
- title:
- - "/!:/i"
- label: "feature"
- title:
- - "/feat:/i"
- label: "bug"
- title:
- - "/fix:/i"
- label: "refactor"
- title:
- - "/refactor:/i"
- label: "code-quality"
- title:
- - "/test:/i"
- label: "CI"
- title:
- - "/ci:/i"
- label: "chore"
- title:
- - "/chore:/i"
- label: "documentation"
- title:
- - "/docs:/i"
-# yamllint disable rule:line-length
-template: |
- $CHANGES
-
- ## Links
- - [Submit bugs/feature requests](https://github.com/$OWNER/$REPOSITORY/issues)
diff --git a/.github/workflows/autolabeler.yaml b/.github/workflows/autolabeler.yaml
new file mode 100644
index 0000000..2c77470
--- /dev/null
+++ b/.github/workflows/autolabeler.yaml
@@ -0,0 +1,59 @@
+---
+# SPDX-FileCopyrightText: 2025 The Linux Foundation
+# SPDX-License-Identifier: Apache-2.0
+
+name: 'Autolabeler'
+
+# yamllint disable-line rule:truthy
+on:
+ # pull_request is required for autolabeler
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ - reopened
+ # pull_request_target is required for autolabeler on PRs from forks
+ pull_request_target:
+ types:
+ - opened
+ - synchronize
+ - reopened
+
+permissions: {}
+
+concurrency:
+ # yamllint disable-line rule:line-length
+ group: ${{ format('al-{0}-pr-{1}', github.event_name, github.event.pull_request.number) }}
+ cancel-in-progress: true
+
+jobs:
+ autolabel:
+ name: 'Autolabel PR'
+ # Run on pull_request_target for forks, or pull_request for same-repo PRs
+ # This prevents duplicate runs for same-repo PRs
+ # yamllint disable rule:line-length
+ if: >
+ (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.fork) ||
+ (github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork)
+ # yamllint enable rule:line-length
+ # SECURITY: pull_request_target with write permissions is safe here because:
+ # 1. This workflow does NOT checkout any code from the PR
+ # 2. The workflow code itself runs from the base branch (not the fork)
+ # 3. release-drafter only makes GitHub API calls (no code execution)
+ # 4. pull_request_target is needed ONLY for autolabeling fork PRs
+ permissions:
+ # write permission is required for autolabeler
+ pull-requests: write
+ # read is sufficient; autolabeler does not create releases
+ contents: read
+ runs-on: 'ubuntu-latest'
+ timeout-minutes: 3
+ steps:
+ # Harden the runner used by this workflow
+ # yamllint disable-line rule:line-length
+ - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: 'audit'
+
+ # yamllint disable-line rule:line-length
+ - uses: release-drafter/release-drafter/autolabeler@44a942e465867c7465b76aa808ddca6e0acae5da # v7.1.0
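Review bot: The autolabeler step at the end of the hunk passes no `config-name`, so release-drafter will look for its default `.github/release-drafter.yml`, and that file — the only place the autolabeler title rules were defined — is deleted by this same commit; unless an organisation-level `.github` repository now supplies that config, the job has no rules to apply and the fork/same-repo split guarded by the `if:` buys nothing. The same step also sets no `env: GITHUB_TOKEN`, which the previous release-drafter.yaml step passed explicitly, and the new release-drafter.yaml hunk drops it as well. If v7.1.0 does not read `github.token` on its own, restore `env:` / `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on both steps. Whichever way the config is meant to be found, say so next to the step, e.g. `# Label rules are read from <CONFIG-SOURCE>; no config-name is set` with the real source filled in, so the next reader does not go looking for the deleted file.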
diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml
index c48f3d7..1bbe32f 100644
--- a/.github/workflows/release-drafter.yaml
+++ b/.github/workflows/release-drafter.yaml
@@ -2,37 +2,34 @@
 # SPDX-FileCopyrightText: 2025 The Linux Foundation
 # SPDX-License-Identifier: Apache-2.0
-name: Release Drafter
+name: 'Release Drafter'
 # yamllint disable-line rule:truthy
 on:
 push:
 branches:
 - main
- # pull_request is required for autolabeler
- pull_request:
- types:
- - opened
- - synchronize
- - reopened
- # pull_request_target is required for autolabeler on PRs from forks
- pull_request_target:
- types:
- - opened
- - synchronize
- - reopened
+
+permissions: {}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
 jobs:
 update_release_draft:
+ name: 'Update Release Draft'
 permissions:
 # write permission is required to create releases
 contents: write
- # write permission is required for autolabeler
- pull-requests: write
- runs-on: ubuntu-latest
- timeout-minutes: 5
+ runs-on: 'ubuntu-latest'
+ timeout-minutes: 3
 steps:
+ # Harden the runner used by this workflow
+ # yamllint disable-line rule:line-length
+ - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: 'audit'
+
 # yamllint disable-line rule:line-length
- - uses: release-drafter/release-drafter@3a7fb5c85b80b1dda66e1ccb94009adbbd32fce3 # v7.0.0
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - uses: release-drafter/release-drafter@44a942e465867c7465b76aa808ddca6e0acae5da # v7.1.0
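Review bot: The harden-runner step added before the release-drafter action runs with `egress-policy: 'audit'`, which only records outbound connections and blocks nothing, while this job holds a `contents: write` token on every push to main. The only network dependency visible in the hunk is the GitHub API, so an enforcing policy is cheap here and limits what a compromised or hijacked third-party action could reach with that token: `egress-policy: 'block'` plus `allowed-endpoints: >` `api.github.com:443`, extended with whatever a first audit-mode run shows release-drafter actually contacting. The new autolabeler.yaml uses the same audit-only setting with a `pull-requests: write` token and would benefit from the same change.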