diff --git a/.github/workflows/update-main-source.yml b/.github/workflows/update-main-source.yml
index 5e73cf6c9..909a26ad8 100644
--- a/.github/workflows/update-main-source.yml
+++ b/.github/workflows/update-main-source.yml
@@ -8,11 +8,9 @@ on:
 jobs:
   update:
     permissions:
-      contents: read
       id-token: write
     runs-on: ubuntu-latest
     steps:
-
     - name: Configure git
       run: |
         git config --global user.name "github-actions[bot]"
@@ -45,4 +43,3 @@ jobs:
         git diff --quiet origin/main-source main-source && exit 0
 
         git push origin main-source
-#        git remote set-url origin https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/rancher/partner-charts
diff --git a/.github/workflows/update-main.yml b/.github/workflows/update-main.yml
index e4d0196ba..fb4968810 100644
--- a/.github/workflows/update-main.yml
+++ b/.github/workflows/update-main.yml
@@ -12,8 +12,6 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-
     - name: Configure git
       run: |
         git config --global user.name "github-actions[bot]"
@@ -23,8 +21,8 @@ jobs:
       uses: rancher-eio/read-vault-secrets@main
       with:
         secrets: |
-          github/repo/rancher/partner-charts/github/app-credentials appId | APP_ID ;
-          github/repo/rancher/partner-charts/github/app-credentials privateKey | PRIVATE_KEY
+          secret/data/github/repo/rancher/partner-charts/github/app-credentials appId | APP_ID ;
+          secret/data/github/repo/rancher/partner-charts/github/app-credentials privateKey | PRIVATE_KEY
 
     - name: Generate short-lived github app token
       uses: actions/create-github-app-token@v1
@@ -33,9 +31,11 @@ jobs:
         app-id: ${{ env.APP_ID }}
         private-key: ${{ env.PRIVATE_KEY }}
 
+    - uses: actions/checkout@v4
+      with:
+        token: ${{ steps.app-token.outputs.token }}
+
     - name: Update main branch with latest from main-source
-      env:
-        APP_TOKEN: ${{ steps.app-token.outputs.token }}
       run: |
         # checkout action only fetches main-source, so we need to fetch main
         git fetch origin main --depth 1
@@ -48,5 +48,4 @@ jobs:
         git diff-index --quiet HEAD assets index.yaml && exit 0
 
         git commit -m "Release partner charts"
-        git remote set-url origin https://x-access-token:${APP_TOKEN}@github.com/rancher/partner-charts
-        git push origin
+        git push origin main