diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a19cc173105..04d532d61bb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -68,10 +68,20 @@ jobs:
 if git rev-parse --verify origin/prod > /dev/null 2>&1; then
 COUNT=$(git log --oneline "origin/prod..HEAD" | grep -c . || true)
 echo "commit_list=${COUNT} commit(s) pending" >> "$GITHUB_OUTPUT"
- echo "Commits to deploy ($COUNT):"
- git log --oneline "origin/prod..HEAD"
+ LOG=$(git log --oneline "origin/prod..HEAD")
+ printf '%s\n' "Commits to deploy ($COUNT):"
+ printf '%s\n' "$LOG"
+ # JSON-encode the commit log for safe embedding in the Slack Block Kit payload.
+ # Commit subjects can contain characters (e.g. quotes, backslashes) that would
+ # otherwise break the JSON. Truncate the raw log before encoding to avoid
+ # splitting escape sequences, leaving headroom for Slack's 3000-char block limit
+ # after the prefix text the Slack action prepends.
+ LOG_JSON=$(printf '%s' "$LOG" | head -c 2500 | jq -Rs '.')
+ LOG_ESCAPED="${LOG_JSON:1:-1}"
+ echo "commit_log=${LOG_ESCAPED}" >> "$GITHUB_OUTPUT"
 else
 echo "commit_list=unknown (origin/prod not available)" >> "$GITHUB_OUTPUT"
+ echo "commit_log=origin/prod not available — cannot list commits" >> "$GITHUB_OUTPUT"
 echo "Unable to compare — origin/prod not found"
 fi
@@ -84,7 +94,7 @@ jobs:
 channel_id: ${{ env.SLACK_CHANNEL_WWW }}
 slack_bot_token: ${{ env.SLACK_BOT_TOKEN }}
 ref: ${{ steps.resolve-sha.outputs.release_sha }}
- message: "Starting Bedrock release (${{ steps.commit-list.outputs.commit_list }}), triggered by ${{ github.actor }}"
+ message: "Starting Bedrock release (${{ steps.commit-list.outputs.commit_list }}), triggered by ${{ github.actor }}\n\nCommits:\n${{ steps.commit-list.outputs.commit_log }}"
 - name: Notify #www-notify — release started
 uses: ./.github/actions/slack 
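Review bot: `head -c 2500` on the `LOG_JSON=` line truncates by byte, so a commit subject containing a multi-byte UTF-8 character can be cut in the middle of a sequence, and `jq -Rs` will then either error out or emit a replacement character; the comment above it guards against splitting JSON escape sequences but not against splitting UTF-8. Truncating by line avoids both problems and never leaves a half entry: `LOG_JSON=$(printf '%s' "$LOG" | head -n 40 | jq -Rs '.')`. The escaped output is also longer than the raw input (every newline becomes two characters, every quote or backslash two), so the 2500-byte headroom against Slack's 3000-character limit is approximate rather than guaranteed. The step's `run:` header and any `set -o pipefail` are outside the hunk, so I could not confirm whether a jq failure is caught or silently yields an empty `commit_log`.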
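Review bot: The new `message:` line interpolates `steps.commit-list.outputs.commit_log` — text assembled from commit subjects, which are contributor-controlled — into a `with:` input via `${{ }}`, and the JSON escaping applied upstream does not neutralise shell metacharacters such as backticks or `$(...)`. Whether that is exploitable depends on `./.github/actions/slack`, which is not in the diff: if any of its `run:` steps reference `${{ inputs.message }}` inline rather than reading it from an `env:` variable, this is a script-injection path and the action should be changed to take the message from the environment. There is also an encoding mismatch worth confirming: the YAML double-quoted `"\n\nCommits:\n"` produces real newlines, while the commit lines carry a literal backslash-n from jq, so either the action JSON-encodes the message (and the log's `\n` will be shown verbatim in Slack) or it splices raw text into the payload (and the header's real newlines will break the JSON) — only one of the two conventions can be correct.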
@@ -261,6 +271,11 @@ jobs:
 fetch-depth: 0
 fetch-tags: true
 ref: main
+ # A PAT is required here instead of the default GITHUB_TOKEN because GitHub
+ # does not trigger downstream workflow runs (e.g. build-and-push.yml) when a
+ # push is made using GITHUB_TOKEN. Using a PAT means the push is attributed
+ # to a real user, which causes GitHub to fire the push event normally.
+ token: ${{ secrets.BEDROCK_GHA_RELEASE_WORKFLOW_PAT }}
 # persist-credentials: true (default) — required for git push to stage
 - name: Configure git identity
@@ -448,6 +463,9 @@ jobs:
 fetch-depth: 0
 fetch-tags: true
 ref: main
+ # A PAT is required here instead of the default GITHUB_TOKEN — see the
+ # equivalent comment in deploy-to-stage for the full explanation.
+ token: ${{ secrets.BEDROCK_GHA_RELEASE_WORKFLOW_PAT }}
 # persist-credentials: true (default) — required for git push to prod and tag push
 - name: Configure git identity
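Review bot: With `token:` set to a PAT and, as the comment directly below it says, `persist-credentials` left at its default of true, the checkout writes the PAT into `.git/config` for the rest of the job, so every later step — any third-party action and any script checked out from the repository — can read a long-lived credential that can push to `main`, `stage` and `prod`. Prefer `persist-credentials: false` on this checkout and hand the credential only to the push step from an `env:` variable, or replace the PAT with a short-lived GitHub App installation token (e.g. from `actions/create-github-app-token`), which also fires downstream push events and so removes the stated reason for the PAT. If the PAT stays, extend the comment to say that it must be a fine-grained token scoped to this repository with only `contents: write`, and whose account it belongs to, since pushes and tags will be attributed to that user and, depending on the repository's rulesets, may bypass protections that apply to `GITHUB_TOKEN`. The checkout step this `token:` belongs to starts before the hunk.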
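Review bot: This second use of `BEDROCK_GHA_RELEASE_WORKFLOW_PAT` now drives the prod push and the tag push, and its comment only defers to the deploy-to-stage explanation; it should also record the control against a workflow loop, because pushing with a PAT deliberately removes the safeguard that stops `GITHUB_TOKEN` pushes from triggering other workflows. Confirm that `build-and-push.yml` and anything triggered by the tag push cannot in turn trigger `release.yml`, and add a line such as `# NOTE: a PAT push fires downstream workflows; release.yml must not itself run on pushes to prod or on tags, or this will loop.`. As in the stage job, `persist-credentials` is left at its default here, so the same credential-exposure concern applies to every step that follows this checkout; the checkout step itself starts before the hunk.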