diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e4b4d176..9fc0cf08 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -64,6 +64,8 @@ jobs:
           echo -n "$GOOGLE_PLAY_KEYSTORE_BASE64" | base64 --decode --output "$GOOGLE_PLAY_KEYSTORE_PATH"
 
       - name: Get build name and number, install dependencies
+        env:
+          TOKEN: ${{ secrets.MACHINE_USER_PAT }}
         run: |
           go install golang.org/x/mobile/cmd/gomobile@latest
           gomobile init
@@ -81,12 +83,20 @@ jobs:
 
       - name: Build iOS
         env:
+          TOKEN: ${{ secrets.MACHINE_USER_PAT }}
           MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
         run: |
           cd ios
           pod install
           fastlane build
 
+          # verify that the github token didn't make it into the output
+          mkdir -p build/app/test-ios
+          cp ios/MobileNebula.ipa build/app/test-ios
+          cd build/app/test-ios
+          unzip MobileNebula.ipa
+          find . | xargs strings &>/dev/null | grep -F "${TOKEN}" &>/dev/null && exit 1
+
       - name: Collect iOS artifacts
         uses: actions/upload-artifact@v3
         with:
@@ -101,6 +111,13 @@ jobs:
         run: |
           flutter build appbundle --build-number="$BUILD_NUMBER" --build-name="$BUILD_NAME"
 
+          # verify that the github token didn't make it into the output
+          mkdir -p build/app/test-android
+          cp build/app/outputs/bundle/release/app-release.aab build/app/test-android
+          cd build/app/test-android
+          unzip app-release.aab
+          find . | xargs strings &>/dev/null | grep -F "${TOKEN}" &>/dev/null && exit 1
+
       - name: Collect Android artifacts
         uses: actions/upload-artifact@v3
         with: