diff --git a/.github/workflows/agent-restricted.yml b/.github/workflows/agent-restricted.yml
index 7a0948861..d229919a4 100644
--- a/.github/workflows/agent-restricted.yml
+++ b/.github/workflows/agent-restricted.yml
@@ -66,6 +66,13 @@ jobs:
 - uses: actions/checkout@v6
+ - name: Generate GitHub App Token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ vars.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
 - name: Run Strands Agent
 uses: ./.github/actions/strands-action
 with:
@@ -78,6 +85,6 @@ jobs:
 agent_runner: ${{ inputs.agent_runner }}
 aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
 aws_region: 'us-west-2'
- pat_token: ${{ secrets.PAT_TOKEN }}
+ pat_token: ${{ steps.app-token.outputs.token }}
 env:
 STRANDS_TOOLS_DIRECTORY: 'true'
diff --git a/.github/workflows/ci-failure-issue.yml b/.github/workflows/ci-failure-issue.yml
index 2114154ba..0cbb430a1 100644
--- a/.github/workflows/ci-failure-issue.yml
+++ b/.github/workflows/ci-failure-issue.yml
@@ -19,9 +19,16 @@ jobs:
 permissions:
 issues: write
 steps:
+ - name: Generate GitHub App Token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ vars.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
 - uses: actions/github-script@v9
 with:
- github-token: ${{ secrets.AUTOMATION_ACCOUNT_PAT_TOKEN }}
+ github-token: ${{ steps.app-token.outputs.token }}
 script: |
 try {
 const workflowName = context.payload.workflow_run.name;
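Review bot: The `Generate GitHub App Token` step added to agent-restricted.yml passes only `app-id` and `private-key`, so the token it mints carries every permission granted to the App installation, and the next hunk hands that token to the agent as `pat_token`. The action accepts `permission-<name>` inputs to narrow the token; which ones the agent needs is not visible in this diff, so the list has to come from what `./.github/actions/strands-action` actually calls. The identical step in ci-failure-issue.yml has the same gap: the job-level `permissions: issues: write` constrains only `GITHUB_TOKEN`, not the App token, so add `permission-issues: write` under `with:` there.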
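Review bot: The new `pat_token: ${{ steps.app-token.outputs.token }}` value is an App installation token, which is valid for one hour from the moment the `app-token` step runs. The agent's runtime is not visible in this hunk; if a run can exceed an hour, GitHub calls made late in the job will start failing with authentication errors. Confirm the job's timeout keeps it under that limit, and consider a comment on the input such as `# App installation token, expires 1h after the app-token step`. The `with:` block this line belongs to starts above the hunk.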
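Review bot: `uses: actions/create-github-app-token@v1` in ci-failure-issue.yml (and the same line in agent-restricted.yml) references a movable tag, and this is the step that receives `secrets.APP_PRIVATE_KEY`. Whatever code that tag points to at run time gets the App's signing key, so this step is worth pinning to a full commit SHA even though the neighbouring `actions/checkout@v6` and `actions/github-script@v9` use tags. The line would become `uses: actions/create-github-app-token@<full-commit-sha>  # v1.x.y`, with the placeholder replaced by the SHA of the release you have reviewed.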