diff --git a/.github/workflows/bundle.yml b/.github/workflows/bundle.yml
index e42baa4..f9f175a 100644
--- a/.github/workflows/bundle.yml
+++ b/.github/workflows/bundle.yml
@@ -497,6 +497,14 @@ jobs:
     # Stable tags only — beta/pre-release builds must not replace the Homebrew cask
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && needs.release.outputs.is_prerelease == 'false'
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
+          private-key: ${{ secrets.RELEASE_BOT_APP_PRIVATE_KEY }}
+          repositories: homebrew-tap
+
       - name: Download macOS artifacts
         uses: actions/download-artifact@v7
         with:
@@ -505,7 +513,7 @@ jobs:
 
       - name: Update Homebrew Tap
         env:
-          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           TAG: ${{ github.ref_name }}
         run: |
           VERSION="${TAG#v}"
@@ -513,7 +521,7 @@ jobs:
           DMG_SHA=$(sha256sum "$DMG_FILE" | cut -d' ' -f1)
           REPO="datum-cloud/app"
 
-          git clone https://x-access-token:${HOMEBREW_TAP_TOKEN}@github.com/datum-cloud/homebrew-tap.git tap
+          git clone https://x-access-token:${GH_TOKEN}@github.com/datum-cloud/homebrew-tap.git tap
           mkdir -p tap/Casks
           rm -f tap/Casks/datum.rb
 
@@ -537,5 +545,6 @@ jobs:
           git config user.name "Datum Release Bot"
           git config user.email "releases@datum.net"
           git add Casks/
-          git diff --cached --quiet || git commit -m "Brew cask update for Datum Desktop version ${TAG}"
+          git diff --cached --quiet && exit 0
+          git commit -m "Brew cask update for Datum Desktop version ${TAG}"
           git push