diff --git a/.github/workflows/update-flake-lock.yaml b/.github/workflows/update-flake-lock.yaml
index ebf2c64..e36d0a3 100644
--- a/.github/workflows/update-flake-lock.yaml
+++ b/.github/workflows/update-flake-lock.yaml
@@ -9,15 +9,21 @@ jobs:
 update-flake-lock:
 name: Update flake.lock
 runs-on: ubuntu-24.04
- permissions:
- contents: write
- pull-requests: write
 steps:
+ - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+ id: app-token
+ with:
+ app-id: ${{ vars.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
 - uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
 - uses: DeterminateSystems/update-flake-lock@e80a657d7603606be0c69b117cfdc240f1e6af88
 with:
 pr-title: 'deps: update flake.lock'
 pr-labels: |
 dependencies
 path-to-flake-dir: 'nix/'
+ token: ${{ steps.app-token.outputs.token }}
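Review bot: Dropping the job-level `permissions:` block does not remove the built-in `GITHUB_TOKEN`; the job now gets whatever the repository or organisation default grants, and `actions/checkout` by default still uses and persists that token for the third-party steps that follow. Unless a workflow-level `permissions:` key above this hunk already restricts it (not visible here), keep an explicit `permissions:` with `contents: read` on the job instead of deleting the key. The new app token is also minted with every permission the App installation holds; `actions/create-github-app-token` accepts `permission-contents: write` and `permission-pull-requests: write` under its `with:` to limit it to what the removed block used to grant.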