diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 6ad171c..89d9f50 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -23,4 +23,8 @@ jobs:
         run: gh pr merge --auto --merge "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # AUTOMERGE_PAT (repo+workflow scope) lets auto-merge work on PRs that
+          # touch .github/workflows/** (e.g. github-actions bumps); the default
+          # GITHUB_TOKEN is forbidden by GitHub from doing so. Falls back to
+          # GITHUB_TOKEN when the secret is absent (unchanged behavior).
+          GH_TOKEN: ${{ secrets.AUTOMERGE_PAT || secrets.GITHUB_TOKEN }}