diff --git a/.github/workflows/ci-locks.yml b/.github/workflows/ci-locks.yml
index 88d7323..0520abc 100644
--- a/.github/workflows/ci-locks.yml
+++ b/.github/workflows/ci-locks.yml
@@ -24,10 +24,6 @@ defaults:
   run:
     shell: bash -l {0}
 
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   locks-update:
     name: "update lockfiles"
@@ -56,12 +52,19 @@ jobs:
           pixi workspace export conda-explicit-spec --environment ${{ env.NAME }} --frozen --ignore-pypi-errors requirements
           pixi workspace export conda-environment --environment ${{ env.NAME }} requirements/mo-pack.yml
 
+      - name: "generate token"
+        uses: actions/create-github-app-token@v2
+        id: generate-token
+        with:
+          app-id: ${{ secrets.AUTH_APP_ID }}
+          private-key: ${{ secrets.AUTH_APP_PRIVATE_KEY }}
+
       - name: "create pull-request"
         id: cpr
         if: ${{ hashFiles('diff.md') }}
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.generate-token.outputs.token }}
           add-paths: |
             ${{ github.workspace }}/pixi.lock
             ${{ github.workspace }}/requirements/mo-pack*.txt