diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
index 2d1393a9b..7d115ae72 100644
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -15,14 +15,16 @@ jobs:
 renovate:
 runs-on: ubuntu-latest
- permissions:
- contents: write
- pull-requests: write
-
 steps:
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+ id: app-token
+ with:
+ app-id: ${{ vars.RENOVATE_APP_ID }}
+ private-key: ${{ secrets.RENOVATE_PRIVATE_KEY }}
+
 - name: Self-hosted Renovate
 uses: renovatebot/github-action@5712c6a41dea6cdf32c72d92a763bd417e6606aa # v44.0.5
 with:
@@ -30,6 +32,6 @@ jobs:
 token: "${{ secrets.GITHUB_TOKEN }}"
 env:
 LOG_LEVEL: ${{ env.ACTIONS_STEP_DEBUG == 'true' && 'debug' || 'info' }}
- RENOVATE_REPOSITORIES: ${{ github.repository }}
+ RENOVATE_REPOSITORIES: ${{ steps.app-token.outputs.token }}
 RENOVATE_ALLOW_SCRIPTS: true
 RENOVATE_SEPARATE_MAJOR_MINOR: false
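Review bot: Removing the job-level `permissions:` block leaves `GITHUB_TOKEN` on the repository or organisation default, which may be broader than the `contents: write` / `pull-requests: write` it replaces. If the job is meant to run on the app token, keep an explicit minimal block instead of deleting it, for example `permissions:` with only `contents: read` for the checkout step. The new token step sets only `app-id` and `private-key`, so the minted token carries whatever the app installation grants; it is worth confirming that is limited to what Renovate needs. The new step also has no `name:`, unlike its neighbours; `- name: Generate app token` would keep the run log readable.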
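Review bot: `RENOVATE_REPOSITORIES` now receives the app installation token instead of the repository name, while the `token:` input on the context line above still passes `secrets.GITHUB_TOKEN`, so the substitution appears to have landed on the wrong line. As written, Renovate is handed a credential as its repository list, where it can reach log or error output, and it still authenticates with the workflow token whose explicit permissions the first hunk removed. The intended change is presumably `token: "${{ steps.app-token.outputs.token }}"` with `RENOVATE_REPOSITORIES: ${{ github.repository }}` left as it was. The `with:` block starts outside this hunk, so confirm no other input there still expects the workflow token.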