From c9fc55fa1865ac7bd8dc58eeb19b798df8aa1106 Mon Sep 17 00:00:00 2001
From: Geoff Lamrock <geoff.lamrock@gmail.com>
Date: Tue, 5 May 2026 15:12:18 +1000
Subject: [PATCH] chore: Use GitHub App token for Renovate instead of personal
 access token

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/update-dependencies.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
index c6db7a53..42eccdf9 100644
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -15,14 +15,22 @@ jobs:
   renovate:
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Self-hosted Renovate
         uses: renovatebot/github-action@f9c81dddc9b589e4e6ae0326d1e36f6bc415d230 # v39.2.4
         with:
           configurationFile: renovate-config.js
-          token: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
         env:
           LOG_LEVEL: debug
           RENOVATE_DRY_RUN: ${{ inputs.dryRun && 'full' || null }}