diff --git a/.github/workflows/versioning.yaml b/.github/workflows/versioning.yaml
index 212b532..6c54735 100644
--- a/.github/workflows/versioning.yaml
+++ b/.github/workflows/versioning.yaml
@@ -15,10 +15,16 @@ jobs:
         if: (github.event.head_commit.message != 'Update package version')
         runs-on: ubuntu-latest
         steps:
+          - name: Generate GitHub App token
+            id: app-token
+            uses: actions/create-github-app-token@v1
+            with:
+              app-id: ${{ secrets.APP_ID }}
+              private-key: ${{ secrets.APP_PRIVATE_KEY }}
           - name: Checkout repo
             uses: actions/checkout@v4
             with:
-              token: ${{ secrets.POLICYENGINE_GITHUB }}
+              token: ${{ steps.app-token.outputs.token }}
               fetch-depth: 0
           - name: Setup Python
             uses: actions/setup-python@v5
@@ -35,3 +41,5 @@ jobs:
             with:
               add: "."
               message: Update package version
+              github_token: ${{ steps.app-token.outputs.token }}
+              fetch: false
diff --git a/changelog.d/migrate-to-app-token.changed.md b/changelog.d/migrate-to-app-token.changed.md
new file mode 100644
index 0000000..fc394fa
--- /dev/null
+++ b/changelog.d/migrate-to-app-token.changed.md
@@ -0,0 +1 @@
+Migrated versioning workflow from expired POLICYENGINE_GITHUB PAT to GitHub App token (APP_ID/APP_PRIVATE_KEY).