diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml
index a963117..f642dba 100644
--- a/.github/.kodiak.toml
+++ b/.github/.kodiak.toml
@@ -1,7 +1,7 @@
 version = 1
 
 [approve]
-auto_approve_usernames = ["cq-bot"]
+auto_approve_usernames = ["cloudquery-ci"]
 
 [merge.message]
 body = "pull_request_body"
diff --git a/.github/workflows/regen.yml b/.github/workflows/regen.yml
index 4749ed4..295b7a2 100644
--- a/.github/workflows/regen.yml
+++ b/.github/workflows/regen.yml
@@ -12,6 +12,14 @@ jobs:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+        with:
+          app-id: ${{ secrets.CQ_APP_ID }}
+          private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
@@ -31,11 +39,10 @@ jobs:
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
         with:
           # required so the PR triggers workflow runs
-          token: ${{ secrets.GH_CQ_BOT }}
+          token: ${{ steps.app-token.outputs.token }}
           branch: fix/gen_proto
           base: main
           title: "fix: Generate JavaScript Code from `plugin-pb`"
           commit-message: "fix: Generate JavaScript Code from `plugin-pb`"
           body: This PR was created by a scheduled workflow to regenerate the JavaScript code from `plugin-pb`.
-          author: cq-bot <cq-bot@users.noreply.github.com>
           labels: automerge
diff --git a/.github/workflows/release_pr.yml b/.github/workflows/release_pr.yml
index 2df9788..67f8b08 100644
--- a/.github/workflows/release_pr.yml
+++ b/.github/workflows/release_pr.yml
@@ -11,7 +11,15 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+        with:
+          app-id: ${{ secrets.CQ_APP_ID }}
+          private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
       - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4
         id: release
         with:
-          token: ${{ secrets.GH_CQ_BOT }}
+          token: ${{ steps.app-token.outputs.token }}