diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index fe1ffd8..d051de7 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -1,28 +1,41 @@
+# see https://gist.github.com/xt0rted/46475099dc0a70ba63e16e3177407872
+
 name: Dependabot auto-merge
 
 on:
   pull_request:
     branches:
-    - master
+      - master
 
 permissions:
-  issues: write
-  contents: write
-  pull-requests: write
+  contents: read
+  pull-requests: read
 
 jobs:
   auto-merge:
     runs-on: ubuntu-latest
+
     if: github.actor == 'dependabot[bot]'
+
     steps:
+      - name: Create token
+        id: create_token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.BIG_MERGER_APP_ID }}
+          private_key: ${{ secrets.BIG_MERGER_PRIVATE_KEY }}
+
       - name: Dependabot metadata
         id: dependabot-metadata
         uses: dependabot/fetch-metadata@v1
         with:
-          github-token: '${{ secrets.GITHUB_TOKEN }}'
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Authenticate cli
+        run: echo "${{ steps.create_token.outputs.token }}" | gh auth login --with-token
+
       - name: Enable auto-merge for Dependabot PRs
         if: contains(fromJSON('["version-update:semver-patch", "version-update:semver-minor"]'), steps.dependabot-metadata.outputs.update-type)
         run: gh pr merge --auto --squash "$PR_URL"
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}