diff --git a/.github/workflows/versioning.yaml b/.github/workflows/versioning.yaml
index 5df2b1f..d128e17 100644
--- a/.github/workflows/versioning.yaml
+++ b/.github/workflows/versioning.yaml
@@ -16,10 +16,16 @@ jobs:
 if: |
 (!(github.event.head_commit.message == 'Update package version'))
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
 - name: Checkout repo
 uses: actions/checkout@v4
 with:
- token: ${{ secrets.POLICYENGINE_GITHUB }}
+ token: ${{ steps.app-token.outputs.token }}
 fetch-depth: 0
 - name: Setup Python
 uses: actions/setup-python@v5
@@ -35,6 +41,8 @@ jobs:
 with:
 add: "."
 message: Update package version
+ github_token: ${{ steps.app-token.outputs.token }}
+ fetch: false
 publish-to-pypi:
 name: Publish to PyPI
 if: (github.event.head_commit.message == 'Update package version')
diff --git a/changelog.d/migrate-to-app-token.fixed.md b/changelog.d/migrate-to-app-token.fixed.md
new file mode 100644
index 0000000..2f5807c
--- /dev/null
+++ b/changelog.d/migrate-to-app-token.fixed.md
@@ -0,0 +1 @@
+Migrated versioning workflow from expired `POLICYENGINE_GITHUB` PAT to a short-lived GitHub App token, matching the pattern used by `policyengine-us`, `policyengine-core`, and `microdf`.
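Review bot: The new `Generate GitHub App token` step in the first hunk passes `secrets.APP_PRIVATE_KEY` to an action referenced by the movable tag `@v1`, so whatever that tag resolves to at run time can read the App's long-lived key. Pin it to a reviewed commit, e.g. `uses: actions/create-github-app-token@<full-commit-sha>  # v1` (placeholder, not a real hash). Unless restricted, the minted token carries every permission the App installation has; if this job only pushes the version commit, narrow it with the action's `permission-contents: write` input where the pinned release supports it, or confirm the App is installed with contents access only. Because the token goes to `actions/checkout`, which by default keeps the credential in the local git config, every later step in this job can push with it; the rest of the step list lies outside the hunk.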
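Review bot: In the second hunk, `fetch: false` is added with no comment saying why, although it changes the commit step's behaviour independently of the token migration. If the intent is that checkout has already fetched full history, a comment such as `# fetch: false: history already fetched by checkout (fetch-depth: 0)` would record it. The step's `uses:` line sits above the hunk, so it cannot be seen here whether the action that now receives `steps.app-token.outputs.token` is pinned to a commit SHA; it should be, since the token can write to the repository. It is also worth confirming from that action's documentation whether `github_token` authenticates the push, or whether the push still relies on the credential stored by checkout.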