diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
index 4ae8fc863957c..97ba215778c25 100644
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -1,8 +1,8 @@
 self-hosted-runner:
   # Labels of self-hosted runner in array of strings.
-  labels:
-    - 11-arm64
+  labels: []
 # Configuration variables in array of strings defined in your repository or
 # organization. `null` means disabling configuration variables check.
 # Empty array means no configuration variable is allowed.
-config-variables: []
+config-variables:
+  - BREW_COMMIT_APP_ID
diff --git a/.github/workflows/vendor-gems.yml b/.github/workflows/vendor-gems.yml
index 12aa4372b2545..b1f1a59f65c94 100644
--- a/.github/workflows/vendor-gems.yml
+++ b/.github/workflows/vendor-gems.yml
@@ -151,11 +151,19 @@ jobs:
                        -m "Autogenerated by the [vendor-gems](https://github.com/Homebrew/brew/blob/HEAD/.github/workflows/vendor-gems.yml) workflow."
           fi
 
+      - name: Generate push token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        if: github.event_name == 'pull_request_target' || github.event_name == 'workflow_dispatch'
+        with:
+          app-id: ${{ vars.BREW_COMMIT_APP_ID }}
+          private-key: ${{ secrets.BREW_COMMIT_APP_KEY }}
+
       - name: Push to pull request
         if: github.event_name == 'pull_request_target' || github.event_name == 'workflow_dispatch'
         uses: Homebrew/actions/git-try-push@master
         with:
-          token: ${{ secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           directory: ${{ steps.set-up-homebrew.outputs.repository-path }}
           branch: ${{ steps.checkout.outputs.branch }}
           force: true