diff --git a/.github/workflows/autofix-command.yml b/.github/workflows/autofix-command.yml
index ba5aefb1b..23af24386 100644
--- a/.github/workflows/autofix-command.yml
+++ b/.github/workflows/autofix-command.yml
@@ -27,12 +27,20 @@ jobs:
     runs-on: "${{ matrix.os }}-latest"
     steps:
       # Custom steps to fetch the PR and checkout the code:
+      - name: Authenticate as GitHub App
+        uses: actions/create-github-app-token@v2
+        id: get-app-token
+        with:
+          owner: "airbytehq"
+          repositories: "airbyte-python-cdk"
+          app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+          private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
       - name: Checkout Airbyte
         uses: actions/checkout@v4
         with:
           # Important that this is set so that CI checks are triggered again
           # Without this we would be forever waiting on required checks to pass
-          token: ${{ secrets.GH_PAT_APPROVINGTON_OCTAVIA }}
+          token: ${{ steps.get-app-token.outputs.token }}
 
       - name: Checkout PR (${{ github.event.inputs.pr }})
         uses: dawidd6/action-checkout-pr@v1
diff --git a/.github/workflows/poe-command.yml b/.github/workflows/poe-command.yml
index e3fcaf37c..802f70683 100644
--- a/.github/workflows/poe-command.yml
+++ b/.github/workflows/poe-command.yml
@@ -20,9 +20,17 @@ jobs:
       GCP_GSM_CREDENTIALS: ${{ secrets.GCP_GSM_CREDENTIALS }}
     runs-on: ubuntu-latest
     steps:
+      - name: Authenticate as GitHub App
+        uses: actions/create-github-app-token@v2
+        id: get-app-token
+        with:
+          owner: "airbytehq"
+          repositories: "airbyte-python-cdk"
+          app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+          private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
       - name: Run Poe Slash Command Processor
         uses: aaronsteers/poe-command-processor@v1
         with:
           pr: ${{ github.event.inputs.pr }}
           comment-id: ${{ github.event.inputs.comment-id }}
-          github-token: ${{ secrets.GH_PAT_MAINTENANCE_OCTAVIA }}
+          github-token: ${{ steps.get-app-token.outputs.token }}
diff --git a/.github/workflows/poetry-lock-command.yml b/.github/workflows/poetry-lock-command.yml
index d31fc4c6f..88233ec8a 100644
--- a/.github/workflows/poetry-lock-command.yml
+++ b/.github/workflows/poetry-lock-command.yml
@@ -24,12 +24,20 @@ jobs:
     runs-on: "${{ matrix.os }}-latest"
     steps:
       # Custom steps to fetch the PR and checkout the code:
+      - name: Authenticate as GitHub App
+        uses: actions/create-github-app-token@v2
+        id: get-app-token
+        with:
+          owner: "airbytehq"
+          repositories: "airbyte-python-cdk"
+          app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+          private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
       - name: Checkout Airbyte
         uses: actions/checkout@v4
         with:
           # Important that this is set so that CI checks are triggered again
           # Without this we would be forever waiting on required checks to pass
-          token: ${{ secrets.GH_PAT_APPROVINGTON_OCTAVIA }}
+          token: ${{ steps.get-app-token.outputs.token }}
 
       - name: Checkout PR (${{ github.event.inputs.pr }})
         uses: dawidd6/action-checkout-pr@v1
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5e1d729ca..b4cc24318 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -358,11 +358,19 @@ jobs:
       - uses: actions/setup-python@v5
         with:
           python-version: "3.10"
+      - name: Authenticate as GitHub App
+        uses: actions/create-github-app-token@v2
+        id: get-app-token
+        with:
+          owner: "airbytehq"
+          repositories: "airbyte-platform-internal"
+          app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+          private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
       - name: Checkout Airbyte Platform Internal
         uses: actions/checkout@v4
         with:
           repository: airbytehq/airbyte-platform-internal
-          token: ${{ secrets.GH_PAT_MAINTENANCE_OCTAVIA }}
+          token: ${{ steps.get-app-token.outputs.token }}
       - name: Update Builder's CDK version to ${{ env.VERSION }}
         # PyPI servers aren't immediately updated so we may need to retry a few times.
         uses: nick-fields/retry@v3
@@ -386,7 +394,7 @@ jobs:
         id: create-pull-request
         uses: peter-evans/create-pull-request@v7
         with:
-          token: ${{ secrets.GH_PAT_MAINTENANCE_OCTAVIA }}
+          token: ${{ steps.get-app-token.outputs.token }}
           commit-message: "chore: update CDK version following release"
           title: "chore: update CDK version following release"
           body: This is an automatically generated PR triggered by a CDK release
diff --git a/.github/workflows/slash_command_dispatch.yml b/.github/workflows/slash_command_dispatch.yml
index 1fa1f7012..b42d61e64 100644
--- a/.github/workflows/slash_command_dispatch.yml
+++ b/.github/workflows/slash_command_dispatch.yml
@@ -8,6 +8,14 @@ jobs:
   slashCommandDispatch:
     runs-on: ubuntu-24.04
     steps:
+      - name: Authenticate as GitHub App
+        uses: actions/create-github-app-token@v2
+        id: get-app-token
+        with:
+          owner: "airbytehq"
+          repositories: "airbyte-python-cdk"
+          app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+          private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
       - name: Slash Command Dispatch
         id: dispatch
         # TODO: Revert to `peter-evans/slash-command-dispatch@v4` after PR merges:
@@ -15,7 +23,7 @@ jobs:
         uses: aaronsteers/slash-command-dispatch@aj/fix/add-dispatched-bool-output
         with:
           repository: ${{ github.repository }}
-          token: ${{ secrets.GH_PAT_MAINTENANCE_OCTAVIA }}
+          token: ${{ steps.get-app-token.outputs.token }}
           dispatch-type: workflow
           issue-type: both