diff --git a/.github/workflows/fix-dependabot-alerts.yml b/.github/workflows/fix-dependabot-alerts.yml
index 3156bcfa1..d0622a541 100644
--- a/.github/workflows/fix-dependabot-alerts.yml
+++ b/.github/workflows/fix-dependabot-alerts.yml
@@ -431,10 +431,25 @@ jobs:
 echo "shell_ok=true" >> "$GITHUB_OUTPUT"
 # ── Create PR ───────────────────────────────────────────────────
+ # GitHub App installation tokens expire after 1 hour. The build/verify
+ # phase routinely runs longer than that, so the original app-token
+ # minted at job start is expired by the time we get here, causing
+ # `gh pr create` to fail with 401 Bad credentials (the `git push`
+ # itself works because actions/checkout uses the workflow's own
+ # GITHUB_TOKEN, which is valid for the full job lifetime). Mint a
+ # fresh app token immediately before any late-running `gh` calls.
+ - name: Refresh GitHub App token
+ id: app-token-pr
+ if: ${{ steps.fix.outputs.changes == 'true' && steps.build.outputs.build_ok == 'true' }}
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ vars.DEPENDABOT_APP_ID }}
+ private-key: ${{ secrets.DEPENDABOT_APP_PRIVATE_KEY }}
+
 - name: Create pull request
 if: ${{ steps.fix.outputs.changes == 'true' && steps.build.outputs.build_ok == 'true' }}
 env:
- GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ GH_TOKEN: ${{ steps.app-token-pr.outputs.token }}
 run: |
 BRANCH="automated/fix-dependabot-alerts-$(date +%Y%m%d)-${{ github.run_number }}"
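Review bot: The new `Refresh GitHub App token` step mints an installation token with the action's default scope, i.e. every repository the app is installed on with the app's full permission set, while the only consumer in this hunk is `gh pr create` against the current repository; `actions/create-github-app-token@v1` accepts `owner` and `repositories` inputs, so adding `repositories: ${{ github.event.repository.name }}` under `with:` keeps the second token as narrow as the job needs (if the original `app-token` step outside this hunk is scoped, mirror its inputs here rather than re-deriving them). The step is also referenced by a floating major tag rather than a commit SHA, which for a step that receives `secrets.DEPENDABOT_APP_PRIVATE_KEY` is the one place in the workflow where a SHA pin plus a Dependabot `github-actions` update rule is worth the maintenance cost. The comment's claim that `git push` succeeds via the checkout credentials is plausible but not verifiable from this hunk, since the checkout step and the original `app-token` step lie outside it; a short `# NOTE: assumes checkout persisted GITHUB_TOKEN credentials — confirm` would keep the next maintainer from relying on it blindly. The `if:` expression is duplicated verbatim between this step and `Create pull request`; should either condition drift the PR step will read an empty token and fail the same way this change is fixing, so consider noting that they must stay in sync. The enclosing `Create pull request` step's `run:` body continues past the end of the hunk.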