diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index bae29bc9428bc..8e95a9a21a97b 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -22,8 +22,8 @@ jobs:
 - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
 id: app-token
 with:
- app-id: ${{ vars.BACKPORT_APP_ID }}
- private-key: ${{ secrets.BACKPORT_PRIVATE_KEY }}
+ app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+ private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
diff --git a/.github/workflows/periodic-merge-24h.yml b/.github/workflows/periodic-merge-24h.yml
index 1028b64a91765..9090eb17a9656 100644
--- a/.github/workflows/periodic-merge-24h.yml
+++ b/.github/workflows/periodic-merge-24h.yml
@@ -14,9 +14,7 @@ on:
 - cron: '0 0 * * *'
 workflow_dispatch:

-permissions:
- contents: write # for devmasx/merge-branch to merge branches
- pull-requests: write # for peter-evans/create-or-update-comment to create or update comment
+permissions: {}

 jobs:
 periodic-merge:
@@ -39,3 +37,4 @@ jobs:
 with:
 from: ${{ matrix.pairs.from }}
 into: ${{ matrix.pairs.into }}
+ secrets: inherit
diff --git a/.github/workflows/periodic-merge-6h.yml b/.github/workflows/periodic-merge-6h.yml
index 9d72539dd02ee..f7ffec99a4df2 100644
--- a/.github/workflows/periodic-merge-6h.yml
+++ b/.github/workflows/periodic-merge-6h.yml
@@ -14,9 +14,7 @@ on:
 - cron: '0 */6 * * *'
 workflow_dispatch:

-permissions:
- contents: write # for devmasx/merge-branch to merge branches
- pull-requests: write # for peter-evans/create-or-update-comment to create or update comment
+permissions: {}

 jobs:
 periodic-merge:
@@ -37,3 +35,4 @@ jobs:
 with:
 from: ${{ matrix.pairs.from }}
 into: ${{ matrix.pairs.into }}
+ secrets: inherit
diff --git a/.github/workflows/periodic-merge.yml b/.github/workflows/periodic-merge.yml
index e8307308218c1..91ab0b25f146e 100644
--- a/.github/workflows/periodic-merge.yml
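Review bot: The new `secrets: inherit` in periodic-merge-24h.yml hands every repository and organization secret to the called workflow, while periodic-merge.yml only reads NIXPKGS_CI_APP_PRIVATE_KEY. Declare that one secret in the callee under `on.workflow_call.secrets` (with `required: true`) and pass it explicitly here instead: `secrets:` followed by `NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}`; the same applies to the identical line added in periodic-merge-6h.yml. The `permissions: {}` change above is the right direction and is unaffected by this. The enclosing `periodic-merge` job starts before the hunk.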
+++ b/.github/workflows/periodic-merge.yml
@@ -17,6 +17,14 @@ jobs:
 runs-on: ubuntu-24.04
 name: ${{ inputs.from }} → ${{ inputs.into }}
 steps:
+ # Use a GitHub App to create the PR so that CI gets triggered
+ # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
+ - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+ id: app-token
+ with:
+ app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+ private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

 - name: Find merge base between two branches
@@ -38,7 +46,7 @@ jobs:
 type: now
 from_branch: ${{ steps.merge_base.outputs.merge_base || inputs.from }}
 target_branch: ${{ inputs.into }}
- github_token: ${{ secrets.GITHUB_TOKEN }}
+ github_token: ${{ steps.app-token.outputs.token }}

 - name: Comment on failure
 uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
@@ -47,3 +55,4 @@ jobs:
 issue-number: 105153
 body: |
 Periodic merge from `${{ inputs.from }}` into `${{ inputs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
+ token: ${{ steps.app-token.outputs.token }}
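Review bot: The comment above the new create-github-app-token step documents the App's scope, but nothing in the step enforces it — the minted token carries whatever the installation grants today, and a later widening of the App's permissions silently flows into this job. The pinned v1.11.1 should accept per-permission inputs (verify against the README at that commit); if so, add `permission-contents: write` and `permission-pull-requests: write` under `with:` so the token matches the documented scope regardless of the installation. The same narrowing applies to the identical step in backport.yml. This step is also the only consumer of `secrets.NIXPKGS_CI_APP_PRIVATE_KEY`, so declaring it under `on.workflow_call.secrets` (outside this hunk) would make the caller's dependency explicit instead of relying on `secrets: inherit`.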
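Review bot: The `github_token:` line now hands an App token with contents:write on the repository to the third-party devmasx/merge-branch action, so that action's `uses:` pin (above this hunk, not visible here) and its handling of the token become the trust boundary for pushing to release branches. Keep that pin on a full commit SHA and review the pinned revision, or replace the action with a `run:` step that uses the token for a plain `git push`, which removes the third-party code from the push path. The step's `with:` block starts before the hunk.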