diff --git a/.github/workflows/zitadel.yml b/.github/workflows/zitadel.yml
index 66b031a231..c374fb7049 100644
--- a/.github/workflows/zitadel.yml
+++ b/.github/workflows/zitadel.yml
@@ -48,6 +48,11 @@ jobs:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: tibdex/github-app-token@v1
+        id: generate-token
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
       - name: Google Artifact Registry Login
         if: steps.semantic.outputs.new_release_published == 'true' && github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
         uses: docker/login-action@v1
@@ -64,7 +69,7 @@ jobs:
           args: release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_TOKEN_TAP: ${{ secrets.GITHUB_TOKEN_TAP }}
+          GORELEASER_TOKEN_TAP: ${{ steps.generate-token.outputs.token }}
           RELEASE_VERSION: ${{ steps.semantic.outputs.release-version }} # I think this line is not needed. Nevertheless, it's explicit
       - name: Publish go coverage
         uses: codecov/codecov-action@v3.1.0
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index dc37e81798..23392d0eee 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -68,7 +68,7 @@ brews:
   - tap:
       owner: zitadel
       name: zitadel-tap
-      token: "{{ .Env.GITHUB_TOKEN_TAP }}"
+      token: "{{ .Env.GORELEASER_TOKEN_TAP }}"
     folder: Formula
     goarm: "7"
     homepage:  https://zitadel.ch