diff --git a/.github/configs/cr.yaml b/.github/configs/cr.yaml
new file mode 100644
index 0000000..f47388b
--- /dev/null
+++ b/.github/configs/cr.yaml
@@ -0,0 +1,3 @@
+owner: grafana
+git-repo: helm-charts
+skip-existing: true
\ No newline at end of file
diff --git a/.github/configs/ct.yaml b/.github/configs/ct.yaml
new file mode 100644
index 0000000..30a94a1
--- /dev/null
+++ b/.github/configs/ct.yaml
@@ -0,0 +1,15 @@
+## Reference: https://github.com/helm/chart-testing/blob/master/doc/ct_lint-and-install.md
+remote: origin
+target-branch: main
+chart-dirs:
+- charts
+chart-repos:
+ - grafana=https://grafana.github.io/helm-charts
+ - minio=https://charts.min.io
+validate-chart-schema: true
+validate-maintainers: true
+validate-yaml: true
+exclude-deprecated: true
+excluded-charts: []
+namespace: meta-monitoring # Need to set the namespace because we create the secret there
+release-label: app.kubernetes.io/instance
\ No newline at end of file
diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml
index c0de7b2..1e105b6 100644
--- a/.github/workflows/helm-release.yml
+++ b/.github/workflows/helm-release.yml
@@ -8,6 +8,9 @@ env:
 CR_PACKAGE_PATH: "${{ github.workspace }}/.cr-release-packages"
 CR_TOOL_PATH: "${{ github.workspace }}/.cr-tool"
 CR_VERSION: "1.5.0"
+permissions:
+ contents: read
+ id-token: write
 jobs:
 setup:
 runs-on: ubuntu-latest
@@ -63,6 +66,11 @@ jobs:
 runs-on: ubuntu-latest
 if: needs.setup.outputs.changed == 'true'
 steps:
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ secrets.app-id }}
+ private-key: ${{ secrets.private-key }}
 - name: Checkout
 uses: actions/checkout@v4
 with:
@@ -81,7 +89,7 @@ jobs:
 fetch-depth: 0
 repository: grafana/helm-charts
 path: helm-charts
- token: "${{ secrets.GH_BOT_ACCESS_TOKEN }}"
+ token: "${{ steps.app-token.outputs.token }}"
 - name: Configure Git for helm-charts
 run: |
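Review bot: In `.github/configs/ct.yaml` the `chart-dirs` item is written flush with its key while the `chart-repos` items are indented, and both new config files end without a final newline. Use one sequence style throughout and end each file with a newline. A comment above `chart-repos` stating why the `minio` repository is listed (presumably a dependency of the chart under test) would help, because each entry is a source that CI pulls charts from.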
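Review bot: `id-token: write` is granted at workflow level in the `@@ -8,6 +8,9 @@` hunk of `helm-release.yml`, so every job, including `setup`, can request an OIDC token. Nothing in the visible hunks consumes one: `actions/create-github-app-token` is fed an app id and a private key from `secrets`. If a step outside these hunks does need OIDC, move the grant into that job's own `permissions:` block and keep the top level at `contents: read`; if none does, drop the line. A comment beside the permission naming its consumer, e.g. `# id-token: required by <step> for OIDC`, would make the intent reviewable.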
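Review bot: The `create-github-app-token` step added in the `@@ -63,6 +66,11 @@` hunk sets only `app-id` and `private-key`, and without `owner`/`repositories` inputs the action issues a token scoped to the repository the workflow runs in, while the later hunks use that token to check out `grafana/helm-charts`, publish a release there and push its index. Assuming the workflow runs in `grafana/meta-monitoring-chart`, add `owner: grafana` and `repositories: meta-monitoring-chart,helm-charts` under `with:` so the token covers exactly the two repositories it is used on. GitHub secret names may contain only alphanumerics and underscores, so `secrets.app-id` and `secrets.private-key` should be checked against how the secrets are actually provided (the trigger section is outside the hunk); if they resolve to empty strings this step fails. Because the step handles the App's private key, pin the action to a full commit SHA rather than the mutable `v1` tag.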
@@ -91,8 +99,6 @@ jobs:
 - name: Set up Helm
 uses: azure/setup-helm@v4
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
 - name: Parse Chart.yaml
 id: parse-chart
@@ -131,7 +137,7 @@ jobs:
 name: ${{ steps.parse-chart.outputs.tagname }}
 repository: grafana/meta-monitoring-chart
 tag_name: ${{ steps.parse-chart.outputs.tagname }}
- token: ${{ secrets.GH_BOT_ACCESS_TOKEN }}
+ token: ${{ steps.app-token.outputs.token }}
 generate_release_notes: true
 files: |
 ${{ env.CR_PACKAGE_PATH }}/${{ steps.parse-chart.outputs.packagename }}.tgz
@@ -145,7 +151,7 @@ jobs:
 name: ${{ steps.parse-chart.outputs.packagename }}
 repository: grafana/helm-charts
 tag_name: ${{ steps.parse-chart.outputs.packagename }}
- token: ${{ secrets.GH_BOT_ACCESS_TOKEN }}
+ token: ${{ steps.app-token.outputs.token }}
 body: |
 ${{ steps.parse-chart.outputs.desc }}
@@ -158,4 +164,4 @@ jobs:
 - name: Update helm-charts index.yaml
 run: |
 cd helm-charts
- "${CR_TOOL_PATH}/cr" index --config "${CR_CONFIGFILE}" --token "${{ secrets.GH_BOT_ACCESS_TOKEN }}" --index-path "${CR_INDEX_PATH}" --package-path "${CR_PACKAGE_PATH}" --push
\ No newline at end of file
+ "${CR_TOOL_PATH}/cr" index --config "${CR_CONFIGFILE}" --token "${{ steps.app-token.outputs.token }}" --index-path "${CR_INDEX_PATH}" --package-path "${CR_PACKAGE_PATH}" --push
\ No newline at end of file
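Review bot: The `cr index` line in the `@@ -158,4 +164,4 @@` hunk still splices the token into the script text with `${{ … }}`, so the secret is written into the generated shell script and passed on the command line; the commit changes where the token comes from but keeps that pattern. Hand it over through the step environment instead, with `env:` / `CR_TOKEN: ${{ steps.app-token.outputs.token }}` on the step, and drop `--token` from the command, since chart-releaser reads its flags from `CR_`-prefixed environment variables. If the flag is kept, reference the variable as `--token "${CR_TOKEN}"`, the way the paths on the same line are already passed.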