dependabot · truggeri · Mar 25, 2026 · Feb 20, 2026 · Mar 9, 2026 · Mar 9, 2026
@@ -41,11 +41,11 @@ Supported inputs are:
 - `github-token` (string)
   - The `GITHUB_TOKEN` secret
   - Defaults to `${{ github.token }}`
-  - Note: this must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) if you enable `alert-lookup` or `compat-lookup`.
+  - Note: this must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or an [installation access token (App Token)](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app) if you enable `alert-lookup` or `compat-lookup`.
 - `alert-lookup` (boolean)
   - If `true`, then populate the `alert-state`, `ghsa-id` and `cvss` outputs.
   - Defaults to `false`
-  - Note: the `github-token` field must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).
+  - Note: the `github-token` field must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or an [installation access token (App Token)](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app). For more details, see [this](#use-with-app-token)
 - `compat-lookup` (boolean)
   - If `true`, then populate the `compatibility-score` output.
   - Defaults to `false`
@@ -186,6 +186,40 @@ jobs:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
 ```
 
+### Use with App Token
+First, create a [GitHub App](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps) and set the appropriate permissions.
+
+For example, to use the features below, the minimum [permissions](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/choosing-permissions-for-a-github-app) required for the GitHub App are as follows:
+
+- `alert-lookup` : `Dependabot alerts: Read only`
+
+Please add any necessary permissions for your job as needed.
+
+The following is an example of using an [installation access token (App Token)](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app) in `github-token`.
+
+```yml
+on: pull_request
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
+    steps:
+      - uses: actions/create-github-app-token@v2
+        id: app-token
+        with:
+          # Store these as repository or organization GitHub Dependabot secrets
+          # (e.g. Settings → Secrets and variables → Dependabot → GH_APP_ID, GH_APP_PRIVATE_KEY)
+          app-id: ${{ secrets.GH_APP_ID }} # GitHub App ID
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} # GitHub App Private key
+
+      - name: Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ steps.app-token.outputs.token }}
+          alert-lookup: true
+```
+
 ## Notes for project maintainers:
 
 <details><summary>:book: Release guide</summary>