diff --git a/.github/workflows/dependabot-pr.yml b/.github/workflows/dependabot-pr.yml
index e53a6b94100..cd7bf272c1c 100644
--- a/.github/workflows/dependabot-pr.yml
+++ b/.github/workflows/dependabot-pr.yml
@@ -2,8 +2,7 @@ name: Approve & merge successful dependabot patch upgrade PRs
 on: pull_request
 
 permissions:
-  contents: write
-  pull-requests: write
+  pull-requests: read
 
 jobs:
   dependabot:
@@ -13,8 +12,6 @@ jobs:
       - name: Dependabot metadata
         id: metadata
         uses: dependabot/fetch-metadata@v1
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
       - name: Approve the PR & enable auto-merge
         if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' }}
         run: |
@@ -22,4 +19,4 @@ jobs:
           gh pr merge --auto --merge "$PR_URL"
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GH_TOKEN: ${{secrets.SERVO_DEPENDABOT_TOKEN}}