diff --git a/.github/workflows/dashboards-issue-add-label.yml b/.github/workflows/dashboards-issue-add-label.yml
index 766c89c7242..95abce4355b 100644
--- a/.github/workflows/dashboards-issue-add-label.yml
+++ b/.github/workflows/dashboards-issue-add-label.yml
@@ -3,8 +3,11 @@ on:
 issues:
 types: [opened, closed, edited, reopened, assigned, unassigned, labeled, unlabeled]
+permissions:
+ contents: read
+ id-token: write
+
 env:
- GITHUB_TOKEN: ${{ secrets.ISSUE_COMMANDS_TOKEN }}
 ORGANIZATION: ${{ github.repository_owner }}
 REPO: ${{ github.event.repository.name }}
 TARGET_PROJECT: 202
@@ -13,27 +16,28 @@ env:
 concurrency:
 group: issue-label-when-in-project-${{ github.event.number }}
 jobs:
- config:
- runs-on: "ubuntu-latest"
- outputs:
- has-secrets: ${{ steps.check.outputs.has-secrets }}
- steps:
- - name: "Check for secrets"
- id: check
- shell: bash
- run: |
- if [ -n "${{ (secrets.ISSUE_COMMANDS_TOKEN != '') || '' }}" ]; then
- echo "has-secrets=1" >> "$GITHUB_OUTPUT"
- fi
-
 main:
- needs: config
- if: needs.config.outputs.has-secrets
+ if: github.repository == 'grafana/grafana'
 runs-on: ubuntu-latest
 steps:
- - name: log in
- run: gh api user -q .login
+ - name: "Get vault secrets"
+ id: vault-secrets
+ uses: grafana/shared-workflows/actions/get-vault-secrets@main
+ with:
+ # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
+ repo_secrets: |
+ GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+ GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
+
+ - name: "Generate token"
+ id: generate_token
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+ with:
+ app_id: ${{ env.GH_APP_ID }}
+ private_key: ${{ env.GH_APP_PEM }}
 - name: Check if issue is in target project
+ env:
+ GH_TOKEN: ${{ steps.generate_token.outputs.token }}
 run: |
 gh api graphql -f query='
 query($org: String!, $repo: String!) {
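Review bot: The new workflow-level `permissions` block grants `id-token: write` without saying why, and the reason (presumably the OIDC exchange performed by the `get-vault-secrets` step in the next hunk) is not visible from this hunk. A one-line comment above it, `# id-token: write is needed for the OIDC login to Vault in the get-vault-secrets step`, would keep a later maintainer from dropping it or reading it as broader than intended. Since `main` is now the only job, workflow scope is equivalent to job scope here; if a second job is ever added, move the block under `jobs.main` so `id-token: write` stays confined to the job that actually mints the token.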
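Review bot: `uses: grafana/shared-workflows/actions/get-vault-secrets@main` pulls a mutable branch ref for the step that fetches the GitHub App private key, while `tibdex/github-app-token` two steps below is pinned to a full commit SHA; both steps should follow the same pinning rule. Pin it to a commit with the version noted in a trailing comment, e.g. `uses: grafana/shared-workflows/actions/get-vault-secrets@<commit-sha> # <tag>` (placeholders), so a change on `main` cannot silently alter how `GH_APP_PEM` is fetched and exported. The PEM is then read back via `${{ env.GH_APP_PEM }}`, i.e. it lives in the job environment where every later step can read it; that is inherent to this action's design, but a comment on the `repo_secrets` block saying so would help a reviewer scope what the later steps can access. The step-level `GH_TOKEN` env is correctly placed per step rather than at job level, since the `steps` context is not available in job-level `env`; the same pattern recurs in the hunk at `@@ -62,6 +66,8 @@`.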
@@ -62,6 +66,8 @@ jobs:
 done
 - name: Add label to issue
 if: env.IN_TARGET_PROJ
+ env:
+ GH_TOKEN: ${{ steps.generate_token.outputs.token }}
 run: |
 gh api graphql -f query='
 mutation ($labelableId: ID!, $labelIds: [ID!]!) {
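Review bot: The step-level `GH_TOKEN` added here is required because the workflow-level `GITHUB_TOKEN` env was removed in the first hunk, so every step in this job that runs `gh` must now carry the same `env` entry; the region between the previous hunk and this one (new lines 44–65) is not shown, so please confirm no `gh` call there is left without a token. A short comment on the new line, `# gh authenticates with the App token minted by the generate_token step`, would make the dependency on that step id explicit for whoever next edits the step order. The enclosing steps list starts and ends outside the hunk.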