diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1c179c7e..6c33086d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -50,6 +50,12 @@ jobs:
       - uses: peter-evans/create-pull-request@v7
         if: github.event_name != 'pull_request' && github.repository_owner == 'aya-rs'
         with:
+          # GitHub actions aren't allowed to trigger other actions to prevent
+          # abuse; the canonical workaround is to use a sufficiently authorized
+          # token.
+          #
+          # See https://github.com/peter-evans/create-pull-request/issues/48.
+          token: ${{ secrets.CRABBY_GITHUB_TOKEN }}
           branch: create-pull-request/public-api
           commit-message: 'public-api: regenerate'
           title: 'public-api: regenerate'
diff --git a/.github/workflows/gen.yml b/.github/workflows/gen.yml
index b8696675..14d10ff7 100644
--- a/.github/workflows/gen.yml
+++ b/.github/workflows/gen.yml
@@ -41,6 +41,12 @@ jobs:
 
       - uses: peter-evans/create-pull-request@v7
         with:
+          # GitHub actions aren't allowed to trigger other actions to prevent
+          # abuse; the canonical workaround is to use a sufficiently authorized
+          # token.
+          #
+          # See https://github.com/peter-evans/create-pull-request/issues/48.
+          token: ${{ secrets.CRABBY_GITHUB_TOKEN }}
           branch: create-pull-request/codegen
           commit-message: |
             aya-obj, aya-ebpf-bindings: regenerate