diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index db04fef5..70f3c80a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,18 +4,34 @@ updates:
     directory: "/"
     schedule:
       interval: daily
+    groups:
+      actions:
+        patterns:
+          - "*"
 
   - package-ecosystem: github-actions
     directory: "/.github/actions/build-api-doc"
     schedule:
       interval: daily
+    groups:
+      actions:
+        patterns:
+          - "*"
 
   - package-ecosystem: github-actions
     directory: "/.github/actions/setup-node"
     schedule:
       interval: daily
+    groups:
+      actions:
+        patterns:
+          - "*"
 
   - package-ecosystem: github-actions
     directory: "/.github/actions/setup-python"
     schedule:
       interval: daily
+    groups:
+      actions:
+        patterns:
+          - "*"
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index a63de9d0..0cd38ca1 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -35,7 +35,7 @@ jobs:
       - uses: release-drafter/release-drafter@v5
         id: release-drafter
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 
       - name: Update Changelog
         uses: docker://ghcr.io/nonebot/auto-changelog:master
@@ -60,6 +60,13 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
     steps:
+      - name: Generate token
+        id: generate-token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.APP_KEY }}
+
       - uses: actions/checkout@v4
 
       - name: Setup Python Environment
@@ -80,15 +87,17 @@ jobs:
           tag: ${{ env.TAG_NAME }}
           publish: true
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 
       - name: Build and Publish Package
         run: |
           poetry build
-          poetry publish -u ${{secrets.PYPI_USERNAME}} -p ${{secrets.PYPI_PASSWORD}}
           gh release upload --clobber ${{ env.TAG_NAME }} dist/*.tar.gz dist/*.whl
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+
+      - name: Publish package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
 
       - name: Build and Publish Doc Package
         run: |
@@ -97,7 +106,11 @@ jobs:
           cd packages/nonebot-plugin-docs/
           poetry version $NONEBOT_VERSION
           poetry build
-          poetry publish -u ${{secrets.PYPI_USERNAME}} -p ${{secrets.PYPI_PASSWORD}}
           gh release upload --clobber ${{ env.TAG_NAME }} dist/*.tar.gz dist/*.whl
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+
+      - name: Publish Doc Package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: packages/nonebot-plugin-docs/