diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 4c50c42..077911d 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -16,11 +16,19 @@ jobs:
   CLAAssistant:
     runs-on: ubuntu-latest
     steps:
-      - name: "CLA Assistant"
-        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.4.0
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+
+      - uses: contributor-assistant/github-action@v2.4.0
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby accept the CLA') || github.event_name == 'pull_request_target'
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # the default github token does not allow github action to create & push commit,
+          # instead, we need to use a github app to generate a token
+          # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           # the below token should have repo scope and must be manually added by you in the repository's secret
           # This token is required only if you have configured to store the signatures in a remote repository/organization
           # PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
@@ -36,8 +44,11 @@ jobs:
           #remote-repository-name: enter the  remote repository name where the signatures should be stored (Default is storing the signatures in the same repository)
           #create-file-commit-message: 'For example: Creating file for storing CLA Signatures'
           #signed-commit-message: 'For example: $contributorName has signed the CLA in $owner/$repo#$pullRequestNo'
-          custom-notsigned-prcomment: 'Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our [Contributor License Agreement](https://github.com/aiidateam/aiida-wannier90-workflows/blob/main/.cla/version1/CLA.md) before we can merge your contribution. You can sign the CLA by just copying the sentence below and posting it as a Pull Request Comment.'
-          custom-pr-sign-comment: 'I have read the CLA Document and I hereby sign the CLA'
-          #custom-allsigned-prcomment: 'pull request comment when all contributors has signed, defaults to **CLA Assistant Lite bot** All Contributors have signed the CLA.'
+          custom-notsigned-prcomment: 'Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you accept our [Contributor License Agreement](https://github.com/aiidateam/aiida-wannier90-workflows/blob/main/.cla/version1/CLA.md) before we can merge your contribution. You can accept the CLA by just copying the sentence below and posting it as a Pull Request Comment.'
+          custom-pr-sign-comment: 'I have read the CLA Document and I hereby accept the CLA'
+          custom-allsigned-prcomment: |
+            All contributors have signed the CLA ✍️ ✅
+            ---
+            <sub>You might need to click the button "Update" to update the pull request and rerun the GitHub actions to pass the CLA check.</sub>
           #lock-pullrequest-aftermerge: false - if you don't want this bot to automatically lock the pull request after merging (default - true)
           #use-dco-flag: true - If you are using DCO instead of CLA