ci: changesets release uses github app token (#770)

Route changesets/action through the GitHub App token so the
"Version Packages" PR is authored by the App and therefore triggers
CI (test, check-dist, zizmor). The default GITHUB_TOKEN cannot trigger
downstream workflow runs regardless of its permission scopes. Job
permissions are left intact; the App token is scoped to contents and
pull-requests writes.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: andykenward

.github/workflows/release.yml

@@ -31,10 +31,17 @@ jobs:
         with:
           persist-credentials: false
       - uses: ./.github/actions/setup-pnpm
+      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 #v3.2.0
+        id: app-token
+        with:
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          permission-contents: write # push the version/CHANGELOG commit, tags, and GitHub releases
+          permission-pull-requests: write # create/update the Version Packages PR
       - name: Create Release Pull Request
         id: changesets
         uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b #v1.8.0
         with:
           publish: pnpm release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}