chore: replace PAT token with GitHub App token (#179)

Replace secrets.PAT_TOKEN with a short-lived token generated by the
agentcore-devx-automation GitHub App (ID: 3637953) via
actions/create-github-app-token@v1.

This improves security by using ephemeral tokens scoped to the
installation rather than long-lived personal access tokens.

Requires adding repo variable APP_ID=3637953 and repo secret
APP_PRIVATE_KEY with the app's RSA private key.

Author: aidandaly24

.github/workflows/agent-restricted.yml

@@ -66,6 +66,13 @@ jobs:
 
       - uses: actions/checkout@v6
 
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: Run Strands Agent
         uses: ./.github/actions/strands-action
         with:
@@ -78,6 +85,6 @@ jobs:
           agent_runner: ${{ inputs.agent_runner }}
           aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
           aws_region: 'us-west-2'
-          pat_token: ${{ secrets.PAT_TOKEN }}
+          pat_token: ${{ steps.app-token.outputs.token }}
         env:
           STRANDS_TOOLS_DIRECTORY: 'true'