Use ephemeral token for check-aw-updates workflow (#60)

Replace actions/create-github-app-token with Elastic's ephemeral
GitHub tokens solution (Vault OIDC). Uses token-policy-8749eaab83f2
which grants contents:write, workflows:write, and pull_requests:write
on docs-actions, docs-content, and docs-content-internal.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: theletterf

.github/workflows/check-aw-updates.yml

@@ -5,16 +5,23 @@ on:
     - cron: '0 9 * * 1' # Weekly on Mondays at 9am UTC
   workflow_dispatch:
 
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   check-updates:
     name: Recompile lock files and open PR if changed
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
+      - name: Create ephemeral GitHub token
+        id: create-token
+        uses: elastic/oblt-actions/github/create-token@v1
+        with:
+          token-policy: token-policy-8749eaab83f2
+
       - uses: actions/checkout@v6
+        with:
+          token: ${{ steps.create-token.outputs.token }}
 
       - name: Save current lock file checksums
         run: |
@@ -41,7 +48,7 @@ jobs:
         if: steps.changes.outputs.changed == 'true'
         uses: peter-evans/create-pull-request@v7
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.create-token.outputs.token }}
           commit-message: |
             Update gh-aw lock files