feat(release): move release App credentials to the org and add demo_farm_openemr as a consumer

[kojiromike]

Two related cleanups to the release App's wiring:

• Identify the App by its client-id (stored as an org variable). The client-id isn't secret — it's on the App's public page. GitHub Actions has two distinct stores: secrets (write-only, redacted in logs, intended for credentials) and variables (readable, plain in logs, intended for non-sensitive configuration). The client-id belongs in a variable, both for honesty and so the value is inspectable in logs when debugging cross-repo dispatch.
• Automate demo-farm tag bump on release #710 adds a fourth consumer (openemr/demo_farm_openemr); the App needs to be installed there and added to RELEASE_APP_PRIVATE_KEY's selected-repos list as part of the same change.

Steps

• Create org variable RELEASE_APP_CLIENT_ID.
• In every workflow that mints the App token, replace the app-id: input (deprecated by actions/create-github-app-token) with client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}. Don't set both — the new input replaces the old one. Affected files:
  • openemr/openemr: release-prep.yml, release-permissions-check.yml
  • openemr/openemr-devops: release-rotation.yml (and any new release-app-using workflows from feat(ci): render Docker Hub readme from versions.yml at build time #715/ci: add manual workflow to validate DOCKERHUB_TOKEN before a build #716 that land first)
  • openemr/website-openemr: release-docs.yml
  • openemr/demo_farm_openemr: bump-tag.yml (new in feat(ci): automate production-demo tag bump on openemr-tag dispatch demo_farm_openemr#108)
• Install the App on openemr/demo_farm_openemr.
• Add openemr/demo_farm_openemr to RELEASE_APP_PRIVATE_KEY's selected-repos list.
• Delete the org secret RELEASE_APP_ID (no longer referenced).

Verification

• All release-app-using workflows still mint tokens.
• release-permissions-check's probe (after feat(release): dispatch openemr-tag to openemr/demo_farm_openemr openemr#12128) succeeds against demo_farm_openemr.
• Manual workflow_dispatch of bump-tag on openemr/demo_farm_openemr with the current tag succeeds (no-op, exercises auth).

Related

#664, #706, #710, openemr/demo_farm_openemr#108, openemr/openemr#12128, #584.

[kojiromike]

A fourth consumer is in flight: openemr/demo_farm_openemr (consumer side openemr/demo_farm_openemr#108, conductor side openemr/openemr#12128, refs #710). Folding "install the App on demo_farm_openemr + add it to RELEASE_APP_PRIVATE_KEY's selected-repos list" into this issue's scope so both moves land together — see updated body.

(Earlier draft of this comment misread the secret setup; ignore. The org-secret-with-selected-repos shape is already in place.)

[kojiromike]

@stephenwaite @bradymiller I hope you don't mind. I assigned this to y'all as it requires org permissions to do.

[stephenwaite]

okay @kojiromike, that's done