feat: use GitHub App token for release-please identity separation (#89)

Use patchloom-release App token for release-please so PRs are authored
by patchloom-release[bot] instead of github-actions[bot]. This fixes
the auto-approve self-approval deadlock (github-actions[bot] cannot
approve its own PRs) and enables CI to trigger on release PR updates
(GITHUB_TOKEN events are suppressed by GitHub).

- Add create-github-app-token step in release.yml
- Pass app token to release-please-action
- Add patchloom-release[bot] to auto-approve trusted actors

Closes #77

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/workflows/auto-approve.yml

@@ -21,7 +21,9 @@ jobs:
       pull-requests: write
     if: >-
       github.event.pull_request.user.login != 'github-actions[bot]' &&
-      (github.actor == 'SebTardif' || github.actor == 'dependabot[bot]')
+      (github.actor == 'SebTardif' ||
+       github.actor == 'dependabot[bot]' ||
+       github.actor == 'patchloom-release[bot]')
     steps:
       - name: Harden runner
         uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4

.github/workflows/release.yml

@@ -27,9 +27,15 @@ jobs:
       - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: audit
+      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
         id: release
         with:
+          token: ${{ steps.app-token.outputs.token }}
           config-file: release-please-config.json
           manifest-file: .release-please-manifest.json