ci: migrate GH_TOKEN_ADMIN to GitHub App token (#156)

## Summary
- Replace `GH_TOKEN_ADMIN` (long-lived PAT) with short-lived GitHub App
installation tokens via `actions/create-github-app-token@v3`.
- Each job that needed the token (`build_action`, `update-semver`) gets
its own token-generation step, since app tokens are revoked at job end.
- Uses the centrally-synced `GH_APP_CLIENT_ID` / `GH_APP_PRIVATE_KEY`
secrets managed by `splunk/addonfactory-sync-secrets`.

Made with [Cursor](https://cursor.com)

Author: mbruzda-splunk

.github/workflows/main.yml

@@ -48,6 +48,13 @@ jobs:
         with:
           submodules: recursive
           persist-credentials: false
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          client-id: ${{ secrets.GH_APP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
       - name: Install yq
         run: sudo snap install yq
       - name: Set up QEMU
@@ -90,7 +97,7 @@ jobs:
       - name: Semantic Release
         uses: splunk/semantic-release-action@v1.3
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         with:
           git_committer_name: ${{ secrets.SA_GH_USER_NAME }}
           git_committer_email: ${{ secrets.SA_GH_USER_EMAIL }}
@@ -105,9 +112,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          client-id: ${{ secrets.GH_APP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
       - uses: splunk/addonfactory-update-semver@v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         with:
           git_committer_name: ${{ secrets.SA_GH_USER_NAME }}
           git_committer_email: ${{ secrets.SA_GH_USER_EMAIL }}