Replace PAT usage with GitHub App Tokens

[carlocab]

Verification

• This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

Provide a detailed description of the proposed feature

We should replace usage of PATs (e.g. HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN) with GitHub App tokens. We can use this action to simplify its usage: https://github.com/actions/create-github-app-token

What is the motivation for the feature?

GitHub App tokens are ephemeral, which limits the blast radius when they get leaked.

How will the feature be relevant to at least 90% of Homebrew users?

This will make our CI more secure, which is relevant to 100% of Homebrew users.

What alternatives to the feature have been considered?

Continuing to use PATs.

[carlocab]

Here is an incomplete list of workflows that currently use PATs. It is not complete because I don't have all official repositories tapped. The list is relative to HOMEBREW_REPOSITORY.

❯ rg -uu -l -g'**/.github/workflows/*.yml' 'secrets\.HOMEBREW_([A-Z]*_)*TOKEN'
Library/Taps/homebrew/homebrew-cask-fonts/.github/workflows/google-fonts.yml
Library/Taps/homebrew/homebrew-cask-fonts/.github/workflows/automerge.yml
Library/Taps/homebrew/homebrew-cask-fonts/.github/workflows/autobump.yml
Library/Taps/homebrew/homebrew-cask-fonts/.github/workflows/rebase.yml
Library/Taps/homebrew/homebrew-cask-fonts/.github/workflows/dispatch-command.yml
Library/Taps/homebrew/homebrew-cask-fonts/.github/workflows/triage.yml
Library/Taps/homebrew/homebrew-cask-fonts/.github/workflows/rerun-workflow.yml
.github/workflows/docker.yml
.github/workflows/tests.yml
.github/workflows/sponsors-maintainers-man-completions.yml
.github/workflows/spdx.yml
.github/workflows/sorbet.yml
Library/Taps/homebrew/homebrew-cask/.github/workflows/sync-templates-and-ci-config.yml
Library/Taps/homebrew/homebrew-cask/.github/workflows/automerge.yml
Library/Taps/homebrew/homebrew-cask/.github/workflows/autobump.yml
Library/Taps/homebrew/homebrew-cask/.github/workflows/sync-labels.yml
Library/Taps/homebrew/homebrew-cask/.github/workflows/rebase.yml
Library/Taps/homebrew/homebrew-cask/.github/workflows/dispatch-command.yml
Library/Taps/homebrew/homebrew-cask/.github/workflows/bump-unversioned-casks.yml
Library/Taps/homebrew/homebrew-cask/.github/workflows/triage.yml
Library/Taps/homebrew/homebrew-cask/.github/workflows/rerun-workflow.yml
Library/Taps/homebrew/homebrew-core/.github/workflows/autobump.yml
Library/Taps/homebrew/homebrew-core/.github/workflows/dispatch-build-bottle.yml
Library/Taps/homebrew/homebrew-core/.github/workflows/publish-commit-bottles.yml
Library/Taps/homebrew/homebrew-core/.github/workflows/dispatch-rebottle.yml
Library/Taps/homebrew/homebrew-core/.github/workflows/create-replacement-pr.yml
Library/Taps/homebrew/homebrew-core/.github/workflows/recreate-linux-runners.yml
Library/Taps/homebrew/homebrew-core/.github/workflows/remove-disabled-formulae.yml

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.