ci: Replace ad-m/github-push-action@master with native git push

The plugin-SDK auto-bump workflow used ad-m/github-push-action pinned
to the upstream master branch. That is a textbook CWE-829: a
supply-chain compromise of the action's master would inject arbitrary
shell into every Ethereum-plugin auto-PR run, with write access to
every LedgerHQ/app-plugin-* repository through the CI bot token.

Pinning to a SHA would reduce but not remove that risk. Instead,
replace the action with the same `git remote set-url` + `git push`
pattern already used by ledger-app-workflows'
_open_pr_with_new_snapshots.yml. The push step now runs only the
shell visible in this file and uses the same CI_BOT_TOKEN as
before.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: cedelavergne-ledger

.github/workflows/pr_on_all_plugins.yml

@@ -126,18 +126,21 @@ jobs:
           echo "Branch Name: $branch_name"
           echo "Title: $title"
           git status
+          git checkout -b "$branch_name"
           git commit -am "$title"
           # Set output
           echo "title=$title" >> $GITHUB_OUTPUT
           echo "branch_name=$branch_name" >> $GITHUB_OUTPUT
 
       - name: Push commit
-        uses: ad-m/github-push-action@master
-        with:
-          github_token: ${{ secrets.CI_BOT_TOKEN }}
-          branch: ${{ steps.commit-changes.outputs.branch_name }}
-          repository: LedgerHQ/${{ matrix.repo }}
-          force: true
+        env:
+          GH_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
+        run: |
+          # Push the branch via the CI bot token.
+          branch_name="${{ steps.commit-changes.outputs.branch_name }}"
+          git remote set-url origin \
+            "https://x-access-token:${GH_TOKEN}@github.com/LedgerHQ/${{ matrix.repo }}.git"
+          git push -u origin "$branch_name" --force
 
       - name: Create 'auto' label if missing
         run: |