fix(ci): use GitHub App token for release-please

Release-please was using GITHUB_TOKEN to create and update PR #130.
GitHub suppresses pull_request events for pushes made with
GITHUB_TOKEN (to prevent recursive workflows), so the CI workflow
never triggered and the CI Gate required status check never appeared,
permanently blocking the release PR.

Switch to the attune-release-bot GitHub App token so release-please
PR pushes generate real pull_request events that trigger CI.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/workflows/release.yaml

@@ -38,11 +38,20 @@ jobs:
       - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: audit
+      # Use the GitHub App token so that release-please PR pushes
+      # trigger pull_request events (GITHUB_TOKEN suppresses them,
+      # which prevents the CI Gate status check from appearing).
+      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4
         id: release
         with:
           config-file: release-please-config.json
           manifest-file: .release-please-manifest.json
+          token: ${{ steps.app-token.outputs.token }}
 
   release:
     name: Release