chore: replace PAT tokens with GitHub App token (#1198)

Replace secrets.PAT_TOKEN and secrets.AUTOMATION_ACCOUNT_PAT_TOKEN with
short-lived tokens generated by the agentcore-devx-automation GitHub App
(ID: 3637953) via actions/create-github-app-token@v1.

This improves security by using ephemeral tokens scoped to the
installation rather than long-lived personal access tokens.

Requires adding repo variable APP_ID=3637953 and repo secret
APP_PRIVATE_KEY with the app's RSA private key.

Author: aidandaly24

.github/workflows/agent-restricted.yml

@@ -66,6 +66,13 @@ jobs:
 
       - uses: actions/checkout@v6
 
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: Run Strands Agent
         uses: ./.github/actions/strands-action
         with:
@@ -78,6 +85,6 @@ jobs:
           agent_runner: ${{ inputs.agent_runner }}
           aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
           aws_region: 'us-west-2'
-          pat_token: ${{ secrets.PAT_TOKEN }}
+          pat_token: ${{ steps.app-token.outputs.token }}
         env:
           STRANDS_TOOLS_DIRECTORY: 'true'

.github/workflows/ci-failure-issue.yml

@@ -19,9 +19,16 @@ jobs:
     permissions:
       issues: write
     steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - uses: actions/github-script@v9
         with:
-          github-token: ${{ secrets.AUTOMATION_ACCOUNT_PAT_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             try {
               const workflowName = context.payload.workflow_run.name;