feat: fetch GitHub App credentials from AWS Secrets Manager via OIDC #2

Closed
derekmisler wants to merge 2 commits into main from feat/oidc-secrets-manager

@derekmisler
Owner

What's changing

Replaces the three org-level secrets (CAGENT_REVIEWER_APP_ID, CAGENT_REVIEWER_APP_PRIVATE_KEY, CAGENT_ORG_MEMBERSHIP_TOKEN) with a single OIDC-based lookup from AWS Secrets Manager. Consumer repos no longer need those secrets configured — they only need id-token: write in their job permissions.

Why

Currently every one of the ~40 repos that uses these reusable workflows must have 3 org-level secrets manually configured and kept in sync. This is operationally fragile and creates unnecessary secret sprawl. The new approach:

  • Credentials live in one place: docker-agent-action/github-app in AWS Secrets Manager
  • Updates (e.g., app key rotation) happen once, instantly available to all consumers
  • No more secrets to manage in GitHub org settings for consumers

How it works

Each affected job now:

  1. Assumes the docker-agent-action-* IAM role via GitHub OIDC (id-token: write)
  2. Fetches the JSON secret docker-agent-action/github-app from Secrets Manager
  3. Masks all three values immediately after extraction
  4. Passes them to downstream steps as step outputs

The multi-line PEM private key is handled via a randomized heredoc delimiter to prevent content from colliding with the GITHUB_OUTPUT terminator.

Files changed

| File | Jobs updated |
| --- | --- |
| review-pr.yml | auto-review, manual-review, reply-to-feedback |
| reply-to-feedback.yml | reply |
| pr-describe.yml | generate-description |
| security-scan.yml | security-scan |
| self-review-pr.yml | auto-review, manual-review |

release.yml and update-docker-agent-version.yml are not changed — these are internal automation workflows that use the GitHub App for pushing commits and creating releases, not consumer-facing credential passing.

TODO_ROLE_ARN placeholder

The IAM role ARN is not known until the companion Terraform PR (docker/infra-terraform) is applied. Do not merge this PR until:

  1. The Terraform is applied and the role ARN is output
  2. TODO_ROLE_ARN in all 5 files is replaced with the actual ARN (e.g., arn:aws:iam::123456789012:role/docker-agent-action-abc123)

Deployment sequence

  1. Apply Terraform (companion PR in docker/infra-terraform) → creates IAM role + Secrets Manager secret shell
  2. Populate the secret manually: aws secretsmanager put-secret-value --secret-id docker-agent-action/github-app --secret-string '{"app_id":"...","private_key":"...","org_membership_token":"..."}'
  3. Replace TODO_ROLE_ARN in this PR with the output ARN from step 1
  4. Merge this PR after the repo rename from cagent-action → docker-agent-action (OIDC scope already uses repo:docker/*:* so the rename is safe)
  5. Update consumer repos — they only need to add id-token: write to the calling job; the 3 secrets can be removed from their config at any time (kept as required: false for backward compat)

Consumer repo changes required

# Before
jobs:
  review:
    uses: docker/cagent-action/.github/workflows/review-pr.yml@VERSION
    permissions:
      contents: read
      pull-requests: write
      issues: write
    secrets:
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
      CAGENT_ORG_MEMBERSHIP_TOKEN: ${{ secrets.CAGENT_ORG_MEMBERSHIP_TOKEN }}
      CAGENT_REVIEWER_APP_ID: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
      CAGENT_REVIEWER_APP_PRIVATE_KEY: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}

# After
jobs:
  review:
    uses: docker/docker-agent-action/.github/workflows/review-pr.yml@VERSION
    permissions:
      contents: read
      pull-requests: write
      issues: write
      id-token: write   # ← only addition needed
    secrets:
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
      # CAGENT_* secrets no longer needed
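
The masking and randomized heredoc delimiter described under "How it works", as an added example that is not code from this PR or its workflows. The function names, the `ghadelim_` prefix, the per-line masking approach and the sample key are assumptions made here for illustration.

```shell
#!/usr/bin/env bash
# Added example. SAMPLE_KEY is a constructed dummy value, not a real key.
SAMPLE_KEY='-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLUtFWQ==
-----END RSA PRIVATE KEY-----'

# Workflow commands are read one log line at a time, so a multi-line value
# is masked line by line; a single add-mask would only cover its first line.
mask_value() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    if [ -n "$line" ]; then printf '::add-mask::%s\n' "$line"; fi
  done
}

# Append "name<<DELIM / value / DELIM" to $GITHUB_OUTPUT with a fresh 128-bit
# random delimiter. The optional third argument overrides the delimiter and
# exists only to exercise the collision guard.
write_output() {
  name=$1 value=$2
  delim=${3:-"ghadelim_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"}
  case "$value" in
    *"$delim"*) echo "refusing $name: value contains delimiter" >&2; return 1 ;;
  esac
  { printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"; } >> "$GITHUB_OUTPUT"
}

# Stand-in for the runner reading the file back (assumption: handles only the
# name<<DELIM form), so the round trip can be checked offline.
read_output() {
  awk -v want="$2" '
    delim == "" { i = index($0, "<<")
                  if (i) { key = substr($0, 1, i - 1); delim = substr($0, i + 2) }
                  next }
    $0 == delim { if (key == want) exit; delim = ""; next }
    key == want { print }
  ' "$1"
}

# Outside Actions GITHUB_OUTPUT is unset, so fall back to a temp file.
: "${GITHUB_OUTPUT:=$(mktemp)}"
mask_value "$SAMPLE_KEY"
write_output private_key "$SAMPLE_KEY"
read_output "$GITHUB_OUTPUT" private_key | wc -l   # line count only, no key material
```

In a real job the mask commands must be emitted before any step can echo the values, and the fetched JSON itself should never be printed.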

Replace org-secret lookups with OIDC + Secrets Manager in all reusable
consumer-facing workflows. Each affected job now:

1. Assumes the docker-agent-action IAM role via OIDC (id-token: write)
2. Fetches { app_id, private_key, org_membership_token } from the
   docker-agent-action/github-app Secrets Manager secret
3. Passes those values to downstream steps instead of inherited secrets

Affected workflows:
  - review-pr.yml       (auto-review, manual-review, reply-to-feedback jobs)
  - reply-to-feedback.yml (reply job)
  - pr-describe.yml     (generate-description job)
  - security-scan.yml   (security-scan job)
  - self-review-pr.yml  (auto-review, manual-review jobs)

HAS_APP_SECRETS env var changed from dynamic secret check to hardcoded
'true' — credentials are always available via Secrets Manager.

Existing secrets: declarations on workflow_call kept as required: false
for backward compatibility with consumer repos not yet migrated.

TODO_ROLE_ARN must be replaced with the actual IAM role ARN after the
Terraform in docker/infra-terraform is applied.

Assisted-By: docker-agent
@derekmisler
Owner Author

/review
