Build/Test Tools: Re-add GitHub App.

Without this, workflow runs are not triggered by commits made by the workflow.

Follow up to [59983], [60052], [60059], [60063], [60064].

See #62221.

git-svn-id: https://develop.svn.wordpress.org/trunk@60065 602fd350-edb4-49c9-b593-d223f7449a82

Author: desrosj

.github/workflows/commit-built-file-changes.yml

@@ -24,6 +24,7 @@ jobs:
   # - Attempts to download the artifact containing the PR diff.
   # - Checks for the existence of an artifact.
   # - Unzips the artifact.
+  # - Generates a token for authenticating with the GitHub App.
   # - Checks out the repository.
   # - Applies the patch file.
   # - Displays the result of git diff.
@@ -83,6 +84,42 @@ jobs:
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
         run: unzip pr-built-file-changes.zip
 
+      - name: Generate Installation Token
+        id: generate_token
+        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
+        env:
+          GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+          GH_APP_PRIVATE_KEY: ${{ secrets.GH_PR_BUILT_FILES_PRIVATE_KEY }}
+        run: |
+          echo "$GH_APP_PRIVATE_KEY" > private-key.pem
+
+          # Generate JWT
+          JWT=$(python3 - <<EOF
+          import jwt, time
+          private_key = open("private-key.pem", "r").read()
+          payload = {
+              "iat": int(time.time()),
+              "exp": int(time.time()) + 600,  # 10-minute expiration
+              "iss": $GH_APP_ID
+          }
+          print(jwt.encode(payload, private_key, algorithm="RS256"))
+          EOF
+          )
+
+          # Get Installation ID
+          INSTALLATION_ID=$(curl -s -X GET -H "Authorization: Bearer $JWT" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/app/installations | jq -r '.[0].id')
+
+          # Request Installation Access Token
+          ACCESS_TOKEN=$(curl -s -X POST -H "Authorization: Bearer $JWT" \
+            -H "Accept: application/vnd.github.v3+json" \
+            "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" | jq -r '.token')
+
+          echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
+
+          rm -f private-key.pem
+
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
@@ -91,6 +128,7 @@ jobs:
           ref: ${{ github.event.workflow_run.head_branch }}
           path: 'pr-repo'
           show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          token: ${{ env.ACCESS_TOKEN }}
 
       - name: Apply patch
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
@@ -105,9 +143,11 @@ jobs:
       - name: Configure git user name and email
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
         working-directory: 'pr-repo'
+        env:
+          GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
         run: |
-          git config user.name "WordPress Build Script Bot[bot]"
-          git config user.email [email protected]
+          git config user.name "wordpress-develop-pr-bot[bot]"
+          git config user.email ${{ env.GH_APP_ID }}+wordpress-develop-pr-bot[bot]@users.noreply.github.com
 
       - name: Stage changes
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}