ci: push changelog via deploy key, drop BOT_TOKEN dependency

PATs (fine- or coarse-grained) issued to bypass-team members were
the only way for the workflow to push past the PRS-ONLY ruleset,
and that came back to bite us when BOT_TOKEN expired. The ruleset
already allows any deploy key with bypass_mode:always, so swap to
that path:

  - actions/checkout uses ssh-key: CHANGELOG_DEPLOY_KEY, which
    auths the clone over SSH and configures origin for SSH push
  - the script reads PR metadata via secrets.GITHUB_TOKEN (the
    token has full read for pull_request_target and workflow_dispatch)
  - lock GITHUB_TOKEN to contents:read + pull-requests:read since
    we no longer need write
  - drop the https x-access-token push in favour of ssh-driven
    git push origin HEAD:master

Author: duzos

.github/workflows/append_changelog.yml

@@ -18,6 +18,9 @@ concurrency:
 jobs:
   append-changelog:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     # only proceed if merge event or manual run
     if: |
       (github.event_name == 'pull_request_target' && github.event.pull_request.merged == true) ||
@@ -28,7 +31,7 @@ jobs:
         with:
           fetch-depth: 0
           ref: master
-          token: ${{ secrets.BOT_TOKEN }}
+          ssh-key: ${{ secrets.CHANGELOG_DEPLOY_KEY }}
 
       - name: Set up Python
         uses: actions/setup-python@v4
@@ -41,14 +44,12 @@ jobs:
       - name: Run changelog updater
         env:
           GITHUB_REPOSITORY: ${{ github.repository }}
-          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+          BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_EVENT_PATH: ${{ github.event_path }}
         run: |
           python scripts/update_changelog.py \
             --pr-numbers "${{ github.event.inputs.pr_numbers }}"
       - name: Commit & push
-        env:
-          TOKEN: ${{ secrets.BOT_TOKEN }}
         run: |
           git config user.name "github-bot"
           git config user.email "bot@users.noreply.github.com"
@@ -58,4 +59,4 @@ jobs:
             exit 0
           fi
           git commit -m "docs: update CHANGELOG"
-          git push https://x-access-token:${TOKEN}@github.com/${{ github.repository }} HEAD:master
+          git push origin HEAD:master