renovate: Use GitHub app to retrieve a token

As Renovate will run with a different token, there is no need for
specific workflow permissions anymore.

Instead the GitHub app should have sufficient permissions to create a
PullRequest on the repo.

See https://github.com/actions/create-github-app-token/blob/main/README.md
on instructions how to add the GitHub App.

Please note we need to configure following on the repo settings:

variable RENOVATE_APP_ID
secret   RENOVATE_PRIVATE_KEY

I named it specific like this so we can dedicate this app specifically
to Renovate and therefore also keep permissions limited to the Renovate
usecase.

Signed-off-by: Marco Franssen <[email protected]>

Author: marcofranssen

.github/workflows/renovate.yaml

@@ -15,21 +15,23 @@ jobs:
   renovate:
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: write
-      pull-requests: write
-
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
+      - uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        id: app-token
+        with:
+          app-id: ${{ vars.RENOVATE_APP_ID }}
+          private-key: ${{ secrets.RENOVATE_PRIVATE_KEY }}
+
       - name: Self-hosted Renovate
         uses: renovatebot/github-action@e084b5ac6fd201023db6dd7743aec023babb02c8 # v41.0.13
         with:
           configurationFile: ".github/renovate-config.js"
           token: "${{ secrets.GITHUB_TOKEN }}"
         env:
           LOG_LEVEL: ${{ env.ACTIONS_STEP_DEBUG == 'true' && 'debug' || 'info' }}
-          RENOVATE_REPOSITORIES: ${{ github.repository }}
+          RENOVATE_REPOSITORIES: ${{ steps.app-token.outputs.token }}
           RENOVATE_ALLOW_SCRIPTS: true
           RENOVATE_SEPARATE_MAJOR_MINOR: false