
[OPS-1301] Use baton-ci app token in capabilities.yaml#42

Merged: ennyjfrick merged 1 commit into main from ennyfrick/ops-1301-baton-ci-migration on May 4, 2026

Conversation

@ennyjfrick (Contributor)

Replace the long-lived RELENG_GITHUB_TOKEN PAT with a short-lived baton-ci app token scoped to the current repo.

Mirrors the OPS-1300 templated workflow pattern. With the Connector Rules ruleset hardened, the legacy PAT only continues to work because of the temp org-admin mitigation; this PR replaces it with the proper App-token bypass actor before that mitigation is removed.

Linear: OPS-1301

🤖 Generated with Claude Code

Replace the long-lived RELENG_GITHUB_TOKEN PAT with a short-lived
baton-ci app token scoped to the current repo. Mirrors the OPS-1300
templated workflow pattern; needed before the temp org-admin
mitigation can safely be removed.

Linear: https://linear.app/ductone/issue/OPS-1301

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ennyjfrick ennyjfrick requested a review from a team April 30, 2026 15:41
@linear Bot commented Apr 30, 2026

@github-actions Bot (Contributor) commented Apr 30, 2026

Claude finished @ennyjfrick's task in 44s


PR Review: [OPS-1301] Use baton-ci app token in capabilities.yaml

  • Gather context and read changed files
  • Review PR changes
  • Post review feedback

Verdict: Looks good

This is a clean, well-scoped security improvement — replacing a long-lived PAT (RELENG_GITHUB_TOKEN) with a short-lived GitHub App token minted per-run via actions/create-github-app-token@v2.

What's correct

  • Step ordering: The token-minting step is correctly placed before checkout, since it doesn't require a working copy.
  • Repo scoping: repositories: ${{ github.event.repository.name }} limits the token to just this repo — good least-privilege practice.
  • Downstream usage: The EndBug/add-and-commit@v9 step (line 43) inherits the token from the checkout step by default, so the minted app token will be used for the commit push as well. No additional token wiring needed.
  • Action version: Uses v2 of create-github-app-token, which is the current major version.

Minor observation

  • release.yaml still references RELENG_GITHUB_TOKEN. That may already be tracked under a separate ticket (or may be handled by the templated workflow pattern mentioned in the PR description), but worth confirming that workflow is also on the migration path before the org-admin mitigation is removed.

No issues found

No bugs, security concerns, or correctness problems with this change. Ship it.
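The before/after fragment below is an added illustration of the migration the review describes; it is not the PR's diff and not the repository's actual capabilities.yaml. It assumes the old workflow passed the PAT to actions/checkout via `token:`, uses hypothetical secret names `BATON_CI_APP_ID` and `BATON_CI_APP_PRIVATE_KEY` for the App credentials, and adds the `permission-contents` input of actions/create-github-app-token v2 as a further least-privilege restriction that the review does not mention.

```yaml
# BEFORE (weak setting): a long-lived org-wide PAT stored as a repo secret.
# The credential outlives every job that uses it and is not scoped to this
# repository, so the ruleset bypass it grants is far wider than the push needs.
jobs:
  capabilities:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.RELENG_GITHUB_TOKEN }}   # PAT: long-lived, broad scope
      - uses: EndBug/add-and-commit@v9
        with:
          message: "Update capabilities"

---
# AFTER: mint a GitHub App installation token per run, scoped to this repo.
# The token is created before checkout (no working copy needed) and expires
# on its own; the only stored secret is the App's private key.
jobs:
  capabilities:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # the job's default GITHUB_TOKEN stays read-only
    steps:
      - id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.BATON_CI_APP_ID }}               # hypothetical secret name
          private-key: ${{ secrets.BATON_CI_APP_PRIVATE_KEY }} # hypothetical secret name
          repositories: ${{ github.event.repository.name }}    # only this repo
          permission-contents: write                           # only what the push needs;
                                                               # omit and the token carries
                                                               # every permission the App has
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
          # persist-credentials defaults to true, so the add-and-commit push
          # below reuses this token without further wiring
      - uses: EndBug/add-and-commit@v9
        with:
          message: "Update capabilities"
```

Because the App is the bypass actor on the hardened ruleset, it is the App's installation (and its permissions), not the workflow, that decides what the push may do; keeping `repositories` and the `permission-*` inputs as narrow as the job needs is what makes the per-run token a real least-privilege improvement over the PAT. For the review's remaining point, a grep of `.github/workflows` for `RELENG_GITHUB_TOKEN` is the quick way to confirm that release.yaml (and any other workflow) is on the migration path before the org-admin mitigation is removed.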

@ennyjfrick ennyjfrick merged commit 2487f3d into main May 4, 2026
3 of 4 checks passed
@ennyjfrick ennyjfrick deleted the ennyfrick/ops-1301-baton-ci-migration branch May 4, 2026 18:07
