Create GH App for weekly tag scan workflow

[egrace479]

From @thompsonmj:

OK, for the Catalog, I think GitHub App is good. Using the PAT is functional but obviously incorrect in attribution. To solve it, we can make a narrow org-owned GitHub App installed only on the Catalog repo with write permissions for content and PRs and mint short-lived installation tokens [ref1, ref2]. Then the PRs will come from a bot rather than a person.

The weekly run should make a new token each time and it's OK if the old token expires ... just needs to survive for long enough to finish its job then 🪦 (harsh, but that's nature).
As long as the app has write permissions for PRs, it can create and edit the body and titles and write permissions for contents it can update and push the branches. So it should still work with the weekly cadence as a bot.
Here's a supporting series of steps:

1. Create an org-owned GitHub App for the tag scan automation.
2. Install it only on the Catalog repo.
3. Give it the narrow permissions it needs: contents: write to update/push the tag-scan branch, and pull_requests: write to create/edit the PR.
4. Each weekly workflow run mints a fresh GitHub App installation token using the App credentials.
5. The workflow uses that token to push the updated tag-scan branch.
6. It then either opens a new [Tag Scan] PR or edits the existing open one.
7. The token expires after the run; next week the workflow mints a new one.

This should preserve behavior and fix attribution.

And relevant docs:

• Register App, store App ID and private key, install on the right account/repo, create installation access token in workflow [ref]
• Installation tokens scoped to App installation's repos/permissions and expire after 1h [ref]
• For PR, create a PR and update a PR both work with a GitHub App installation access token and require the PR repo write permissions [ref]

[egrace479]

The app should also be usable for the daily version release scans. This will basically be a Catalog Automation App. The version scan just uses a standard GH token.

[egrace479]

From what I can tell, it looks like we need to add this GitHub Action to be triggered by this line of the tag-scan workflow to get a PR token from the App.

• Specifically, should be this workflow, though for extra security we may want to use the scoped version (permissions would still match those of the App and editors are limited).
• Notes on how it works. It is a temporary token that cannot be moved out of the workflow it's used for.

For this to work, the App Client ID must be stored as a variable and the App's private key as a secret.

Together that will allow for the Authentication as an App, so the PR is clearly automated and not opened as me.

[egrace479]

I followed this guide while "creating" the App (registering it). It has no associated code, no webhooks, and is private within the Imageomics Org.