
ci: authenticate release pushes via GitHub App token#52

Merged
aliasunder merged 1 commit into main from claude/bootstrap-vault-setup-UP2Ya on May 19, 2026

Conversation

@aliasunder aliasunder (Owner) commented May 19, 2026

Summary

  • Adds actions/create-github-app-token@v3 to both release workflows to mint an installation token from the vault-cortex-release GitHub App.
  • Passes the App token to actions/checkout, so git push calls later in the job use the App's auth.
  • The App is on the ruleset bypass list, so direct pushes to main go through without disabling protection.

Why

The default GITHUB_TOKEN cannot be added to ruleset bypass lists — by GitHub design, to prevent any workflow from circumventing protection. The Require code scanning results rule was the immediate blocker (catch-22: CodeQL only scans after a push lands on main), but Require a pull request before merging and Require status checks to pass would also block direct release pushes.

A GitHub App with Contents: write is the officially recommended workaround. The App's installation token is treated as a separate actor that CAN be bypassed by ruleset, scoped per App, rotatable, and auditable.

Prerequisites (already configured)

  • GitHub App vault-cortex-release created with Contents: read and write and Workflows: read and write, installed on this repo.
  • Repo secrets RELEASE_APP_ID and RELEASE_APP_PRIVATE_KEY populated.
  • App added to the main branch ruleset's bypass list.

Affected workflows

  • manual_release.yml: bump-and-tag job (push of version-bump commit + tag) and release job (changelog push).
  • auto_release.yml: release job (changelog push).

Test plan

  • CI green on this PR (no behavior changes for non-release runs).
  • After merge, trigger Manual Release with patch bump → expect v0.15.2 to ship without touching ruleset rules.
  • Verify the release commit + tag land on main and the GitHub release is created.
  • Confirm the CHANGELOG commit also lands (second push in the release job).

https://claude.ai/code/session_01K8eXF8Fe3gjCR5e2ndU2Wo


Generated by Claude Code

Mints an installation token via actions/create-github-app-token@v3 and
passes it to actions/checkout so subsequent git pushes inherit the App's
auth. The App is in the ruleset bypass list, so direct pushes to main
bypass the protection without disabling rules.

Replaces the previous reliance on GITHUB_TOKEN, which cannot be added to
bypass lists by design and was blocked by "Require code scanning results"
on the version-bump and changelog-update pushes.

Requires repo secrets RELEASE_APP_ID and RELEASE_APP_PRIVATE_KEY.

https://claude.ai/code/session_01K8eXF8Fe3gjCR5e2ndU2Wo
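The wiring described in this PR, as an added illustration rather than the repository's own workflow file: the job names, the step bodies, the VERSION file and the bump helper script are assumptions; the action, the App name and the two secret names come from the PR description.

```yaml
# Added example, not vault-cortex's manual_release.yml. Step names, the
# VERSION file and scripts/bump-version.sh are assumed for illustration.
name: Manual Release
on:
  workflow_dispatch:
    inputs:
      bump:
        description: "Version bump (patch, minor, major)"
        default: patch

# Keep the default GITHUB_TOKEN read-only: it cannot sit on a ruleset bypass
# list anyway, and the App token below is the only thing that should push.
permissions:
  contents: read

jobs:
  bump-and-tag:
    runs-on: ubuntu-latest
    steps:
      - name: Mint installation token from the vault-cortex-release App
        id: app-token
        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
          # Narrow the short-lived token to what this job needs, even though
          # the App itself was installed with Workflows: write as well.
          permission-contents: write

      - name: Check out with the App token so later git pushes use the App's auth
        uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
          persist-credentials: true   # leaves the App token in the git remote config

      - name: Bump version, tag, and push to main as the App actor
        env:
          BUMP: ${{ github.event.inputs.bump }}
        run: |
          git config user.name "vault-cortex-release[bot]"                         # assumed identity
          git config user.email "vault-cortex-release[bot]@users.noreply.github.com" # assumed identity
          ./scripts/bump-version.sh "$BUMP"   # assumed helper: rewrites VERSION
          VERSION="$(cat VERSION)"
          git commit -am "chore(release): v${VERSION}"
          git tag "v${VERSION}"
          # Direct push to the protected branch succeeds because the App is on the
          # ruleset bypass list; the commit and tag are attributed to the App in the audit log.
          git push origin HEAD:main "v${VERSION}"
```

The minted token expires on its own after the job, and the audit log records the push under the App rather than under github-actions, which is what makes this path reviewable compared with relaxing the ruleset.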
@aliasunder aliasunder merged commit 3c0ed73 into main May 19, 2026
5 checks passed
@aliasunder aliasunder deleted the claude/bootstrap-vault-setup-UP2Ya branch May 19, 2026 13:52
