infra: switch sync-motoko to pr-automation-bot-public GitHub App

[marc0olo]

Summary

Switches the Motoko release check workflow from using GITHUB_TOKEN with elevated permissions to the pr-automation-bot-public GitHub App, as required now that the repo is public.

Changes to .github/workflows/sync-motoko.yml:

• Remove job-level permissions: contents: write / pull-requests: write — no longer needed when using the app token
• Add actions/create-github-app-token step (using vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID and secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY) immediately after checkout
• Configure git remote URL with the app token before git push, so branch creation is authenticated via the bot
• Replace both secrets.GITHUB_TOKEN usages with steps.app-token.outputs.token (gh release view and gh pr create)

Closes #196

Next steps after merge

Trigger the Motoko release check workflow manually via workflow_dispatch to verify the bot creates the PR correctly for the pending Motoko v1.7.0 sync.

Sync recommendation

hand-written

[ggreif]

Looks complicated. I have recently applied a cleanups to motoko's mechanism, you should compare. It uses client_id instead of the (deprecated) app_id.

[marc0olo]

Feedback addressed:

• Switched from deprecated app-id to client-id (using vars.PR_AUTOMATION_BOT_PUBLIC_CLIENT_ID)
• Bumped actions/create-github-app-token pin to v3.1.1 (1b10c78c)

Note: this assumes PR_AUTOMATION_BOT_PUBLIC_CLIENT_ID exists as an org variable alongside the existing PR_AUTOMATION_BOT_PUBLIC_APP_ID. Bas will need to confirm/provision it if not.

[marc0olo]

needs confirmation of @basvandijk that PR_AUTOMATION_BOT_PUBLIC_CLIENT_ID exists or will be created. otherwise we should switch back to app-id for now and change later.

[basvandijk]

I just created PR_AUTOMATION_BOT_PUBLIC_CLIENT_ID.