Harden APM auth: also set GITHUB_APM_PAT when github-app is configured #23148
Description
Context
We identified and fixed a token shadowing bug in apm-action v1.4.0 that broke dependencies.github-app users (see microsoft/apm-action#21). The root cause was apm-action auto-setting GITHUB_APM_PAT to the default ${{ github.token }}, which shadowed the GitHub App token that gh-aw places in GITHUB_TOKEN.
The apm-action fix (only setting GITHUB_APM_PAT when GITHUB_TOKEN is not already present) resolves the issue. However, gh-aw can add a belt-and-suspenders defense so it is resilient to any future apm-action token-forwarding changes.
What to do
In pkg/workflow/apm_dependencies.go, GenerateAPMPackStep(), when github-app is configured, also emit GITHUB_APM_PAT alongside GITHUB_TOKEN:
```go
// Current (lines ~128-133):
if apmDeps.GitHubApp != nil {
	lines = append(lines,
		"      env:",
		fmt.Sprintf("        GITHUB_TOKEN: ${{ steps.%s.outputs.token }}", apmAppTokenStepID),
	)
}
```

```go
// Proposed:
if apmDeps.GitHubApp != nil {
	lines = append(lines,
		"      env:",
		fmt.Sprintf("        GITHUB_TOKEN: ${{ steps.%s.outputs.token }}", apmAppTokenStepID),
		fmt.Sprintf("        GITHUB_APM_PAT: ${{ steps.%s.outputs.token }}", apmAppTokenStepID),
	)
}
```

Why
APM CLI's token resolution precedence for module downloads is:
GITHUB_APM_PAT > GITHUB_TOKEN > GH_TOKEN
By explicitly setting GITHUB_APM_PAT to the App token, gh-aw ensures the correct token wins regardless of what apm-action does with its default github-token input. This makes gh-aw self-contained and not dependent on apm-action's internal token-forwarding behavior.
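An added example (not gh-aw's or apm-action's code) that models the precedence above and shows why the hardening matters: without the extra variable, an apm-action that fills GITHUB_APM_PAT with the default token shadows the App token in GITHUB_TOKEN; with it, the App token wins. `ResolveAPMToken`, `GhawPackStepEnv` and `ApmActionV140` are hypothetical models, and the example assumes apm-action does not overwrite a GITHUB_APM_PAT the step already sets.

```go
package main

import "fmt"

// Token variables APM CLI consults for module downloads, highest precedence first
// (the order stated in this issue).
var apmTokenVars = []string{"GITHUB_APM_PAT", "GITHUB_TOKEN", "GH_TOKEN"}

// ResolveAPMToken mirrors that precedence: the first non-empty variable wins.
// It returns the winning variable name and its value ("" if none is set).
func ResolveAPMToken(env map[string]string) (string, string) {
	for _, name := range apmTokenVars {
		if v := env[name]; v != "" {
			return name, v
		}
	}
	return "", ""
}

// GhawPackStepEnv models the env block gh-aw emits for the pack step when
// github-app is configured: GITHUB_TOKEN always, GITHUB_APM_PAT only with the fix.
func GhawPackStepEnv(appToken string, alsoSetPAT bool) map[string]string {
	env := map[string]string{"GITHUB_TOKEN": appToken}
	if alsoSetPAT {
		env["GITHUB_APM_PAT"] = appToken
	}
	return env
}

// ApmActionV140 models the apm-action v1.4.0 behaviour described in this issue:
// it fills GITHUB_APM_PAT with the default github.token. Assumption: a value the
// step env already sets is left untouched.
func ApmActionV140(env map[string]string, defaultToken string) {
	if env["GITHUB_APM_PAT"] == "" {
		env["GITHUB_APM_PAT"] = defaultToken
	}
}

func main() {
	const appToken, defaultToken = "app-token", "default-github-token" // constructed values
	for _, hardened := range []bool{false, true} {
		env := GhawPackStepEnv(appToken, hardened)
		ApmActionV140(env, defaultToken)
		name, tok := ResolveAPMToken(env)
		fmt.Printf("GITHUB_APM_PAT also set=%v -> %s wins with %q (App token wins: %v)\n",
			hardened, name, tok, tok == appToken)
	}
}
```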
Priority
Low — the primary fix is in microsoft/apm-action#21. This is a defensive hardening measure.