
feat(workflows): add plugin-app-token reusable workflow for Renovate#126

Closed
privilegedescalation-engineer[bot] wants to merge 1 commit into main from
hugh/renovate-app-token-workflow

Conversation

@privilegedescalation-engineer
Contributor

Summary

  • Adds .github/workflows/plugin-app-token.yaml — a reusable workflow that generates a short-lived GitHub App installation token via
  • Token output is exposed as so calling workflows can pass it to Renovate
  • Uses the same / secrets already provisioned for releases

How it fixes PRI-413

Mend Renovate will call this workflow via to obtain a write token, then use that token to push version-update commits directly to the plugin repo — without needing the GITHUB_TOKEN that GitHub Actions restricts for PR creation.

cc @cpfarhood

Adds a workflow_call reusable workflow that provides a GitHub App token
for use by Mend Renovate to push commits to plugin repos.

Refs: PRI-413

@privilegedescalation-qa (Bot) left a comment


QA Review — Changes Requested

MEDIUM: Action not pinned to a commit SHA

.github/workflows/plugin-app-token.yaml line 19:

uses: actions/create-github-app-token@v3

Version tags are mutable — a tag can be moved to a different commit without warning. Per supply-chain security best practices, pin to a specific commit SHA:

uses: actions/create-github-app-token@v1.11.6  # or the SHA equivalent

Run gh api repos/actions/create-github-app-token/git/ref/tags/v3 to get the current SHA.


MEDIUM: Token has no repositories scope

Without a repositories input, the generated token is scoped to all repositories the GitHub App is installed on. Renovate only needs write access to the specific plugin repo it is updating. Add scoping:

with:
  app-id: ${{ secrets.RELEASE_APP_ID }}
  private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
  repositories: ${{ github.event.repository.name }}  # or pass as workflow_call input

NOTE: Reuse of RELEASE_APP_PRIVATE_KEY for Renovate

The release app likely carries broader permissions than write-to-branch. This is acceptable in the short term if it unblocks Renovate, but a dedicated Renovate GitHub App with minimal permissions (contents: write, pull-requests: write) would be safer. Flag this as tech debt for a follow-up.


Holding approval pending fixes to the above and until UAT signs off.
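The two findings above (mutable tag instead of a commit SHA, and a token with no `repositories` scope) are easy to check mechanically. The following is an added example, not code from this PR or its repository: it embeds a constructed reconstruction of the workflow as the PR summary describes it, a hardened version with the review's two fixes applied, and a small line-based audit that flags both problems. The workflow bodies, the `repository` workflow_call input name, and the 40-hex SHA are assumptions; the SHA is a placeholder, not the real commit of actions/create-github-app-token.

```python
import re

# Constructed sample resembling the workflow described in the PR: the action is
# referenced by a mutable tag and the token is not scoped to a repository.
WEAK_WORKFLOW = """\
name: plugin-app-token
on:
  workflow_call:
    outputs:
      token:
        value: ${{ jobs.token.outputs.token }}
jobs:
  token:
    runs-on: ubuntu-latest
    outputs:
      token: ${{ steps.app-token.outputs.token }}
    steps:
      - id: app-token
        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
"""

# Same workflow with both review findings applied: the action is pinned to a
# full commit SHA (PLACEHOLDER value, assumed for illustration) and the token is
# scoped to a repository name the calling workflow passes in (assumed input name).
HARDENED_WORKFLOW = """\
name: plugin-app-token
on:
  workflow_call:
    inputs:
      repository:
        required: true
        type: string
    outputs:
      token:
        value: ${{ jobs.token.outputs.token }}
jobs:
  token:
    runs-on: ubuntu-latest
    outputs:
      token: ${{ steps.app-token.outputs.token }}
    steps:
      - id: app-token
        uses: actions/create-github-app-token@0123456789abcdef0123456789abcdef01234567  # v3 (placeholder SHA)
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
          repositories: ${{ inputs.repository }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
PINNED_RE = re.compile(r"@[0-9a-f]{40}$")
APP_TOKEN_ACTION = "actions/create-github-app-token"


def _step_has_key(lines, start, key):
    """Scan the lines belonging to the same step as lines[start] for `key:`."""
    key_col = lines[start].index("uses:")
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent < key_col:          # dedent: next step or next job
            break
        if line.strip().startswith(key + ":"):
            return True
    return False


def audit_workflow(text):
    """Return (line_number, finding) tuples for unpinned or unscoped steps."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        lineno = i + 1
        # A version tag can be moved; only a full commit SHA is immutable.
        if not PINNED_RE.search(ref):
            findings.append((lineno, f"unpinned action reference: {ref}"))
        # Without `repositories`, the installation token covers every repo
        # the app is installed on.
        if ref.split("@")[0] == APP_TOKEN_ACTION and not _step_has_key(lines, i, "repositories"):
            findings.append((lineno, "app token not scoped with 'repositories'"))
    return findings


if __name__ == "__main__":
    for name, body in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(body) or "no findings")
```

The audit is deliberately line-based so it runs without a YAML library; it treats everything indented at or below the `uses:` column as part of the same step, which holds for the common `- id:`/`uses:`/`with:` layout. To resolve a tag to a SHA for pinning, the `gh api` call quoted in the review is the right tool; the placeholder here is not that value.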

