We should move to using GitHub App tokens owned by the slsa-framework org for this repo rather than using personal access tokens.