infra: switch sync-motoko workflow to pr-automation-bot-public GitHub App

## Background

Since the repo is now public, stricter rules apply: workflows using `GITHUB_TOKEN` with elevated permissions (`contents: write`, `pull-requests: write`) to create PRs are not allowed. PR #185 (chore: bump Motoko to v1.7.0) was created this way and must be closed.

The `pr-automation-bot-public` GitHub App has been granted access to this repo by Bas and should be used for all automated PR creation going forward.

## What needs to change

File: `.github/workflows/sync-motoko.yml`

### 1. Remove the elevated `permissions` block

The current workflow declares:

```yaml
permissions:
  contents: write
  pull-requests: write
```

These permissions are required when using `GITHUB_TOKEN` to push branches and create PRs. With the app token they are no longer needed at the job level (the app's installation token carries its own permissions).

### 2. Add the app token step (at line 23, before the first `GH_TOKEN` usage)

```yaml
- name: Create GitHub App Token
  uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
  id: app-token
  with:
    app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }}
    private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }}
```

Reference: how the `sdk` repo uses this action — https://github.com/dfinity/sdk/blob/db214a5974444beb3cad66a1b30bfc108acf1937/.github/workflows/update-motoko.yml#L63

### 3. Replace `secrets.GITHUB_TOKEN` with the app token

There are two places in the workflow that use `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`:

- **"Get latest Motoko release tag" step** — used to query the `caffeinelabs/motoko` release via `gh release view`
- **"Create PR" step** — used to push the branch and open the PR via `gh pr create`

Both should become:

```yaml
env:
  GH_TOKEN: ${{ steps.app-token.outputs.token }}
```

## After the changes are merged

1. Close PR #185 with a note that the workflow will be re-triggered manually once the new setup is in place
2. Re-trigger the `Motoko release check` workflow manually via `workflow_dispatch` to verify the new bot-based PR creation works end-to-end for the same Motoko v1.7.0 sync

## Org-level credentials

| Type | Name |
|------|------|
| Org variable | `PR_AUTOMATION_BOT_PUBLIC_APP_ID` |
| Org secret | `PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY` |

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

infra: switch sync-motoko workflow to pr-automation-bot-public GitHub App #196

Background

What needs to change

1. Remove the elevated `permissions` block

2. Add the app token step (at line 23, before the first `GH_TOKEN` usage)

3. Replace `secrets.GITHUB_TOKEN` with the app token

After the changes are merged

Org-level credentials

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Type	Name
Org variable	`PR_AUTOMATION_BOT_PUBLIC_APP_ID`
Org secret	`PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY`

infra: switch sync-motoko workflow to pr-automation-bot-public GitHub App #196

Description

Background

What needs to change

1. Remove the elevated permissions block

2. Add the app token step (at line 23, before the first GH_TOKEN usage)

3. Replace secrets.GITHUB_TOKEN with the app token

After the changes are merged

Org-level credentials

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

1. Remove the elevated `permissions` block

2. Add the app token step (at line 23, before the first `GH_TOKEN` usage)

3. Replace `secrets.GITHUB_TOKEN` with the app token