author Tom Stellard <tstellar@redhat.com> 2026-02-02 16:01:36 -0800
committer Tom Stellard <tstellar@redhat.com> 2026-02-02 16:57:22 -0800
commit 25ae460afeb117707487e25a9a4eb410bdf8e4fb (patch)
tree 7b4f99d1fff84898abb65e9c76c412b7b1d130c0
parent 4c635107ded1341b453569beb5b279c625939e5a (diff)
workflows/commit-access-review: Use a GitHub App access token instead of llvmbot (users/tstellar/github-app-token)
This replaces the use of an access token associated with the llvmbot account with one that is generated by a GitHub App. This is slightly better, because it eliminates the need to periodically rotate the llvmbot tokens, which is difficult to do, since it requires sharing a password and 2FA code among all the admins. The tokens generated by the app automatically expire after an hour, and the private key that is used to request them can be easily rotated by an LLVM Organization owner. Also, since a single private key can be used to generate many tokens, there is only one secret to rotate instead of many.
-rw-r--r-- .github/workflows/commit-access-review.yml 12
1 files changed, 11 insertions, 1 deletions
diff --git a/.github/workflows/commit-access-review.yml b/.github/workflows/commit-access-review.yml
index 2809b1c..7577870 100644
--- a/.github/workflows/commit-access-review.yml
+++ b/.github/workflows/commit-access-review.yml
@@ -21,11 +21,21 @@ jobs:
- name: Install dependencies
run: |
pip install --require-hashes -r ./llvm/utils/git/requirements.txt
+
+ - id: app-token
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
+ with:
+ app-id: ${{ secrets.LLVM_TOKEN_GENERATOR_CLIENT_ID }}
+ private-key: ${{ secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ permission-members: read
+ permission-contents: read
- name: Run Script
env:
- GITHUB_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
+ echo "${{ steps.app-token.outputs.app-slug }}[bot]"
python3 .github/workflows/commit-access-review.py $GITHUB_TOKEN
- name: Upload Triage List
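Review bot: In the "Run Script" step, the added `echo "${{ steps.app-token.outputs.app-slug }}[bot]"` expands a workflow expression directly into the shell script and carries no comment saying why the bot name is printed. Suggest passing the slug through the step's `env:` block (for example under a hypothetical `APP_SLUG` variable), echoing `"${APP_SLUG}[bot]"`, and adding a one-line comment on what the output is for. Two smaller points in the same hunk: `app-id` is filled from a secret named `LLVM_TOKEN_GENERATOR_CLIENT_ID`, so a comment confirming which identifier that secret holds would help the next reader; and the unchanged `python3 .github/workflows/commit-access-review.py $GITHUB_TOKEN` line still passes the token unquoted on the command line although it is already set in `env:`, so consider having the script read it from the environment instead.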