chore(ci): use github app token instead of bot user (#206)

.github/workflows/codeql.yml

@@ -41,7 +41,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/prepare-release.yml

@@ -19,6 +19,12 @@ jobs:
   prepare:
     runs-on: ubuntu-latest
     steps:
+      - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
       - uses: actions/checkout@v4
 
       - name: Use Node.js 20.x
@@ -36,7 +42,7 @@ jobs:
         with:
           branch: release/${{ steps.version.outputs.new-version }}
           title: 'chore: bump version to ${{ steps.version.outputs.new-version }}'
-          token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           draft: false
           body: |
             An automated PR for next release.

.github/workflows/publish-release.yml

@@ -11,6 +11,12 @@ jobs:
       name: Production
       url: https://www.npmjs.com/package/@mongodb-js/oidc-plugin/v/${{ steps.get-version.outputs.package_version }}
     steps:
+      - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
       - uses: actions/checkout@v4
 
       - name: Use Node.js 20.x
@@ -44,7 +50,7 @@ jobs:
       - name: Merge Pull Request
         uses: juliangruber/merge-pull-request-action@9234b8714dda9a08f3d1df5b2a6a3abd7b695353 # 1.3.1
         with:
-          github-token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
           number: ${{ steps.find-pull-request.outputs.number }}
           method: squash