fix: use Art Board Bot GitHub app instead of PAT, add permissions

Switch from PROJECT_PAT to the new PostHog Art Board Bot app
(GH_APP_POSTHOG_ART_BOARD_BOT_APP_ID / PRIVATE_KEY) using
actions/create-github-app-token. Add permissions block to all
three workflows to satisfy security checks.

Author: webjunkie

.github/workflows/art-board-reminder.yml

@@ -3,6 +3,9 @@ name: Art board project reminder (reusable)
 # Reusable workflow: paginates a Projects V2 board, finds issues stuck in a
 # given column for too long, and posts a one-time reminder comment.
 
+permissions:
+    contents: read
+
 on:
     workflow_call:
         inputs:
@@ -26,13 +29,21 @@ on:
                 required: true
                 type: string
         secrets:
-            PROJECT_PAT:
+            GH_APP_POSTHOG_ART_BOARD_BOT_APP_ID:
+                required: true
+            GH_APP_POSTHOG_ART_BOARD_BOT_PRIVATE_KEY:
                 required: true
 
 jobs:
     remind:
         runs-on: ubuntu-latest
         steps:
+            - name: Get app token
+              id: app-token
+              uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+              with:
+                  app-id: ${{ secrets.GH_APP_POSTHOG_ART_BOARD_BOT_APP_ID }}
+                  private-key: ${{ secrets.GH_APP_POSTHOG_ART_BOARD_BOT_PRIVATE_KEY }}
             - name: Find stale issues and post reminders
               uses: actions/github-script@v7
               env:
@@ -42,7 +53,7 @@ jobs:
                   INPUT_TAG: ${{ inputs.reminder_tag }}
                   INPUT_MESSAGE: ${{ inputs.message }}
               with:
-                  github-token: ${{ secrets.PROJECT_PAT }}
+                  github-token: ${{ steps.app-token.outputs.token }}
                   script: |
                       const column       = process.env.INPUT_COLUMN;
                       const staleDays    = parseInt(process.env.INPUT_STALE_DAYS);

.github/workflows/art-board-reminders.yml

@@ -1,5 +1,8 @@
 name: Art board reminders
 
+permissions:
+    contents: read
+
 on:
     schedule:
         - cron: '0 9 * * *' # daily 9 AM UTC
@@ -14,7 +17,8 @@ jobs:
             reminder_tag: '<!-- art-board-feedback-reminder -->'
             message: 'This issue has been in **Feedback/Review** for {days} days. Any feedback needed to move it forward?'
         secrets:
-            PROJECT_PAT: ${{ secrets.PROJECT_PAT }}
+            GH_APP_POSTHOG_ART_BOARD_BOT_APP_ID: ${{ secrets.GH_APP_POSTHOG_ART_BOARD_BOT_APP_ID }}
+            GH_APP_POSTHOG_ART_BOARD_BOT_PRIVATE_KEY: ${{ secrets.GH_APP_POSTHOG_ART_BOARD_BOT_PRIVATE_KEY }}
 
     no-status:
         uses: ./.github/workflows/art-board-reminder.yml
@@ -25,4 +29,5 @@ jobs:
             reminder_tag: '<!-- art-board-no-status-reminder -->'
             message: 'This issue has been sitting without an owner for {days} days. Can someone pick this up or assign it to a column on the board?'
         secrets:
-            PROJECT_PAT: ${{ secrets.PROJECT_PAT }}
+            GH_APP_POSTHOG_ART_BOARD_BOT_APP_ID: ${{ secrets.GH_APP_POSTHOG_ART_BOARD_BOT_APP_ID }}
+            GH_APP_POSTHOG_ART_BOARD_BOT_PRIVATE_KEY: ${{ secrets.GH_APP_POSTHOG_ART_BOARD_BOT_PRIVATE_KEY }}

.github/workflows/art-board-status-change.yml

@@ -5,6 +5,9 @@ name: Art board status change
 # 2. Moved to "Assigned: X"  → remove the other default assignees
 #    (exception: internal requests from team members keep everyone assigned)
 
+permissions:
+    contents: read
+
 on:
     projects_v2_item:
         types: [edited]
@@ -14,10 +17,16 @@ jobs:
         runs-on: ubuntu-latest
         if: github.event.projects_v2_item.field_name == 'Status'
         steps:
+            - name: Get app token
+              id: app-token
+              uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+              with:
+                  app-id: ${{ secrets.GH_APP_POSTHOG_ART_BOARD_BOT_APP_ID }}
+                  private-key: ${{ secrets.GH_APP_POSTHOG_ART_BOARD_BOT_PRIVATE_KEY }}
             - name: Close issue or sync assignees
               uses: actions/github-script@v7
               with:
-                  github-token: ${{ secrets.PROJECT_PAT }}
+                  github-token: ${{ steps.app-token.outputs.token }}
                   script: |
                       const ASSIGNEE_MAP = {
                         'Assigned: Daniel': { keep: 'dphawkins1617', remove: ['lottiecoxon', 'heidiberton'] },