Move to using github app token

Author: pragupta

.github/workflows/create_ifu_tag.yml

@@ -18,6 +18,15 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: rocm
+          repositories: pytorch
+
       - name: Checkout base repo (full history)
         uses: actions/checkout@v4
         with:
@@ -99,7 +108,7 @@ jobs:
 
       - name: Append rocm_base & upstream_main to PR body
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.output.token }}
         shell: bash
         run: |
           set -euo pipefail

.github/workflows/pytorch_ifu.yml

@@ -46,15 +46,22 @@ jobs:
       DOWNSTREAM_REMOTE: origin                              # IFU target remote name
       DOWNSTREAM_REPO: ${{ inputs.ifu_target_repo }}         # target repo for IFU (fork); actions/checkout sets this to origin
       DOWNSTREAM_BRANCH: ${{ inputs.ifu_target_branch }}     # target branch for IFU
-      GH_TOKEN: ${{ secrets.IFU_GITHUB_TOKEN }}              # used by gh; provided by Action 
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: rocm
+          repositories: pytorch
+      
       - name: Checkout repository (${{ env.DOWNSTREAM_REPO }}) (full history)
         uses: actions/checkout@v4
         with:
           repository: ${{ env.DOWNSTREAM_REPO }}
           path: ${{ env.DOWNSTREAM_REPO }}
           ref: ${{ env.DOWNSTREAM_BRANCH }}
-          token: ${{ env.GH_TOKEN }}
           fetch-depth: 0 # need full history for merges/tags
           submodules: recursive
 
@@ -115,18 +122,24 @@ jobs:
 
       - name: Push branch & tag to fork
         working-directory: ${{ env.DOWNSTREAM_REPO }}
+        env:
+          GH_TOKEN: ${{ steps.app-token.output.token }}
         run: |
           git push ${DOWNSTREAM_REMOTE} "${{ steps.tag.outputs.TAG }}"
 
       - name: Authenticate gh (non-interactive)
         working-directory: ${{ env.DOWNSTREAM_REPO }}
+        env:
+          GH_TOKEN: ${{ steps.app-token.output.token }}
         run: |
           # The GitHub-hosted runner has gh preinstalled.
           gh auth status || echo "$GH_TOKEN" | gh auth login --with-token
           gh repo set-default "${{ env.DOWNSTREAM_REPO }}"
 
       - name: Create Pull Request with gh
         working-directory: ${{ env.DOWNSTREAM_REPO }}
+        env:
+          GH_TOKEN: ${{ steps.app-token.output.token }}
         run: |
           BASE="${DOWNSTREAM_BRANCH}"
           HEAD="${{ steps.tag.outputs.TAG }}"