chore: use github app for release workflow

Signed-off-by: Benjamin Fahl <git@fahl-design.de>

Author: Fahl-Design

.github/workflows/release.yml

@@ -6,27 +6,29 @@ name: Release
       - completed
     branches:
       - main
-permissions:
-  contents: read # for checkout
 jobs:
   release:
     if: github.event.workflow_run.conclusion == 'success'
-    permissions:
-      contents: write # to be able to publish a GitHub release
-      issues: write # to be able to comment on released issues
-      pull-requests: write # to be able to comment on released pull requests
-      id-token: write # to enable use of OIDC for npm provenance
     name: release
     runs-on: ubuntu-latest
     steps:
+      - name: Generate Token
+        id: generate_token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
+
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.workflow_run.head_sha }}
-          persist-credentials: false
+          fetch-depth: 0
+          token: ${{ steps.generate_token.outputs.token }}
+
       - name: Semantic Release
         id: semantic
-        uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
+        uses: cycjimmy/semantic-release-action@v4
         with:
           tag_format: ${version}
           branches: |
@@ -39,4 +41,4 @@ jobs:
             @semantic-release/git
             conventional-changelog-conventionalcommits
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}