chore(ci): Replace GH_CQ_BOT PAT with GitHub App tokens (#2464)

Replace GH_CQ_BOT PAT with short-lived tokens from the cloudquery-ci GitHub App.

Author: erezrokah

.github/.kodiak.toml

@@ -2,7 +2,7 @@
 version = 1
 
 [approve]
-auto_approve_usernames = ["cq-bot"]
+auto_approve_usernames = ["cloudquery-ci"]
 
 [merge.message]
 body = "pull_request_body"

.github/workflows/gen_coverage_report.yml

@@ -18,9 +18,17 @@ jobs:
       id-token: write
       contents: write
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+        with:
+          app-id: ${{ secrets.CQ_APP_ID }}
+          private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GH_CQ_BOT }}
+          token: ${{ steps.app-token.outputs.token }}
       - name: Set up Go 1.x
         id: setup-go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
@@ -44,11 +52,10 @@ jobs:
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
         with:
           # required so the PR triggers workflow runs
-          token: ${{ secrets.GH_CQ_BOT }}
+          token: ${{ steps.app-token.outputs.token }}
           branch: chore/update_coverage_report
           base: main
           title: "chore: Update coverage report"
           commit-message: "chore: Update coverage report"
           body: This PR was created by a scheduled workflow to update the coverage report
-          author: cq-bot <cq-bot@users.noreply.github.com>
           labels: automerge

.github/workflows/go_mod_tidy_examples.yml

@@ -12,14 +12,21 @@ jobs:
   go-mod-tidy-example:
     timeout-minutes: 5
     runs-on: ubuntu-latest
-    if: github.event.pull_request.user.login == 'cq-bot' && startsWith(github.event.pull_request.title, 'fix(deps)') && startsWith(github.head_ref, 'renovate/')
+    if: github.event.pull_request.user.login == 'cloudquery-ci[bot]' && startsWith(github.event.pull_request.title, 'fix(deps)') && startsWith(github.head_ref, 'renovate/')
     strategy:
       matrix:
         plugin: [simple_plugin]
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+        with:
+          app-id: ${{ secrets.CQ_APP_ID }}
+          private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+          permission-contents: write
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GH_CQ_BOT }}
+          token: ${{ steps.app-token.outputs.token }}
       - name: Set up Go 1.x
         id: setup-go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6

.github/workflows/release-pr.yml

@@ -12,10 +12,18 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+        with:
+          app-id: ${{ secrets.CQ_APP_ID }}
+          private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
       - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
         id: release
         with:
-          token: ${{ secrets.GH_CQ_BOT }}
+          token: ${{ steps.app-token.outputs.token }}
       - name: Parse semver string
         if: steps.release.outputs.release_created
         id: semver_parser
@@ -34,7 +42,7 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         if: steps.release.outputs.release_created && steps.semver_parser.outputs.prerelease == ''
         with:
-          github-token: ${{ secrets.GH_CQ_BOT }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             github.rest.actions.createWorkflowDispatch({
               owner: 'cloudquery',