ci: migrate workflow auth from PAT to GitHub App tokens (#3004)

## Summary - Migrated `draft-stale-prs` and `label-rebase-prs` GitHub Actions workflows from using a personal access token (`PR_RW_GITHUB_TOKEN`) to generating tokens via the Dyad GitHub App (`actions/create-github-app-token@v2`) - Improves security and auditability by using scoped, short-lived GitHub App tokens with explicit permissions instead of long-lived PATs ## Test plan - [ ] Verify `draft-stale-prs` workflow runs successfully on its cron schedule (or trigger manually) - [ ] Verify `label-rebase-prs` workflow runs successfully when triggered by push to `main` - [ ] Confirm the GitHub App has the required permissions: `contents: read`, `pull-requests: write`, and `issues: write` (for draft-stale-prs) 🤖 Generated with [Claude Code](https://claude.com/claude-code)  --- <a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3004" target="_blank"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1"> <img src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1" alt="Open with Devin"> </picture> </a>  Co-authored-by: Will Chen <willchen90@gmail.com> Co-authored-by: Claude <noreply@anthropic.com>

ci: migrate workflow auth from PAT to GitHub App tokens (#3004)
871e3b41 · wwwillchen-bot · GitHub · 0ee64472 · 871e3b41 · 871e3b41
--- a/.github/workflows/draft-stale-prs.yml
+++ b/.github/workflows/draft-stale-prs.yml
@@ -15,9 +15,19 @@ jobs:
    runs-on: ubuntu-latest
    environment: ai-bots
    steps:
+      - name: Create GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.DYAD_GITHUB_APP_ID }}
+          private-key: ${{ secrets.DYAD_GITHUB_APP_PRIVATE_KEY }}
+          permission-contents: read
+          permission-pull-requests: write
+          permission-issues: write
+
      - uses: actions/github-script@v7
        with:
-          github-token: ${{ secrets.PR_RW_GITHUB_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
          script: |
            const sevenDaysAgo = new Date();
            sevenDaysAgo.setDate(sevenDaysAgo.getDate() - 7);

--- a/.github/workflows/label-rebase-prs.yml
+++ b/.github/workflows/label-rebase-prs.yml
@@ -13,9 +13,18 @@ jobs:
    environment: ai-bots
    runs-on: ubuntu-latest
    steps:
+      - name: Create GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.DYAD_GITHUB_APP_ID }}
+          private-key: ${{ secrets.DYAD_GITHUB_APP_PRIVATE_KEY }}
+          permission-contents: read
+          permission-pull-requests: write
+
      - uses: actions/github-script@v7
        with:
-          github-token: ${{ secrets.PR_RW_GITHUB_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
          script: |
            const allowedAuthors = ['wwwillchen', 'wwwillchen-bot', 'dyadbot', 'dyad-assistant'];