Use custom Github App to authenticate backport job

[cdce8p]

Followup to #10390

For organizations it's recommended to use custom Github Apps over PAT from bot accounts.
Created https://github.com/apps/pylint-backport-bot for it.

https://github.com/actions/create-github-app-token

[github-actions]

🤖 According to the primer, this change has no effect on the checked open source code. 🤖🎉

This comment was generated for commit 0033c58

[Pierre-Sassoulas]

This is even better :) Is the app just an empty shell with some rights ? Otherwise where's the code for it ?

[DanielNoord]

Thanks @cdce8p for some of the recent PRs. Always good to have you around here 😄

[cdce8p]

Is the app just an empty shell with some rights ? Otherwise where's the code for it ?

Exactly. We somehow need to move beyond the GITHUB_TOKEN permissions. To do that the actions/create-github-app-token action authenticates the APP with the secret private key and get's an installation access token from it.

You can view the requested permissions here, but they are just the three explicitly listed in the backport.yml file. https://github.com/organizations/pylint-dev/settings/apps/pylint-backport-bot/permissions

Technically speaking the installation access token could have a slightly broader access than the PAT as it could be configured to access other org repos as well (i.e. astroid). That's one of the main use cases for it, to do inter org stuff. That config isn't the default though. https://github.com/actions/create-github-app-token?tab=readme-ov-file#owner