workflows/periodic-merges: use nix-backport app's token when merging branches

This will allow GitHub to run actions on those commits, specifically Eval action.
Currently as these merges are commited by `github-actions`, Eval doesn't run on the commits.
ie, https://github.com/NixOS/nixpkgs/actions/runs/12646467735/job/35237397411?pr=371701 failed due to NixOS@fa2d66f commit was done by github-actions.

With this every periodic merge will be authored and commited by the nix-backports bot. We can reuse the bot here as they have similar perms (NixOS/org#38)

Author: JohnRTitor

.github/workflows/periodic-merge-24h.yml

@@ -20,9 +20,6 @@ permissions:
 
 jobs:
   periodic-merge:
-    permissions:
-      contents: write  # for devmasx/merge-branch to merge branches
-      pull-requests: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
     runs-on: ubuntu-24.04
     strategy:
@@ -39,20 +36,31 @@ jobs:
             into: staging-24.11
     name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
     steps:
+      # Use a GitHub App to create the PR so that CI gets triggered
+      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
+      # Same app as in backport.yml
+      - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ vars.BACKPORT_APP_ID }}
+          private-key: ${{ secrets.BACKPORT_PRIVATE_KEY }}
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
         uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
         with:
           type: now
           from_branch: ${{ matrix.pairs.from }}
           target_branch: ${{ matrix.pairs.into }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.app-token.outputs.token  }}
 
       - name: Comment on failure
         uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         if: ${{ failure() }}
         with:
+          token: ${{ steps.app-token.outputs.token }}
           issue-number: 105153
           body: |
             Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).

.github/workflows/periodic-merge-6h.yml

@@ -20,9 +20,6 @@ permissions:
 
 jobs:
   periodic-merge:
-    permissions:
-      contents: write  # for devmasx/merge-branch to merge branches
-      pull-requests: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
     runs-on: ubuntu-24.04
     strategy:
@@ -39,20 +36,31 @@ jobs:
             into: staging
     name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
     steps:
+      # Use a GitHub App to create the PR so that CI gets triggered
+      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
+      # Same app as in backport.yml
+      - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ vars.BACKPORT_APP_ID }}
+          private-key: ${{ secrets.BACKPORT_PRIVATE_KEY }}
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
         uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
         with:
           type: now
           from_branch: ${{ matrix.pairs.from }}
           target_branch: ${{ matrix.pairs.into }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.app-token.outputs.token }}
 
       - name: Comment on failure
         uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         if: ${{ failure() }}
         with:
+          token: ${{ steps.app-token.outputs.token }}
           issue-number: 105153
           body: |
             Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).

.github/workflows/periodic-merge-haskell-updates.yml

@@ -22,16 +22,22 @@ permissions:
 
 jobs:
   periodic-merge:
-    permissions:
-      contents: write  # for devmasx/merge-branch to merge branches
-      pull-requests: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
     runs-on: ubuntu-24.04
     name: git merge-base master staging → haskell-updates
     steps:
+      # Use a GitHub App to create the PR so that CI gets triggered
+      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
+      # Same app as in backport.yml
+      - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ vars.BACKPORT_APP_ID }}
+          private-key: ${{ secrets.BACKPORT_PRIVATE_KEY }}
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
 
       # Note: If we want to do something similar for more branches, we can move this into a
       # separate job, so we can use the matrix strategy again.
@@ -48,12 +54,13 @@ jobs:
           type: now
           head_to_merge: ${{ steps.find_merge_base_step.outputs.merge_base }}
           target_branch: haskell-updates
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.app-token.outputs.token }}
 
       - name: Comment on failure
         uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         if: ${{ failure() }}
         with:
+          token: ${{ steps.app-token.outputs.token }}
           issue-number: 367709
           body: |
             Periodic merge from `${{ steps.find_merge_base_step.outputs.merge_base }}` into `haskell-updates` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).