Use GH App token instead of PAT token to trigger the deploy workflow (#100)

Author: michalchecinski

.github/workflows/main.yml

@@ -1,4 +1,4 @@
-name: main
+name: Main
 
 on:
   push:
@@ -13,6 +13,7 @@ on:
 
 jobs:
   format:
+    name: Format
     runs-on: ubuntu-24.04
 
     permissions:
@@ -34,6 +35,7 @@ jobs:
         run: npm run format:check
 
   deploy:
+    name: Deploy
     if: ${{ github.event_name == 'release' }}
     needs: format
     runs-on: ubuntu-24.04
@@ -65,9 +67,16 @@ jobs:
             dist
             package.json
 
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ secrets.BW_GHAPP_ID }}
+          private-key: ${{ secrets.BW_GHAPP_KEY }}
+
       - name: Dispatch deployment
         env:
-          GITHUB_TOKEN: ${{ secrets.DEPLOYMENT_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         run: >
           gh workflow run deploy-passwordless-client-js
           --repo bitwarden/passwordless-devops