use gh app to fetch token for docs pr creation

Author: dminnear-rh

.github/workflows/update-metadata.yaml

@@ -12,15 +12,27 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 jobs:
+  get-token:
+    runs-on: ubuntu-latest
+    outputs:
+      generated_token: ${{ steps.app-token.outputs.token }}
+    steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        id: app-token
+        with:
+          app-id: ${{ vars.METADATA_SYNC_APP_ID }}
+          private-key: ${{ secrets.METADATA_SYNC_PRIVATE_KEY }}
+
   update-metadata:
+    needs: get-token
     uses: validatedpatterns/docs/.github/workflows/metadata-docs.yml@main # zizmor: ignore[unpinned-uses]
-    permissions: # Workflow-level permissions
-      contents: read  # Required for "read-all"
-      packages: write # Allows writing to packages
-      id-token: write # Allows creating OpenID Connect (OIDC) tokens
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     secrets:
-      DOCS_TOKEN: ${{ secrets.DOCS_TOKEN }}
-    # For testing you can point to a different branch in the docs repository
-    # with:
-    #  DOCS_BRANCH: "main"
+      DOCS_TOKEN: ${{ needs.get-token.outputs.generated_token }}