Generate and use token from GH App

[dcamron]

We currently rely on individual users' Personal Access Tokens (PATs) in place of the default GITHUB_TOKEN for our workflows that submit PRs that themselves kick off additional workflows (a documented limitation of GITHUB_TOKEN.) PATs can be somewhat flimsy and risky, especially as collaborators come and go, and requires individuals to task themselves with generating and updating these secrets.

Owners can see in the Pythia Organization settings that I've created a new Pythia PR Machine Github App. This app has the appropriate (and limited) access to our org and this repo to generate tokens that should work for these workflows. The app must be installed to the particular repo where the token is needed, and appropriate app secrets must be provisioned in the settings. If this works as intended, I'll document that process for other org owners.

I haven't recreated the machinery elsewhere to test this elsewhere; I figure we review and merge this, and we can test this as part of submitting gridding-cookbook to the gallery.

[github-actions]

👋 Thanks for opening this PR! The site will be automatically built with GitHub Actions. To see the status of your deployment, click below.
🔍 Git commit SHA: e90c6d6
✅ Deployment Preview URL: https://cookbooks.projectpythia.org/_preview/114

[jukent]

Sounds like a reasonable and safe way to test this PAT method. Thanks Drew

[dcamron]

@ProjectPythia/infrastructure if a second reviewer wants to sign off on this please do, else I'll plan to merge at the end of the day today so we can try out the workflows for getting cookbooks added to the gallery later this week.

[brian-rose]

I can't claim to understand how this all works, but the idea seems sound I think you should go ahead with the testing @dcamron!

[dopplershift]

Ugh, I really wish GitHub would make an easier official way to deal with this.