cicd: use create-github-app-token (#247)

* cicd: use create-github-app-token

* fix incorrect placement of create-github-app-token

.github/workflows/cd.yaml

@@ -34,12 +34,18 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.BOT_ID }}
+          private-key: ${{ secrets.BOT_SK }}
+
       - uses: actions/checkout@v3
         with:
           # Fetch entire repository history so we can determine version number from it
           fetch-depth: 0
           # use release token for production_release, standard token otherwise
-          token: ${{ inputs.production_release && secrets.RELEASE_GH_TOKEN || secrets.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Install poetry
         run: pipx install poetry
@@ -57,7 +63,7 @@ jobs:
         shell: bash
         run: echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
         id: get_branch
-        
+
       - name: Set Git user as GitHub actions
         run: git config --global user.email "[email protected]" && git config --global user.name "github-actions"
 
@@ -72,7 +78,7 @@ jobs:
             publish
           gh release edit --prerelease "$(poetry run semantic-release print-version --current)"
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           REPOSITORY_USERNAME: __token__
           REPOSITORY_PASSWORD: ${{ secrets.PYPI_API_KEY }}
 
@@ -87,6 +93,6 @@ jobs:
             --define=patch_without_tag=true \
             publish
         env:
-          GH_TOKEN: ${{ secrets.RELEASE_GH_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           REPOSITORY_USERNAME: __token__
           REPOSITORY_PASSWORD: ${{ secrets.PYPI_API_KEY }}