Consume Release GitHub App token in new-release.yml so release PRs trigger CI #882

Description

@CassioMG

Summary

Wire the already-provisioned Freighter Mobile Release GitHub App into new-release.yml. Today the workflow opens release PRs with the default GITHUB_TOKEN, which doesn't trigger CI — so we manually push empty commits to kick off tests. Ops has finished their part (stellar/ops#4514): the App is installed and its RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY credentials are in the repo. This is the small follow-up to consume that token in three spots (token step → checkout → both PR-creation steps), mirroring the existing Match pattern in ios.yml. Outcome: release & bump-version PRs auto-run unit + e2e tests, no manual workaround.


Background

The new-release.yml workflow creates PRs and pushes branches using the default GITHUB_TOKEN. Due to a GitHub limitation, events created by GITHUB_TOKEN don't trigger other workflows — so the release/version-bump PRs opened by this workflow don't kick off unit tests (test.yml) or e2e tests (ios-e2e.yml, android-e2e.yml). Today we work around this by manually pushing empty commits.

A GitHub App installation token bypasses this limitation. We already use this pattern for Fastlane Match in ios.yml (MATCH_GITHUB_APP_ID / actions/create-github-app-token).

Ops dependency (done ✅)

Ops has completed stellar/ops#4514 — the Freighter Mobile Release GitHub App has been created, installed on freighter-mobile, and the credentials are available in this repo's Actions secrets/variables:

| Type     | Name                    |
|----------|-------------------------|
| Variable | RELEASE_APP_ID          |
| Secret   | RELEASE_APP_PRIVATE_KEY |

This issue tracks consuming those credentials in our workflow.

Scope of work

Update new-release.yml to mint and use a GitHub App installation token.

A) Generate the App token — new step, placed after "Validate and normalize app version" / before "Checkout repository":

```yaml
- name: Generate release automation token
  id: release-token
  uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
  with:
    app-id: ${{ vars.RELEASE_APP_ID }}
    private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
    owner: stellar
    repositories: freighter-mobile
```

B) Use the token for checkout — so the subsequent git push steps push with the App token:

```yaml
- name: Checkout repository
  uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
  with:
    token: ${{ steps.release-token.outputs.token }}
    fetch-depth: 0
    fetch-tags: true
    persist-credentials: true
```

C) Use the token for PR creation — so pull_request: opened triggers the test workflows. Add github-token to both actions/github-script PR-creation steps:

  • Create pull request (release → version PR)
  • Create bump-version pull request

```yaml
  with:
    github-token: ${{ steps.release-token.outputs.token }}
    script: |
      // ... existing PR creation code unchanged
```

Acceptance criteria

  • Release PR and bump-version PR opened by new-release.yml automatically trigger test.yml, ios-e2e.yml, and android-e2e.yml.
  • Branch pushes from the workflow use the App token (no manual empty-commit workaround needed).
  • No regression in the existing release flow (branch creation, version bump, dev build dispatch).
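
One way to check the wiring from A to C before merging, as an added example that is not part of this issue or the repository: a small audit that flags a checkout or PR-creation step still on the default token, and any action not pinned to a commit SHA. The function name `audit_workflow`, the line-based step splitting, and the sample workflow (including its placeholder SHA for `actions/github-script`) are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed workflow with the bump-version PR step left unwired.
SAMPLE = """\
steps:
  - name: Generate release automation token
    id: release-token
    uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
    with:
      app-id: ${{ vars.RELEASE_APP_ID }}
      private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
  - name: Checkout repository
    uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
    with:
      token: ${{ steps.release-token.outputs.token }}
  - name: Create pull request
    uses: actions/github-script@0000000000000000000000000000000000000000 # placeholder SHA
    with:
      github-token: ${{ steps.release-token.outputs.token }}
      script: "// PR creation"
  - name: Create bump-version pull request
    uses: actions/github-script@v7
    with:
      script: "// PR creation"
"""

PR_STEPS = {"Create pull request", "Create bump-version pull request"}
TOKEN_KEY = {"actions/checkout": "token", "actions/github-script": "github-token"}

def audit_workflow(text):
    """Return findings for steps that miss the App token or use an unpinned action."""
    findings, minted = [], None
    # Split into per-step chunks on "- name:" (line-based; assumes every step is named).
    for step in re.split(r"(?m)^\s*- name:\s*", text)[1:]:
        name = step.splitlines()[0].strip()
        uses = re.search(r"(?m)^\s*uses:\s*(\S+)", step)
        action, _, ref = (uses.group(1) if uses else "").partition("@")
        if uses and not re.fullmatch(r"[0-9a-f]{40}", ref):
            findings.append(f"{name}: {action} not pinned to a commit SHA")
        if action == "actions/create-github-app-token":
            step_id = re.search(r"(?m)^\s*id:\s*(\S+)", step)
            minted = step_id.group(1) if step_id else None
        key = TOKEN_KEY.get(action)
        if key and (action == "actions/checkout" or name in PR_STEPS):
            want = f"{key}: ${{{{ steps.{minted}.outputs.token }}}}"
            if want not in step:
                findings.append(f"{name}: {key} does not use the App token")
    return findings
```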

Labels: enhancement