workflows/release-asset-audit: Use a GitHub app token (#194085)

This removes one user of the ISSUE_SUBSCRIBER_TOKEN secret, which we
want to eventually remove since secrets are more difficult to maintain.
This also allows use to scope the token with less permissions since it
isn't shared with other workflows.

.github/workflows/release-asset-audit.yml

@@ -61,10 +61,18 @@ jobs:
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: comment
+      - id: app-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3  # v3.1.1
+        with:
+          client-id: ${{ secrets.LLVM_TOKEN_GENERATOR_CLIENT_ID }}
+          private-key: ${{ secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          permission-contents: read
+          permission-issues: write
       - name: "File Issue"
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
-          github-token: ${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             var fs = require('fs');
             var body = ''