Migrate from tibdex/github-app-token to actions/create-github-app-token

### What problem does your feature solve?

The [`tibdex/github-app-token`](https://github.com/tibdex/github-app-token) action used in `update-completed-sprint-on-issue-closed.yml` workflows across stellar org repos is a third-party action, but it has its version as a branch/tag instead of a SHA. Also the action is archived and has in its README a statement directing users to migrate to `actions/create-github-app-token`.

Per [GitHub's security hardening documentation](https://docs.github.com/en/actions/reference/security/secure-use), third-party actions should be pinned to a full-length commit SHA rather than a tag, because tags can be moved or deleted if a bad actor gains access to the repository. A compromise of a single action within a workflow can be significant, as the compromised action would have access to all secrets configured on the repository.

### What would you like to see?

Migrate all stellar org repos to use `actions/create-github-app-token@v1`, GitHub's official first-party alternative. Using the official action removes the need for SHA pinning since GitHub-maintained actions are trusted and verified.

**Affected public repos (20):**
- [stellar/go-stellar-sdk](https://github.com/stellar/go-stellar-sdk) https://github.com/stellar/go-stellar-sdk/pull/5894
- [stellar/js-stellar-sdk](https://github.com/stellar/js-stellar-sdk) https://github.com/stellar/js-stellar-sdk/pull/1316
- [stellar/helm-charts](https://github.com/stellar/helm-charts) https://github.com/stellar/helm-charts/pull/146
- [stellar/soroban-example-dapp](https://github.com/stellar/soroban-example-dapp) https://github.com/stellar/soroban-example-dapp/pull/174
- [stellar/js-stellar-base](https://github.com/stellar/js-stellar-base) https://github.com/stellar/js-stellar-base/pull/830
- [stellar/stellar-rpc](https://github.com/stellar/stellar-rpc) https://github.com/stellar/stellar-rpc/pull/580
- [stellar/stellar-galexie](https://github.com/stellar/stellar-galexie) https://github.com/stellar/stellar-galexie/pull/55
- [stellar/stellar-horizon](https://github.com/stellar/stellar-horizon) https://github.com/stellar/stellar-horizon/pull/146
- [stellar/system-test](https://github.com/stellar/system-test) https://github.com/stellar/system-test/pull/151
- [stellar/friendbot](https://github.com/stellar/friendbot) https://github.com/stellar/friendbot/pull/41

Private repos using this workflow also need updating.

**Change required in each repo:**
```diff
- uses: tibdex/github-app-token@v1
+ uses: actions/create-github-app-token@v1
```

### What alternatives are there?

Pin `tibdex/github-app-token` to a full-length commit SHA instead of a tag version.

cc @stellar/platform-eng @stellar/enterprise-eng 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Migrate from tibdex/github-app-token to actions/create-github-app-token #93

What problem does your feature solve?

What would you like to see?

What alternatives are there?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Migrate from tibdex/github-app-token to actions/create-github-app-token #93

Description

What problem does your feature solve?

What would you like to see?

What alternatives are there?

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions