
General: Use GitHub App for release push instead of default token #566

Merged: d4rken merged 1 commit into main from chore/release-prepare-app-token on May 1, 2026

Conversation

@d4rken (Member) commented May 1, 2026

What changed

No user-facing behavior change. Switches release-prepare.yml's push-and-dispatch job from the default GITHUB_TOKEN to a GitHub App token. The App (d4rken-org-releaser) is added as a bypass actor in the repo's main-branch and tag rulesets, so the bump commit and tag push go through without loosening protections for human users.

Technical Context

  • The default GITHUB_TOKEN can't be added as a bypass actor in the rulesets picker on personal/org repos — only installed GitHub Apps appear there. So the App is what makes the bypass possible cleanly.
  • App-minted tokens auto-expire in 1 hour (vs. a long-lived PAT). No personal credentials involved.
  • The App is owned by the org and reusable across all 8 d4rken-org Android apps — install + add to each repo's rulesets' bypass lists, then the same workflow snippet works everywhere.
  • Job 1 still uses the ambient GITHUB_TOKEN (read-only); only Job 2 mints the App token (only step with side effects).
  • Bot identity for git config is resolved at runtime via gh api /app and /users/<slug>%5Bbot%5D rather than hardcoding — robust to future App rename.
  • permissions: on Job 2 reduced to contents: read since the workflow's GITHUB_TOKEN no longer does any privileged operations.
  • Action pinned to SHA per existing convention: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1.

Prerequisites (already done by the maintainer)

  • App created at org level, installed on capod
  • Org secrets RELEASE_APP_ID and RELEASE_APP_PRIVATE_KEY configured
  • App added as bypass actor to both rulesets

Review checklist

  • Confirm the App's bot identity resolves correctly on the next dry_run=true run (the "Resolve bot identity" step prints the slug + email)
  • After merge, dispatch with dry_run=false to verify the App token actually allows the push through both rulesets

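The workflow shape the description lays out, as an added example rather than the capod project's own release-prepare.yml: job 1 stays read-only on the ambient GITHUB_TOKEN, job 2 keeps `permissions: contents: read` for GITHUB_TOKEN, mints a short-lived App installation token with the SHA-pinned action named above, resolves the bot login and id at runtime, and pushes the bump commit and tag with that token. The `dry_run` input, job names, checkout pins, the placeholder version-bump logic and the `VERSION` file are assumptions; the dispatch half of the job is omitted. The example reads the slug from the action's `app-slug` output (available in v2 and later of that action) instead of calling `gh api /app` as the PR does.

```yaml
# Added example, not the project's own workflow file. Pins marked <pin-to-sha>
# are placeholders; the release action pin and secret names come from the PR.
name: release-prepare

on:
  workflow_dispatch:
    inputs:
      dry_run:
        description: "Resolve identity and compute the bump, but push nothing"
        type: boolean
        default: true

# Nothing granted at workflow level; each job declares only what it needs.
permissions: {}

jobs:
  # Job 1: read-only work using the ambient GITHUB_TOKEN.
  prepare:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      version: ${{ steps.bump.outputs.version }}
    steps:
      - uses: actions/checkout@<pin-to-sha> # placeholder: pin to a commit SHA
      - id: bump
        # Placeholder bump logic; a real project derives this from its version file.
        run: echo "version=$(date -u +%Y.%m.%d)" >> "$GITHUB_OUTPUT"

  # Job 2: the only job with side effects. GITHUB_TOKEN stays read-only; the
  # App installation token (auto-expires after 1 hour) does the privileged push.
  push-and-dispatch:
    needs: prepare
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Mint App installation token
        id: app-token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

      # Check out with the App token so the later push authenticates as the
      # ruleset bypass actor rather than as github-actions[bot].
      - uses: actions/checkout@<pin-to-sha> # placeholder: pin to a commit SHA
        with:
          token: ${{ steps.app-token.outputs.token }}

      # Resolve login and numeric id at runtime instead of hardcoding them,
      # so a future App rename does not break commit attribution.
      - name: Resolve bot identity
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
        run: |
          set -euo pipefail
          bot_login="${APP_SLUG}[bot]"
          bot_id="$(gh api "/users/${APP_SLUG}%5Bbot%5D" --jq .id)"
          bot_email="${bot_id}+${bot_login}@users.noreply.github.com"
          git config user.name "${bot_login}"
          git config user.email "${bot_email}"
          echo "Committing as ${bot_login} <${bot_email}>"

      - name: Commit and push the version bump
        if: ${{ !inputs.dry_run }}
        env:
          VERSION: ${{ needs.prepare.outputs.version }}
        run: |
          set -euo pipefail
          # Placeholder edit; the real job rewrites the project's version file.
          echo "${VERSION}" > VERSION
          git add VERSION
          git commit -m "chore: bump to ${VERSION}"
          git tag "v${VERSION}"
          # Both pushes are evaluated against the main-branch and tag rulesets
          # and succeed only because the App is listed as a bypass actor there.
          git push origin HEAD:main
          git push origin "v${VERSION}"
```

Running this with `dry_run=true` exercises token minting and the identity step (which prints the slug and noreply email) without touching the repository, which is the check the review checklist asks for before a real `dry_run=false` dispatch. Because the workflow-level `permissions: {}` grants nothing and job 2 only asks for `contents: read`, a compromised step in either job cannot write with GITHUB_TOKEN; the only write-capable credential is the App token, scoped to the installation and gone within the hour.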
d4rken merged commit 02278da into main on May 1, 2026 (11 checks passed) and deleted the chore/release-prepare-app-token branch on May 1, 2026 at 06:50.