[Changelog]Use isaaclab-bot GitHub App token for nightly changelog push

[hujc7]

Why

Develop's branch ruleset requires 18 status checks and 1 approval before any push. The nightly compile workflow (#5482) was authenticated with GITHUB_TOKEN (identity github-actions[bot]), which has neither the bypass entitlement nor a way to satisfy approvals. Result: the cron pushed cleanly until it hit develop, then failed with protected branch hook declined — fragments accumulate, no auto-bump happens.

Confirmed failure: https://github.com/isaac-sim/IsaacLab/actions/runs/25419200769

What this PR does

Switches the workflow's checkout/push token to a short-lived installation access token minted from the isaaclab-bot GitHub App (created by @kellyguo11 and added to develop's ruleset bypass list).

Change	Effect
Add actions/create-github-app-token@v3.1.1 step (SHA-pinned)	Mints a 1-hour installation token from CHANGELOG_APP_ID + CHANGELOG_APP_PRIVATE_KEY repo secrets.
actions/checkout token: app-token instead of GITHUB_TOKEN	Push is signed by isaaclab-bot[bot] — the bypass identity. Lands without satisfying required-checks / required-approval.
git config user.{name,email} updated to isaaclab-bot[bot]	Auto-commits attribute to the bot user in the GitHub UI.
Workflow permissions: contents: write → contents: read	The App token carries write access; GITHUB_TOKEN only needs read. Tightens least-privilege.
Header comment rewritten	Documents the App-token model + bypass requirement.

Side benefit: triggers downstream workflows

GITHUB_TOKEN-signed pushes don't trigger downstream workflows by design (loop guard). App-token-signed pushes are treated as external pushes and DO trigger downstream CI — so docs / Docker rebuild jobs fire on the auto-commit naturally, no separate PAT required.

Setup status

Already done by maintainers:

• isaaclab-bot GitHub App created with contents: write permission
• App installed on isaac-sim/IsaacLab
• App added to develop's ruleset bypass actor list
• Repo secrets CHANGELOG_APP_ID and CHANGELOG_APP_PRIVATE_KEY set

Test plan

• PR diff is YAML-only, no code changes.
• After merge: manually trigger via gh workflow run "Nightly Changelog Compilation" --repo isaac-sim/IsaacLab and verify the push lands and the bot user shows as the commit author on https://github.com/isaac-sim/IsaacLab/commits/develop.
• Confirm the next 5 AM UTC cron sweeps the accumulated fragment backlog (~22 fragments at last count).

cc @kellyguo11

[greptile-apps]

Greptile Summary

This PR replaces the nightly changelog workflow's push authentication from a GITHUB_TOKEN/CHANGELOG_PAT fallback chain with a short-lived GitHub App installation credential minted from isaaclab-bot, which is on develop's branch-ruleset bypass list — resolving the protected branch hook declined failures that blocked the auto-commit.

• App token step added (actions/create-github-app-token@v3.1.1, SHA-pinned): mints a 1-hour installation credential before checkout; the token is scoped to the current repository only (default when owner and repositories inputs are omitted), and checkout passes it along so all subsequent git push calls are signed as isaaclab-bot[bot].
• Permissions tightened: workflow-level contents permission dropped from write to read since the App credential carries its own write access; git commit author updated to match the bot identity (282401363+isaaclab-bot[bot]@users.noreply.github.com).
• Downstream CI side-effect: App-credential-signed pushes are treated as external pushes by GitHub, so Docker/docs rebuild jobs fire naturally without a separate PAT.

Confidence Score: 4/5

Safe to merge; the YAML-only change correctly threads the App credential through checkout and push, and the permission reduction is a net improvement.

The core flow is sound and the SHA-pinned action is correctly configured. The removal of the previous graceful fallback is the one area worth a second look — a misconfigured App or deleted credential now aborts the entire job before checkout, silently piling up changelog fragments until someone notices the cron failures.

.github/workflows/nightly-changelog.yml — focus on the new create-github-app-token step and whether a credential-minting failure should abort or degrade gracefully.

Important Files Changed

Filename	Overview
.github/workflows/nightly-changelog.yml	Switches nightly changelog push auth from GITHUB_TOKEN/PAT fallback to a GitHub App installation token; reduces workflow-level GITHUB_TOKEN permissions to read-only; updates git commit author identity to isaaclab-bot[bot].

Sequence Diagram

sequenceDiagram
    participant Cron as Cron / workflow_dispatch
    participant Runner as GitHub Actions Runner
    participant AppAction as create-github-app-token action
    participant BotApp as isaaclab-bot GitHub App
    participant Checkout as actions/checkout
    participant Branch as develop branch

    Cron->>Runner: Trigger nightly-changelog workflow
    Runner->>AppAction: App ID + Private Key credentials
    AppAction->>BotApp: Request 1-hour installation access credential
    BotApp-->>AppAction: Installation access credential (1h TTL)
    AppAction-->>Runner: Credential stored as step output
    Runner->>Checkout: "ref=develop, using bot credential"
    Checkout->>Branch: git clone with full history
    Runner->>Runner: Compile changelog fragments via cli.py
    alt Fragments exist and not dry-run
        Runner->>Runner: git commit as isaaclab-bot[bot]
        Runner->>Branch: git push origin HEAD:develop
        Note over Branch: Bot is bypass actor - no review gates required
        Branch-->>Runner: Push accepted
        Runner->>Runner: Downstream CI triggered naturally
    else No fragments or dry-run mode
        Runner->>Runner: Skip commit and push
    end

Loading

_{Reviews (1): Last reviewed commit: "Mint isaaclab-bot App token for nightly ..." | Re-trigger Greptile}