
ci(cmd-bot): post PR comments via the App token, not GITHUB_TOKEN#246

Merged
ilchu merged 2 commits into dev from ic/cmd-bot-app-token-comments on Jun 29, 2026

Conversation

@ilchu ilchu commented Jun 26, 2026 (Collaborator)
Problem

Every non-quiet /cmd run currently dies at its first step. The cmd-run.yml jobs comment/react on the PR using secrets.GITHUB_TOKEN, and that token gets HTTP 403 "Resource not accessible by integration" on POST /repos/.../issues/{n}/comments — even though the repo's Actions workflow-permissions setting reads write. So before-cmd → Comment PR (Start) fails, the cmd (e.g. bench) step is skipped, and the only visible signal is the 👀 acknowledgement reaction (the failure comment 403s too).

Evidence: the same workflow commented successfully on a PR as recently as Jun 13 (run 27460868652, PR #172), then began 403ing (Jun 17, Jun 26). The repo token setting is write, yet runs still 403 — i.e. the cap is at the org level (a policy override the repo setting can't relax), applied in that window.

Fix

Route the comment + reaction steps in before-cmd, after-cmd, and finish through the CMD_BOT GitHub App token (scoped to issues + pull-requests: write) instead of GITHUB_TOKEN. This is the same App token already used for the result push in after-cmd, which works precisely because an App token's scope comes from the App installation and isn't subject to the org GITHUB_TOKEN cap. The read-only "Build workflow link" curl keeps using GITHUB_TOKEN.

Prerequisites / notes

  • The CMD_BOT App installation must grant issues + pull-requests: write (it already grants contents: write for the push). If it doesn't, the new create-github-app-token steps will fail at token generation and need that scope added in the App settings.
  • /cmd dispatches cmd-run.yml from the cmd-bot branch (gh workflow run --ref cmd-bot), so this change only takes effect for live runs once it reaches cmd-bot via the usual dev → cmd-bot sync.
  • Workflow changes can't be exercised pre-merge (the dispatch input contract requires the default-branch/cmd-bot copy), so this hasn't been run end-to-end.

The /cmd dispatcher's before-cmd / after-cmd / finish jobs comment and react on
the PR using `secrets.GITHUB_TOKEN`. That token is capped read-only by org
policy — the repo's workflow-permissions setting reads "write", yet runs still
get HTTP 403 "Resource not accessible by integration" on
`POST /issues/{n}/comments`. So every non-quiet /cmd run dies at the first step
("Comment PR (Start)") before the command itself runs, and only the 👀 reaction
ever appears (the failure comment 403s too).

Route the comment + reaction steps through the CMD_BOT GitHub App token (scoped
to issues + pull-requests write) — the same App token already used for the push
in after-cmd, which works precisely because it is not subject to the org
GITHUB_TOKEN cap. The read-only "Build workflow link" curl keeps GITHUB_TOKEN.

Prerequisite: the CMD_BOT App installation must grant issues + pull-requests
write (it already grants contents write for the push). To take effect for live
/cmd runs this must also reach the `cmd-bot` branch the dispatch runs from
(via the usual dev -> cmd-bot sync).
@ilchu ilchu self-assigned this Jun 26, 2026
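The shape of the fix described above, as an added GitHub Actions example. This is not the project's cmd-run.yml: the secret names (CMD_BOT_APP_ID, CMD_BOT_PRIVATE_KEY), the dispatch inputs (pr_num, comment_id), the step names and the comment text are assumptions. What it shows is the division the PR describes: the job's GITHUB_TOKEN kept read-only, an installation token minted from the CMD_BOT App with actions/create-github-app-token and narrowed to issues + pull-requests write, and the comment and reaction writes going through that token while the read-only run-URL lookup stays on GITHUB_TOKEN.

```yaml
# Added example, not the project's cmd-run.yml. Secret names and dispatch
# inputs are assumed; the create-github-app-token inputs are the ones the
# action documents (app-id, private-key, permission-<scope>).
name: cmd-run

on:
  workflow_dispatch:
    inputs:
      pr_num:
        description: PR number to comment on
        required: true
      comment_id:
        description: ID of the /cmd comment to react to
        required: true

jobs:
  before-cmd:
    runs-on: ubuntu-latest
    # GITHUB_TOKEN is only used for the read-only run lookup below, so ask
    # for nothing more than that. No write goes through it.
    permissions:
      actions: read
    steps:
      # Mint an installation token from the CMD_BOT App. The installation's
      # grants are the ceiling; the permission-* inputs narrow this particular
      # token to what the comment/reaction steps need (no contents: write here,
      # even though the installation grants it for the result push elsewhere).
      # If the installation lacks issues or pull-requests write, this step is
      # where the run fails.
      - name: Generate App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.CMD_BOT_APP_ID }}           # assumed secret name
          private-key: ${{ secrets.CMD_BOT_PRIVATE_KEY }} # assumed secret name
          permission-issues: write
          permission-pull-requests: write

      # Read-only: GITHUB_TOKEN is sufficient, so keep it here.
      - name: Build workflow link
        id: link
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          url=$(gh api "repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" --jq .html_url)
          echo "url=${url}" >> "$GITHUB_OUTPUT"

      # Writes use the App token. With GITHUB_TOKEN these are the calls that
      # returned 403 "Resource not accessible by integration".
      - name: Comment PR (Start)
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          PR_NUM: ${{ inputs.pr_num }}
          RUN_URL: ${{ steps.link.outputs.url }}
        run: |
          gh api --method POST \
            "repos/${GITHUB_REPOSITORY}/issues/${PR_NUM}/comments" \
            -f body="Command started: ${RUN_URL}"

      - name: React to command comment
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          COMMENT_ID: ${{ inputs.comment_id }}
        run: |
          gh api --method POST \
            "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}/reactions" \
            -f content=eyes
```

Two points worth keeping when adapting this. The token is narrowed per job: after-cmd needs contents write for its push, the comment jobs do not, so each job should mint its own token with only the permission-* inputs it uses rather than sharing one broad token through job outputs. And because the App token is produced by the step, a failure to generate it (installation missing a requested scope) surfaces before any comment attempt, which is the early, visible failure mode the prerequisites note above describes; a silent 403 on GITHUB_TOKEN was the problem this PR is fixing.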

@danielbui12 danielbui12 left a comment (Member)

For cmd-run.yml changes, you can manually verify with the CLI below, then post the result!

  gh workflow run cmd-run.yml \
    --ref <YOUR_BRANCH_NAME> \
    -f cmd="${CMD}" \
    -f repo="${REPO}" \
    -f pr_branch="${PR_BRANCH}" \
    -f pr_num="${PR_NUMBER}" \
    -f runner="${RUNNER}" \
    -f is_org_member="${IS_ORG_MEMBER}" \
    -f comment_id="${COMMENT_ID}" \
    -f image="${IMAGE}" \
    -f is_quiet="${IS_QUIET}"

Reminder: also merge the cmd-run related changes to the cmd-bot branch after this PR is merged.

@ilchu ilchu commented Jun 29, 2026 (Collaborator, Author)

Manually verified by dispatching this branch's cmd-run.yml per the suggested CLI (gh workflow run cmd-run.yml --ref ic/cmd-bot-app-token-comments … -f is_quiet=false): run 28356077303.

All App-token comment/reaction steps pass (these 403'd on GITHUB_TOKEN before):

  • before-cmd: Generate App token ✅ → Comment PR (Start) ✅
  • finish: Generate App token ✅ → Comment PR (Failure) ✅ → 😕 reaction ✅

The bot posted the start/failure comments on this PR (throwaway test comments, since deleted). The cmd job failure is expected — I passed an intentionally-invalid command (verify-app-token-fix) so it fails fast without running a bench or pushing; only the comment/reaction steps (what this PR changes) matter, and they all pass. App-token generation succeeding also confirms the CMD_BOT App already grants issues + pull-requests write, so no App-installation change is needed.

Reminder per review: this also needs mirroring to the cmd-bot branch after merge, since /cmd dispatches cmd-run.yml from there.

@ilchu ilchu added this pull request to the merge queue Jun 29, 2026
Merged via the queue into dev with commit eb3d541 Jun 29, 2026
38 checks passed
@ilchu ilchu deleted the ic/cmd-bot-app-token-comments branch June 29, 2026 09:38
@bkontur bkontur commented Jun 29, 2026 (Collaborator)

Why 😕 here: #125 (comment)?


:D :D could be related to this PR?

@danielbui12 danielbui12 commented (Member)

@bkontur it is :D https://github.com/paritytech/web3-storage/actions/runs/28356077303/job/83999454192
