ci: add GitHub App token support for release-please

Enables optional GitHub App auth for branch protection bypass:
- Falls back to GITHUB_TOKEN if APP_ID/APP_PRIVATE_KEY not set
- Controlled via USE_APP_TOKEN repository variable

Author: 27Bslash6

.github/workflows/release-please.yml

@@ -17,13 +17,23 @@ jobs:
       tag_name: ${{ steps.release.outputs.tag_name }}
       version: ${{ steps.release.outputs.version }}
     steps:
+      # Use GitHub App for token vending (avoids branch protection issues with GITHUB_TOKEN)
+      # If APP_ID/APP_PRIVATE_KEY not set, falls back to GITHUB_TOKEN
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        if: ${{ vars.USE_APP_TOKEN == 'true' }}
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: Run release-please
         id: release
         uses: googleapis/release-please-action@v4
         with:
           manifest-file: .release-please-manifest.json
           config-file: release-please-config.json
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
 
   build-wheels:
     name: Build wheels (${{ matrix.target }})