update github action to use github app #369

Open
mmattu-wd wants to merge 2 commits into main from fix/use-flowise-publish-bot

@mmattu-wd
Contributor

Summary

  • Replace secrets.PAT_GITHUB with a scoped GitHub App installation token (flowise-publish-bot) in the publish workflow for improved security and auditability
  • Update git commit identity from GitHub PAT identity to flowise-publish-bot[bot] so version bump commits are attributed to the bot

Why
A long-lived PAT has broad user-level scope and never expires. A GitHub App installation token is scoped to only FlowiseChatEmbed and FlowiseEmbedReact, expires after 1 hour, and auto-rotates per job — significantly reducing blast radius if credentials are ever exposed. Currently, because we have to go between the 2 repos, we could either have a GHA in each repo that is triggered once one is complete (high complexity) or use a user-scoped PAT, which would mean that the PR creation would be under the user's identity.

Prerequisites

  • flowise-publish-bot GitHub App installed on FlowiseAI org with access to both FlowiseChatEmbed and FlowiseEmbedReact
  • App has contents: write and pull_requests: write permissions
  • FLOWISE_BOT_APP_ID and FLOWISE_BOT_PRIVATE_KEY secrets configured
  • Remove if: Will remove after dry run has been tested

Test plan

  • Trigger the workflow via manual trigger with a patch bump and verify the dry-run job succeeds (builds, dry-run publishes, summary renders)
  • Approve the npm-publish environment gate and verify the publish job succeeds end-to-end
  • Confirm version bump PRs are created in both repos and attributed to flowise-publish-bot[bot]
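
As an added illustration (not the workflow file from this pull request), a publish job that swaps the PAT for an App installation token could look like the sketch below. It assumes the `actions/create-github-app-token` action, and the workflow, job and step names are hypothetical; the secret, org and repository names are the ones listed in the description.

```yaml
# Added example: hypothetical publish job, not the workflow changed in this PR.
name: publish-sketch
on: workflow_dispatch

permissions:
  contents: read   # built-in GITHUB_TOKEN stays read-only; writes use the app token

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # Before: long-lived, user-scoped PAT.
      # - uses: actions/checkout@v4
      #   with:
      #     token: ${{ secrets.PAT_GITHUB }}

      # After: mint a short-lived installation token limited to the two repos.
      - name: Mint installation token
        id: app-token
        uses: actions/create-github-app-token@v1   # assumption: the PR may use another action
        with:
          app-id: ${{ secrets.FLOWISE_BOT_APP_ID }}
          private-key: ${{ secrets.FLOWISE_BOT_PRIVATE_KEY }}
          owner: FlowiseAI
          repositories: FlowiseChatEmbed,FlowiseEmbedReact

      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      - name: Set commit identity to the bot
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          SLUG: ${{ steps.app-token.outputs.app-slug }}
        run: |
          # Bot noreply address has the form <user id>+<slug>[bot]@users.noreply.github.com
          BOT_ID="$(gh api "/users/${SLUG}[bot]" --jq .id)"
          git config user.name "${SLUG}[bot]"
          git config user.email "${BOT_ID}+${SLUG}[bot]@users.noreply.github.com"
```

The token can never exceed what the App installation itself was granted, so the `contents: write` and `pull_requests: write` permissions from the prerequisites remain the upper bound even if the workflow is modified.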

@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.