fix: use release app for npm version finalization #42
Note: Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 632f4c675f
| app-id: ${{ secrets.RELEASE_APP_ID || secrets.CHANGELOG_APP_ID }} | ||
| private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY || secrets.CHANGELOG_APP_PRIVATE_KEY }} |
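Review bot: The || fallbacks on app-id and private-key are evaluated independently, so a caller that sets RELEASE_APP_ID without RELEASE_APP_PRIVATE_KEY (or the reverse) passes one app's ID together with the other app's private key, and the mismatched pair cannot authenticate. Select the credentials as a pair: use the RELEASE_APP_* values only when both are set, and otherwise take both CHANGELOG_APP_* values or skip the token step entirely.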
Fall back to github.token when release app is absent
When a caller provides only the existing CHANGELOG_APP_* secrets, this mints a changelog-app token and the later checkout, tag creation, and release edits all use steps.release-token.outputs.token instead of github.token. That breaks the stated compatibility path for repos without RELEASE_APP_*, and it can make finalization fail for protected v* tags when the changelog app is scoped only for changelog PRs rather than release/tag writes. Prefer minting this token only from a complete RELEASE_APP_* pair and let missing release credentials keep the github.token fallback.
Use an optional release GitHub App token for npm version finalization writes.
This keeps the reusable workflow compatible with protected v* tag rulesets: the finalizer mints a repository-scoped app token when release app credentials are inherited, then uses it for tag creation and GitHub release staging/publishing. Repos without release app credentials continue to fall back to GITHUB_TOKEN.
Local checks:
- actionlint .github/workflows/npm-version-finalize.yml .github/workflows/npm-version-preflight.yml
- git diff --check
CC on behalf of @jan-kubica