[ci] codeowner-review-request: mint least-privilege App token (#16351)

.github/workflows/codeowner-review-request.yml

@@ -17,9 +17,10 @@ on:
       - release
       - beta
 
+# PR/review writes (requestReviewers, issues.createComment) are performed with the App token minted below,
+# so the workflow's GITHUB_TOKEN only needs read access for checkout.
 permissions:
-  pull-requests: write
-  contents: read
+  contents: read  # actions/checkout to read CODEOWNERS and the shared codeowners.js helper
 
 jobs:
   request-codeowner-reviews:
@@ -32,9 +33,20 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.base.sha }}
 
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        with:
+          client-id: ${{ vars.ESPHOME_GITHUB_APP_CLIENT_ID }}
+          private-key: ${{ secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY }}
+          # Scope the minted App token to the minimum needed by the github-script step below.
+          permission-pull-requests: write  # pulls.listFiles, pulls.get, pulls.listReviews, pulls.requestReviewers
+          permission-issues: write         # issues.listComments and issues.createComment (PR comments use the issues API)
+
       - name: Request reviews from component codeowners
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
+          github-token: ${{ steps.generate-token.outputs.token }}
           script: |
             const { loadCodeowners, getEffectiveOwners } = require('./.github/scripts/codeowners.js');