fix(ci): use AUTO_SYNC_TOKEN for auto-sync main->staging (Class D)

Same shape as molecule-controlplane#29: per-job GITHUB_TOKEN
doesn't have the Gitea API permissions to open PRs / push branches
the auto-sync flow needs. AUTO_SYNC_TOKEN is the devops-engineer
persona PAT (per saved memory feedback_per_agent_gitea_identity_default).

Companion prod ops (already done):
- devops-engineer added as collaborator on molecule-core (write)
- devops-engineer added to staging branch protection push_whitelist
- AUTO_SYNC_TOKEN registered as Actions secret on molecule-core

.github/workflows/auto-sync-main-to-staging.yml

@@ -103,7 +103,7 @@ jobs:
         with:
           fetch-depth: 0
           ref: staging
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.AUTO_SYNC_TOKEN }}
 
       - name: Configure git author
         run: |
@@ -174,7 +174,7 @@ jobs:
       - name: Open auto-sync PR + enable auto-merge
         if: steps.check.outputs.needs_sync == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.AUTO_SYNC_TOKEN }}
           BRANCH: ${{ steps.check.outputs.branch }}
           MAIN_SHORT: ${{ steps.check.outputs.main_short }}
           DID_FF: ${{ steps.prep.outputs.did_ff }}