- Improvement
- Resolution: Unresolved
- Critical
- None
Apologies if I've missed this issue, I did search.
Currently, in order to use the GitHub plugin, a user must supply their personal access token. However, those tokens are designed to be personal, so whenever the person whose token it is leaves our company, we break Jenkins' connection to GitHub and it takes us a while to understand why.
GitHub apps should give the access that is required but they do require an extra step of generating a JWT before calling the API. https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app
The secret could then be the private key of the app in a valid form (other than text) and then the GitHub Plugin could detect which is being used in https://github.com/jenkinsci/github-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github/config/GitHubServerConfig.java#L288 and perform the extra JWT step if required.
Other changes will likely be required too since the JWT has a limited lifespan.
- duplicates
- JENKINS-69451 Jenkins Github-plugin GithubApp support
- Open
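
The extra JWT step described in this issue, as an added example that is not code from the GitHub plugin or from the reporter: it tells a PEM private key apart from a token, signs a short-lived RS256 JWT with the `iat`, `exp` and `iss` claims from the linked GitHub documentation, and checks the signature. The class name, the `isAppPrivateKey` detection rule, the app ID `123456` and the throwaway key generated in `main` are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.Instant;
import java.util.Base64;

public class GitHubAppJwtExample {
    static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // Hypothetical detection rule: a PKCS#8 PEM header means "app key", anything else is a token.
    static boolean isAppPrivateKey(String secret) {
        return secret.trim().startsWith("-----BEGIN PRIVATE KEY-----");
    }

    // Parses unencrypted PKCS#8 PEM; a PKCS#1 "BEGIN RSA PRIVATE KEY" file needs converting first.
    static PrivateKey parsePem(String pem) throws GeneralSecurityException {
        String b64 = pem.replaceAll("-----(BEGIN|END) PRIVATE KEY-----|\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // RS256 JWT: iat backdated 60 s for clock drift, exp 9 min ahead (GitHub allows at most 10).
    static String createJwt(String appId, PrivateKey key, Instant now) throws GeneralSecurityException {
        long t = now.getEpochSecond();
        String claims = String.format("{\"iat\":%d,\"exp\":%d,\"iss\":\"%s\"}", t - 60, t + 540, appId);
        String input = b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." + b64(claims);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(input.getBytes(StandardCharsets.US_ASCII));
        return input + "." + B64URL.encodeToString(sig.sign());
    }

    static String b64(String s) { return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    public static void main(String[] args) throws Exception {
        // Constructed throwaway key standing in for the stored app private key credential.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        String secret = "-----BEGIN PRIVATE KEY-----\n"
                + Base64.getMimeEncoder().encodeToString(pair.getPrivate().getEncoded())
                + "\n-----END PRIVATE KEY-----\n";
        if (!isAppPrivateKey(secret)) return; // personal access token: used as-is, no JWT step
        String jwt = createJwt("123456", parsePem(secret), Instant.now()); // 123456: placeholder app ID
        Signature v = Signature.getInstance("SHA256withRSA"); // check the result with the public key
        v.initVerify(pair.getPublic());
        v.update(jwt.substring(0, jwt.lastIndexOf('.')).getBytes(StandardCharsets.US_ASCII));
        System.out.println(v.verify(Base64.getUrlDecoder().decode(jwt.substring(jwt.lastIndexOf('.') + 1))));
    }
}
```

Because the JWT expires within minutes, a caller would mint a fresh one per use or shortly before `exp`, and keep both the key and the JWT out of logs and job output.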