chore(deps): bump the github-actions group across 1 directory with 2 updates

[dependabot]

Bumps the github-actions group with 2 updates in the / directory: getsentry/github-workflows and actions/create-github-app-token.

Updates getsentry/github-workflows from 3.3.0 to 3.4.0

Release notes

Sourced from getsentry/github-workflows's releases.

3.4.0

Features

• Validate PR - Action is advisory: it posts a single friendly comment on community PRs that don't reference an issue with maintainer discussion. PRs are not closed and no labels are applied. Recommended trigger is types: [opened].
• Validate PR - Skip validation for PRs with fewer than 100 lines changed, excluding common lock files (Cargo.lock, yarn.lock, package-lock.json, Pipfile.lock, etc.). Tiny PRs no longer go through the issue-discussion loop.
• Add validate-pr composite action for validating non-maintainer PRs against contribution guidelines (#153)

Fixes

• Complete script injection hardening across all actions: move remaining step outputs to env vars, validate Danger version against semver (#152)
• Updater - Trigger CI for new PRs without changelog updates (#166)
• Updater - Select the first branch when multiple branches point at HEAD (#165)

Dependencies

• Bump Danger JS from v13.0.4 to v13.0.5 (#160)
  • changelog
  • diff

Commits

• 607fed7 release: 3.4.0
• 82866c1 chore: update getsentry/craft to 2.26.3 (#168)
• 24be696 fix: complete script injection hardening across all actions (#152)
• a940f77 fix(updater): Trigger CI for new PRs without changelog updates (#166)
• 98c1e36 test(updater): Accept either main or master as sentry-cli main branch (#167)
• d81d746 chore: update danger/danger.properties to 13.0.5 (#160)
• 80476a9 fix(updater): Select first matching main branch (#165)
• 43bf14b feat(validate-pr): Make advisory; drop close + labels (#163)
• 71588dd feat(validate-pr): Skip checks for users with write access (#162)
• 02fd7a2 feat(validate-pr): Skip all checks when a maintainer reopens a PR (#161)
• Additional commits viewable in compare view

Updates actions/create-github-app-token from 3.1.1 to 3.2.0

Release notes

Sourced from actions/create-github-app-token's releases.

v3.2.0

3.2.0 (2026-05-12)

Features

• add support for enterprise-level GitHub Apps (#263) (952a2a7)
• support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)
• validate private-key input (#376) (f24bbd8)

Changelog

Sourced from actions/create-github-app-token's changelog.

Changelog

3.2.0 (2026-05-12)

Features

• add support for enterprise-level GitHub Apps (#263) (952a2a7)
• support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)
• validate private-key input (#376) (f24bbd8)

Commits

• bcd2ba4 chore(main): release 3.2.0 (#370)
• f24bbd8 fix: validate private-key input (#376)
• 363531b docs: capitalize Git as a proper noun in README (#374)
• fd28011 docs: update procedure to configure Git (#287)
• 85eb8dd feat: support full repository names in repositories input (#372)
• c9aabb8 build(deps-dev): bump yaml from 2.8.3 to 2.8.4 in the development-dependencie...
• e02e816 build(deps-dev): bump undici from 7.24.6 to 8.2.0 (#366)
• 8d835bf build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 in the development-depend...
• 952a2a7 feat: add support for enterprise-level GitHub Apps (#263)
• 43e5c34 fix(deps): bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependenc...
• Additional commits viewable in compare view

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 29551f8. Configure here.}

[cursor]

validate-pr.yml downgraded to older commit instead of upgraded

Medium Severity

The validate-pr.yml workflow is being changed to commit 26f565c which is the old 3.3.0 hash (the same hash that danger.yml and update-deps.yml are moving away from). The other workflows correctly update to 607fed74f812e69201531a5185b6c3c57caa4e89 (3.4.0), but validate-pr is effectively downgraded from 71588dd (a newer commit within the 3.4.0 development cycle) back to 3.3.0. It likely needs to point to 607fed7 like the other workflows.

 

^{Reviewed by Cursor Bugbot for commit 29551f8. Configure here.}

[runningcode]

woah, what's going on here?

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

[sentry]

📲 Install Builds

Android

🔗 App Name	App ID	Version	Configuration
SDK Size	io.sentry.tests.size	8.41.0 (1)	release

⚙️ sentry-android Build Distribution Settings

[github-actions]

Performance metrics 🚀

	Plain	With Sentry	Diff
Startup time	389.10 ms	466.86 ms	77.76 ms
Size	0 B	0 B	0 B

Baseline results on branch: main

Startup times

Revision	Plain	With Sentry	Diff
319f256	317.53 ms	370.83 ms	53.29 ms
ab8a72d	316.24 ms	356.38 ms	40.14 ms
cf708bd	434.73 ms	502.96 ms	68.22 ms
91bb874	310.68 ms	359.24 ms	48.56 ms
f634d01	375.06 ms	420.04 ms	44.98 ms
62b579c	299.75 ms	364.84 ms	65.09 ms
6b019b7	403.90 ms	546.09 ms	142.19 ms
d364ace	384.53 ms	453.51 ms	68.98 ms
5b66efd	308.67 ms	363.85 ms	55.18 ms
ee35ac3	346.83 ms	435.48 ms	88.65 ms

App size

Revision	Plain	With Sentry	Diff
319f256	1.58 MiB	2.19 MiB	619.79 KiB
ab8a72d	1.58 MiB	2.12 MiB	551.55 KiB
cf708bd	1.58 MiB	2.11 MiB	539.71 KiB
91bb874	1.58 MiB	2.13 MiB	559.07 KiB
f634d01	1.58 MiB	2.10 MiB	533.40 KiB
62b579c	0 B	0 B	0 B
6b019b7	0 B	0 B	0 B
d364ace	1.58 MiB	2.11 MiB	539.75 KiB
5b66efd	1.58 MiB	2.13 MiB	559.07 KiB
ee35ac3	1.58 MiB	2.13 MiB	558.77 KiB