chore(deps): bump the github-actions group across 1 directory with 6 updates

[dependabot]

Bumps the github-actions group with 6 updates in the / directory:

Package	From	To
codecov/codecov-action	6.0.0	6.0.1
getsentry/craft/.github/workflows/changelog-preview.yml	2.26.3	2.26.6
github/codeql-action	4.35.4	4.36.0
getsentry/github-workflows	3.3.0	3.4.0
actions/create-github-app-token	3.1.1	3.2.0
getsentry/craft	2.26.3	2.26.6

Updates codecov/codecov-action from 6.0.0 to 6.0.1

Release notes

Sourced from codecov/codecov-action's releases.

v6.0.1

What's Changed

• fix: prevent template injection in run: steps (VULN-1652) by @​thomasrockhu-codecov in codecov/codecov-action#1947
• chore(release): 6.0.1 by @​thomasrockhu-codecov in codecov/codecov-action#1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

Changelog

Sourced from codecov/codecov-action's changelog.

v5.5.2

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in codecov/codecov-action#1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in codecov/codecov-action#1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in codecov/codecov-action#1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in codecov/codecov-action#1872
• docs: fix typo in README by @​datalater in codecov/codecov-action#1866
• Document a codecov-cli version reference example by @​webknjaz in codecov/codecov-action#1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in codecov/codecov-action#1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in codecov/codecov-action#1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

What's Changed

• feat: upgrade wrapper to 0.2.4 by @​jviall in codecov/codecov-action#1864
• Pin actions/github-script by Git SHA by @​martincostello in codecov/codecov-action#1859
• fix: check reqs exist by @​joseph-sentry in codecov/codecov-action#1835
• fix: Typo in README by @​spalmurray in codecov/codecov-action#1838
• docs: Refine OIDC docs by @​spalmurray in codecov/codecov-action#1837
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​app/dependabot in codecov/codecov-action#1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

v5.4.3

What's Changed

• build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by @​app/dependabot in codecov/codecov-action#1822
• fix: OIDC on forks by @​joseph-sentry in codecov/codecov-action#1823

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3

v5.4.2

... (truncated)

Commits

• e79a696 chore(release): 6.0.1 (#1949)
• 51e6422 fix: prevent template injection in run: steps (VULN-1652) (#1947)
• See full diff in compare view

Updates getsentry/craft/.github/workflows/changelog-preview.yml from 2.26.3 to 2.26.6

Release notes

Sourced from getsentry/craft/.github/workflows/changelog-preview.yml's releases.

2.26.6

Bug Fixes 🐛

• (nuget) Move global.json aside during dotnet setversion by @​jamescrosswell in #820
• (security) Override @​tootallnate/once to ^2.0.1 (CVE-2026-3449) by @​BYK in #822
• Improve partial publishing recovery for CocoaPods and GitHub targets by @​BYK in #821

2.26.5

Bug Fixes 🐛

• (security) Bump devalue override to ^5.8.1 (CVE-2026-42570) by @​BYK in #818

2.26.4

Bug Fixes 🐛

• (security) Prevent script injection in changelog-preview workflow by @​fix-it-felix-sentry in #813
• Resolve open dependabot security alerts by @​BYK in #816

Internal Changes 🔧

• (deps-dev) Bump simple-git from 3.33.0 to 3.36.0 by @​dependabot in #814

Changelog

Sourced from getsentry/craft/.github/workflows/changelog-preview.yml's changelog.

Changelog

2.26.6

Bug Fixes 🐛

• (nuget) Move global.json aside during dotnet setversion by @​jamescrosswell in #820
• (security) Override @​tootallnate/once to ^2.0.1 (CVE-2026-3449) by @​BYK in #822
• Improve partial publishing recovery for CocoaPods and GitHub targets by @​BYK in #821

2.26.5

Bug Fixes 🐛

• (security) Bump devalue override to ^5.8.1 (CVE-2026-42570) by @​BYK in #818

2.26.4

Bug Fixes 🐛

• (security) Prevent script injection in changelog-preview workflow by @​fix-it-felix-sentry in #813
• Resolve open dependabot security alerts by @​BYK in #816

Internal Changes 🔧

• (deps-dev) Bump simple-git from 3.33.0 to 3.36.0 by @​dependabot in #814

2.26.3

Bug Fixes 🐛

• Prevent shell injection vulnerabilities in GitHub Actions workflows by @​fix-it-felix-sentry in #811

2.26.2

Security 🔒

• (deps) Bump uuid to ^14.0.0 (fix GHSA-w5hq-g745-h8pq) by @​BYK in #810

Bug Fixes 🐛

• (prepare) Remove --allow-remote-config gate by @​BYK in #809

Internal Changes 🔧

• (deps) Bump astro from 5.18.1 to 6.1.6 in /docs by @​dependabot in #806
• (deps-dev) Bump fast-xml-parser from 5.5.7 to 5.7.0 by @​dependabot in #808

2.26.1

... (truncated)

Commits

• 3e6a0f4 release: 2.26.6
• 2662e81 fix(security): override @​tootallnate/once to ^2.0.1 (CVE-2026-3449) (#822)
• e9a5238 fix: improve partial publishing recovery for CocoaPods and GitHub targets (#821)
• da0e0c1 fix(nuget): move global.json aside during dotnet setversion (#820)
• d1fa7db meta: Bump new development version
• ca52417 Merge branch 'release/2.26.5'
• bc2e6a9 release: 2.26.5
• 60b80e5 fix(security): bump devalue override to ^5.8.1 (CVE-2026-42570) (#818)
• 7bd2931 meta: Bump new development version
• 1389909 Merge branch 'release/2.26.4'
• Additional commits viewable in compare view

Updates github/codeql-action from 4.35.4 to 4.36.0

Release notes

Sourced from github/codeql-action's releases.

v4.36.0

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
• Add support for SHA-256 Git object IDs. #3893
• Update default CodeQL bundle version to 2.25.5. #3926

v4.35.5

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.36.0 - 22 May 2026

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
• Add support for SHA-256 Git object IDs. #3893
• Update default CodeQL bundle version to 2.25.5. #3926

4.35.5 - 15 May 2026

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

• Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

... (truncated)

Commits

• 7211b7c Merge pull request #3927 from github/update-v4.36.0-ebc2d9e2b
• 7740f2f Update changelog for v4.36.0
• ebc2d9e Merge pull request #3926 from github/update-bundle/codeql-bundle-v2.25.5
• d1f74b7 Add changelog note
• 2dc40ce Update default bundle to codeql-bundle-v2.25.5
• 8449852 Merge pull request #3910 from github/henrymercer/repo-size-diff-check
• 72ac23c Update excluded required check list
• c5297a2 Merge pull request #3919 from github/henrymercer/workflow-concurrency
• 8ffeae7 CI: Automatically cancel non-generated workflows
• f3f52bf Revert getErrorMessage import
• Additional commits viewable in compare view

Updates getsentry/github-workflows from 3.3.0 to 3.4.0

Release notes

Sourced from getsentry/github-workflows's releases.

3.4.0

Features

• Validate PR - Action is advisory: it posts a single friendly comment on community PRs that don't reference an issue with maintainer discussion. PRs are not closed and no labels are applied. Recommended trigger is types: [opened].
• Validate PR - Skip validation for PRs with fewer than 100 lines changed, excluding common lock files (Cargo.lock, yarn.lock, package-lock.json, Pipfile.lock, etc.). Tiny PRs no longer go through the issue-discussion loop.
• Add validate-pr composite action for validating non-maintainer PRs against contribution guidelines (#153)

Fixes

• Complete script injection hardening across all actions: move remaining step outputs to env vars, validate Danger version against semver (#152)
• Updater - Trigger CI for new PRs without changelog updates (#166)
• Updater - Select the first branch when multiple branches point at HEAD (#165)

Dependencies

• Bump Danger JS from v13.0.4 to v13.0.5 (#160)
  • changelog
  • diff

Commits

• 607fed7 release: 3.4.0
• 82866c1 chore: update getsentry/craft to 2.26.3 (#168)
• 24be696 fix: complete script injection hardening across all actions (#152)
• a940f77 fix(updater): Trigger CI for new PRs without changelog updates (#166)
• 98c1e36 test(updater): Accept either main or master as sentry-cli main branch (#167)
• d81d746 chore: update danger/danger.properties to 13.0.5 (#160)
• 80476a9 fix(updater): Select first matching main branch (#165)
• 43bf14b feat(validate-pr): Make advisory; drop close + labels (#163)
• 71588dd feat(validate-pr): Skip checks for users with write access (#162)
• 02fd7a2 feat(validate-pr): Skip all checks when a maintainer reopens a PR (#161)
• Additional commits viewable in compare view

Updates actions/create-github-app-token from 3.1.1 to 3.2.0

Release notes

Sourced from actions/create-github-app-token's releases.

v3.2.0

3.2.0 (2026-05-12)

Features

• add support for enterprise-level GitHub Apps (#263) (952a2a7)
• support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)
• validate private-key input (#376) (f24bbd8)

Changelog

Sourced from actions/create-github-app-token's changelog.

Changelog

3.2.0 (2026-05-12)

Features

• add support for enterprise-level GitHub Apps (#263) (952a2a7)
• support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)
• validate private-key input (#376) (f24bbd8)

Commits

• bcd2ba4 chore(main): release 3.2.0 (#370)
• f24bbd8 fix: validate private-key input (#376)
• 363531b docs: capitalize Git as a proper noun in README (#374)
• fd28011 docs: update procedure to configure Git (#287)
• 85eb8dd feat: support full repository names in repositories input (#372)
• c9aabb8 build(deps-dev): bump yaml from 2.8.3 to 2.8.4 in the development-dependencie...
• e02e816 build(deps-dev): bump undici from 7.24.6 to 8.2.0 (#366)
• 8d835bf build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 in the development-depend...
• 952a2a7 feat: add support for enterprise-level GitHub Apps (#263)
• 43e5c34 fix(deps): bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependenc...
• Additional commits viewable in compare view

Updates getsentry/craft from 2.26.3 to 2.26.6

Release notes

Sourced from getsentry/craft's releases.

2.26.6

Bug Fixes 🐛

• (nuget) Move global.json aside during dotnet setversion by @​jamescrosswell in #820
• (security) Override @​tootallnate/once to ^2.0.1 (CVE-2026-3449) by @​BYK in #822
• Improve partial publishing recovery for CocoaPods and GitHub targets by @​BYK in #821

2.26.5

Bug Fixes 🐛

• (security) Bump devalue override to ^5.8.1 (CVE-2026-42570) by @​BYK in #818

2.26.4

Bug Fixes 🐛

• (security) Prevent script injection in changelog-preview workflow by @​fix-it-felix-sentry in #813
• Resolve open dependabot security alerts by @​BYK in #816

Internal Changes 🔧

• (deps-dev) Bump simple-git from 3.33.0 to 3.36.0 by @​dependabot in #814

Changelog

Sourced from getsentry/craft's changelog.

Changelog

2.26.6

Bug Fixes 🐛

• (nuget) Move global.json aside during dotnet setversion by @​jamescrosswell in #820
• (security) Override @​tootallnate/once to ^2.0.1 (CVE-2026-3449) by @​BYK in #822
• Improve partial publishing recovery for CocoaPods and GitHub targets by @​BYK in #821

2.26.5

Bug Fixes 🐛

• (security) Bump devalue override to ^5.8.1 (CVE-2026-42570) by @​BYK in #818

2.26.4

Bug Fixes 🐛

• (security) Prevent script injection in changelog-preview workflow by @​fix-it-felix-sentry in #813
• Resolve open dependabot security alerts by @​BYK in #816

Internal Changes 🔧

• (deps-dev) Bump simple-git from 3.33.0 to 3.36.0 by @​dependabot in #814

2.26.3

Bug Fixes 🐛

• Prevent shell injection vulnerabilities in GitHub Actions workflows by @​fix-it-felix-sentry in #811

2.26.2

Security 🔒

• (deps) Bump uuid to ^14.0.0 (fix GHSA-w5hq-g745-h8pq) by @​BYK in #810

Bug Fixes 🐛

• (prepare) Remove --allow-remote-config gate by @​BYK in #809

Internal Changes 🔧

• (deps) Bump astro from 5.18.1 to 6.1.6 in /docs by @​dependabot in #806
• (deps-dev) Bump fast-xml-parser from 5.5.7 to 5.7.0 by @​dependabot in #808

2.26.1

... (truncated)

Commits

• 3e6a0f4 release: 2.26.6
• 2662e81 fix(security): override @​tootallnate/once to ^2.0.1 (CVE-2026-3449) (#822)
• e9a5238 fix: improve partial publishing recovery for CocoaPods and GitHub targets (#821)
• da0e0c1 fix(nuget): move global.json aside during dotnet setversion (#820)
• d1fa7db meta: Bump new development version
• ca52417 Merge branch 'release/2.26.5'
• bc2e6a9 release: 2.26.5
• 60b80e5 fix(security): bump devalue override to ^5.8.1 (CVE-2026-42570) (#818)
• 7bd2931 meta: Bump new development version
• 1389909 Merge branch 'release/2.26.4'
• Additional commits viewable in compare view

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 9391867. Configure here.}

[cursor]

validate-pr action downgraded instead of upgraded to v3.4.0

High Severity

The validate-pr action is being changed to commit 26f565c05d0dd49f703d238706b775883037d76b, which is the old v3.3.0 hash — the same hash that danger.yml and update-deps.yml were on before this PR. Those other two workflows are correctly updated to 607fed74f812e69201531a5185b6c3c57caa4e89 (v3.4.0), but validate-pr is effectively being downgraded from an intermediate commit back to v3.3.0 instead of being upgraded to v3.4.0. This loses features like "skip checks for users with write access" and the security hardening fixes included in v3.4.0.

 

^{Reviewed by Cursor Bugbot for commit 9391867. Configure here.}

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

[sentry]

📲 Install Builds

Android

🔗 App Name	App ID	Version	Configuration
SDK Size	io.sentry.tests.size	8.41.0 (1)	release

⚙️ sentry-android Build Distribution Settings

[github-actions]

Performance metrics 🚀

	Plain	With Sentry	Diff
Startup time	314.12 ms	359.41 ms	45.29 ms
Size	0 B	0 B	0 B

Baseline results on branch: main

Startup times

Revision	Plain	With Sentry	Diff
3d205d0	352.15 ms	432.53 ms	80.38 ms
27d7cf8	369.82 ms	422.62 ms	52.80 ms
33a08cc	267.08 ms	340.45 ms	73.37 ms
b750b96	408.98 ms	480.32 ms	71.34 ms
96eeafa	361.43 ms	455.07 ms	93.63 ms
22f4345	314.79 ms	375.02 ms	60.23 ms
8c1fb22	316.62 ms	352.78 ms	36.16 ms
cf708bd	434.73 ms	502.96 ms	68.22 ms
48277cd	320.38 ms	379.90 ms	59.52 ms
22f4345	307.87 ms	354.51 ms	46.64 ms

App size

Revision	Plain	With Sentry	Diff
3d205d0	1.58 MiB	2.10 MiB	532.97 KiB
27d7cf8	1.58 MiB	2.12 MiB	549.42 KiB
33a08cc	1.58 MiB	2.12 MiB	555.28 KiB
b750b96	1.58 MiB	2.10 MiB	533.19 KiB
96eeafa	1.58 MiB	2.19 MiB	620.21 KiB
22f4345	1.58 MiB	2.29 MiB	719.83 KiB
8c1fb22	0 B	0 B	0 B
cf708bd	1.58 MiB	2.11 MiB	539.71 KiB
48277cd	0 B	0 B	0 B
22f4345	1.58 MiB	2.29 MiB	719.83 KiB