From ac883fd55893354fff0cc30c2ff643c4db9953cd Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Fri, 9 Jan 2026 18:00:12 +0000 Subject: [PATCH 01/18] ci(release): Switch from action-prepare-release to Craft This PR migrates from the deprecated action-prepare-release to the new Craft GitHub Actions (reusable workflow or composite action). Changes: - Migrate .github/workflows/release.yml to Craft reusable workflow
---
.github/workflows/changelog-preview.yml | 13 ++++++++ .github/workflows/release.yml | 43 +++++++------------------ 2 files changed, 25 insertions(+), 31 deletions(-) create mode 100644 .github/workflows/changelog-preview.yml
diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml
new file mode 100644
index 0000000000..1ed1021302
--- /dev/null
+++ b/.github/workflows/changelog-preview.yml
@@ -0,0 +1,13 @@
+name: Changelog Preview
+on:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ - reopened
+ - edited
+ - labeled
+jobs:
+ changelog-preview:
+ uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
+ secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d0555fa94d..14fb571faa 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
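Review bot: The new `changelog-preview.yml` calls `getsentry/craft/.github/workflows/changelog-preview.yml@v2` by a mutable tag and hands it every repository secret through `secrets: inherit`, so whatever `v2` points to at run time executes with those secrets on pull requests from branches in this repository (fork pull requests do not receive secrets). The `release.yml` hunk that follows in this patch has the same pairing on `getsentry/craft/.github/workflows/release.yml@v2`. I would pin the reference to a full commit SHA with the exact release in a trailing comment, `uses: getsentry/craft/.github/workflows/changelog-preview.yml@<full-commit-sha> # <exact-tag>`, and replace `secrets: inherit` with an explicit `secrets:` map of only the names the called workflow declares. The new file also has no `permissions:` block, so the called jobs run with the repository's default token scope.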
@@ -1,40 +1,21 @@ name: Release - on: workflow_dispatch: inputs: version: - description: Version to release - required: true - merge_target: - description: Target branch to merge into. Uses the default branch as a fallback (optional) + description: Version to release (or "auto") required: false force: - description: Force a release even when there are release-blockers (optional) + description: Force a release even when there are release-blockers + required: false + merge_target: + description: Target branch to merge into required: false - jobs: - job_release: - runs-on: ubuntu-latest - name: 'Release a new version: ${{ github.event.inputs.version }}' - steps: - - name: Get auth token - id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - name: Check out current commit (${{ github.sha }}) - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - with: - token: ${{ steps.token.outputs.token }} - fetch-depth: 0 - - - name: Prepare release ${{ github.event.inputs.version }} - uses: getsentry/action-prepare-release@c8e1c2009ab08259029170132c384f03c1064c0e # v1.6.6 - env: - GITHUB_TOKEN: ${{ steps.token.outputs.token }} - with: - version: ${{ github.event.inputs.version }} - force: ${{ github.event.inputs.force }} - merge_target: ${{ github.event.inputs.merge_target }} + release: + uses: getsentry/craft/.github/workflows/release.yml@v2 + with: + version: ${{ inputs.version }} + force: ${{ inputs.force }} + merge_target: ${{ inputs.merge_target }} + secrets: inherit From a2912f2325917ba9ba1274faf0231dadf699c975 Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Fri, 9 Jan 2026 23:11:31 +0000 Subject: [PATCH 02/18] ci(release): Restore GitHub App token authentication The previous migration incorrectly removed the GitHub App token authentication step. This commit restores it by switching to the composite action pattern which preserves the auth flow. --- .github/workflows/release.yml | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 14fb571faa..675656d9dd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,9 +13,24 @@ on: required: false jobs: release: - uses: getsentry/craft/.github/workflows/release.yml@v2 - with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} - merge_target: ${{ inputs.merge_target }} - secrets: inherit + runs-on: ubuntu-latest + name: Release a new version + steps: + - name: Get auth token + id: token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} + private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + - uses: actions/checkout@v4 + with: + token: ${{ steps.token.outputs.token }} + fetch-depth: 0 + - name: Prepare release + uses: getsentry/craft@v2 + env: + GITHUB_TOKEN: ${{ steps.token.outputs.token }} + with: + version: ${{ inputs.version }} + force: ${{ inputs.force }} + merge_target: ${{ inputs.merge_target }} From da3203080d5e4267aee77afa3cf5ea76d770e83a Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 00:28:02 +0000 Subject: [PATCH 03/18] fix: Pin actions to SHA and add permissions blocks --- .github/workflows/changelog-preview.yml | 4 ++++ .github/workflows/release.yml | 10 +++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml index 1ed1021302..5883c004c0 100644 --- a/.github/workflows/changelog-preview.yml 
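Review bot: The restored steps reference `actions/create-github-app-token@v1`, `actions/checkout@v4` and `getsentry/craft@v2` by mutable tag, while the job removed in patch 01 pinned the first two by commit SHA at v2.2.1 and v6.0.1. This is the job that reads `secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY` and passes the minted token to both checkout and Craft, so a moved tag on any of the three would run with the release bot's credentials. Restore the SHA-pinned form of the two `actions/*` lines from the removed job and pin Craft the same way, `uses: getsentry/craft@<full-commit-sha> # <exact-tag>`. The tag form also drops create-github-app-token and checkout to older major versions, which looks unintended.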
+++ b/.github/workflows/changelog-preview.yml @@ -7,6 +7,10 @@ on: - reopened - edited - labeled +permissions: + contents: write + pull-requests: write + jobs: changelog-preview: uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 675656d9dd..e746cd9c1c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,6 +11,10 @@ on: merge_target: description: Target branch to merge into required: false +permissions: + contents: write + pull-requests: write + jobs: release: runs-on: ubuntu-latest @@ -18,16 +22,16 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@v2 + uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From df38ecc05661f395eff613f87b5d6661ba967898 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 01:32:35 +0000 Subject: [PATCH 04/18] fix: Use correct action version SHAs (restore original versions) --- .github/workflows/alpine.yml | 2 +- .github/workflows/build.yml | 14 +++++++------- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/device-tests-android.yml | 6 +++--- .github/workflows/device-tests-ios.yml | 2 +- .github/workflows/format-code.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/vulnerabilities.yml | 2 +- 8 files changed, 17 insertions(+), 17 deletions(-) 
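Review bot: `contents: write` at workflow level in `changelog-preview.yml` looks broader than a changelog preview on `pull_request` needs; if the called workflow only reads history and comments on the pull request, `contents: read` with `pull-requests: write` would be enough, though the called workflow is not visible here and this needs confirming. The same block is added to `release.yml` in this patch, where every visible step authenticates with `steps.token.outputs.token` rather than the default token, so unless Craft also uses the default `GITHUB_TOKEN` internally that block could be `contents: read`. In both files I would move the grant to the job and add a one-line comment naming the step that needs each write scope. The context line in this hunk still calls the reusable workflow at `@v2`, so the SHA pinning in this patch does not cover it.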
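Review bot: The version comments on the new pins in the second `release.yml` hunk do not match the tags they replace: `actions/checkout@v4` becomes `@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2` and `actions/create-github-app-token@v1` becomes `@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2`. With the comment wrong, a reader cannot tell which release each SHA is meant to be, and update tooling that reads the comment will be misled. Please verify each SHA against the upstream tag it is meant to represent and write that exact tag in the comment, `# <exact-tag>`, rather than a bare major version.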
diff --git a/.github/workflows/alpine.yml b/.github/workflows/alpine.yml index fabb35fa8a..2bdf1f6422 100644 --- a/.github/workflows/alpine.yml +++ b/.github/workflows/alpine.yml @@ -23,7 +23,7 @@ jobs: packages: write steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8ad7a7148c..d169f04bc2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -48,7 +48,7 @@ jobs: curl -sSL https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}/.github/alpine/setup-node.sh | sudo bash /dev/stdin - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 - run: git submodule update --init modules/sentry-native @@ -121,7 +121,7 @@ jobs: uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 with: submodules: recursive fetch-depth: 2 # default is 1 and codecov needs > 1 @@ -262,7 +262,7 @@ jobs: - name: Sparse checkout if: env.CI_PUBLISHING_BUILD == 'true' - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 with: # We only check out what is absolutely necessary to reduce a chance of local files impacting # integration tests (nuget.config etc.)... But we need the root Directory.Build.props calculate 
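Review bot: The SHA on the `actions/checkout` line in `alpine.yml` is unchanged; the only edit is a second version comment, giving `# v6 # v6.0.1`. The same edit repeats in every `actions/checkout` hunk of this patch, patch 05 appends a third (`# v6 # v6 # v6.0.1`), and the `release.yml` hunk of this patch ends with the contradictory `# v6 # v2` on checkout. This looks like a pinning script appending to the comment instead of replacing it. Each pin should carry a single comment with the exact tag, as the original `# v6.0.1` did, and files whose SHA does not change should be left out of the patch.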
@@ -306,7 +306,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 with: submodules: recursive @@ -364,7 +364,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 with: submodules: recursive @@ -394,7 +394,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 with: submodules: recursive fetch-depth: 2 # default is 1 and codecov needs > 1 @@ -433,7 +433,7 @@ jobs: if: ${{ !startsWith(github.ref_name, 'release/') }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7322737cec..c5808d8c3f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -27,7 +27,7 @@ jobs: uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/device-tests-android.yml b/.github/workflows/device-tests-android.yml index 4f07254fad..b6e8e37e15 100644 --- a/.github/workflows/device-tests-android.yml +++ b/.github/workflows/device-tests-android.yml 
@@ -27,7 +27,7 @@ jobs: uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 with: submodules: recursive @@ -80,7 +80,7 @@ jobs: sudo udevadm trigger --name-match=kvm - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 with: submodules: recursive @@ -127,7 +127,7 @@ jobs: java-version: '17' - name: Checkout github-workflows - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 with: repository: getsentry/github-workflows ref: a5e409bd5bad4c295201cdcfe862b17c50b29ab7 # v2.14.1 diff --git a/.github/workflows/device-tests-ios.yml b/.github/workflows/device-tests-ios.yml index 2600e89090..736fcef9df 100644 --- a/.github/workflows/device-tests-ios.yml +++ b/.github/workflows/device-tests-ios.yml @@ -24,7 +24,7 @@ jobs: uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml index 97e38c6111..7e73914e53 100644 --- a/.github/workflows/format-code.yml +++ b/.github/workflows/format-code.yml @@ -15,7 +15,7 @@ jobs: runs-on: macos-15 steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e746cd9c1c..89513e13ab 100644 
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,11 +22,11 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml index 436d29ed4f..43b72ead4b 100644 --- a/.github/workflows/vulnerabilities.yml +++ b/.github/workflows/vulnerabilities.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 with: submodules: recursive From b64b656d136b3ff22ce0c113d9ddf37ad279a7c6 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 02:01:25 +0000 Subject: [PATCH 05/18] fix: Use correct action version SHAs (restore original versions) --- .github/workflows/alpine.yml | 2 +- .github/workflows/build.yml | 14 +++++++------- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/device-tests-android.yml | 6 +++--- .github/workflows/device-tests-ios.yml | 2 +- .github/workflows/format-code.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/vulnerabilities.yml | 2 +- 8 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/alpine.yml b/.github/workflows/alpine.yml index 2bdf1f6422..e5f2e17f2b 100644 --- a/.github/workflows/alpine.yml +++ b/.github/workflows/alpine.yml 
@@ -23,7 +23,7 @@ jobs: packages: write steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d169f04bc2..3c30231fc4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -48,7 +48,7 @@ jobs: curl -sSL https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}/.github/alpine/setup-node.sh | sudo bash /dev/stdin - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 - run: git submodule update --init modules/sentry-native @@ -121,7 +121,7 @@ jobs: uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 with: submodules: recursive fetch-depth: 2 # default is 1 and codecov needs > 1 @@ -262,7 +262,7 @@ jobs: - name: Sparse checkout if: env.CI_PUBLISHING_BUILD == 'true' - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 with: # We only check out what is absolutely necessary to reduce a chance of local files impacting # integration tests (nuget.config etc.)... But we need the root Directory.Build.props calculate @@ -306,7 +306,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 with: submodules: recursive 
@@ -364,7 +364,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 with: submodules: recursive @@ -394,7 +394,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 with: submodules: recursive fetch-depth: 2 # default is 1 and codecov needs > 1 @@ -433,7 +433,7 @@ jobs: if: ${{ !startsWith(github.ref_name, 'release/') }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c5808d8c3f..056af6e644 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -27,7 +27,7 @@ jobs: uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/device-tests-android.yml b/.github/workflows/device-tests-android.yml index b6e8e37e15..15557987e5 100644 --- a/.github/workflows/device-tests-android.yml +++ b/.github/workflows/device-tests-android.yml @@ -27,7 +27,7 @@ jobs: uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 with: submodules: recursive 
@@ -80,7 +80,7 @@ jobs: sudo udevadm trigger --name-match=kvm - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 with: submodules: recursive @@ -127,7 +127,7 @@ jobs: java-version: '17' - name: Checkout github-workflows - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 with: repository: getsentry/github-workflows ref: a5e409bd5bad4c295201cdcfe862b17c50b29ab7 # v2.14.1 diff --git a/.github/workflows/device-tests-ios.yml b/.github/workflows/device-tests-ios.yml index 736fcef9df..63a0eadf8b 100644 --- a/.github/workflows/device-tests-ios.yml +++ b/.github/workflows/device-tests-ios.yml @@ -24,7 +24,7 @@ jobs: uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml index 7e73914e53..5bfaddee54 100644 --- a/.github/workflows/format-code.yml +++ b/.github/workflows/format-code.yml @@ -15,7 +15,7 @@ jobs: runs-on: macos-15 steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 89513e13ab..3778d36816 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -22,11 +22,11 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml index 43b72ead4b..718992c8e2 100644 --- a/.github/workflows/vulnerabilities.yml +++ b/.github/workflows/vulnerabilities.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 with: submodules: recursive From 640d13a58ab75805770eced35c2af4a5a0af3e9e Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Mon, 12 Jan 2026 12:26:49 +0000 Subject: [PATCH 06/18] fix: Clean up action version comments --- .github/workflows/alpine.yml | 2 +- .github/workflows/build.yml | 14 +++++++------- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/device-tests-android.yml | 6 +++--- .github/workflows/device-tests-ios.yml | 2 +- .github/workflows/format-code.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/vulnerabilities.yml | 2 +- 8 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/alpine.yml b/.github/workflows/alpine.yml index e5f2e17f2b..fabb35fa8a 100644 --- a/.github/workflows/alpine.yml +++ b/.github/workflows/alpine.yml 
@@ -23,7 +23,7 @@ jobs: packages: write steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3c30231fc4..8ad7a7148c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -48,7 +48,7 @@ jobs: curl -sSL https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}/.github/alpine/setup-node.sh | sudo bash /dev/stdin - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - run: git submodule update --init modules/sentry-native @@ -121,7 +121,7 @@ jobs: uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive fetch-depth: 2 # default is 1 and codecov needs > 1 @@ -262,7 +262,7 @@ jobs: - name: Sparse checkout if: env.CI_PUBLISHING_BUILD == 'true' - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: # We only check out what is absolutely necessary to reduce a chance of local files impacting # integration tests (nuget.config etc.)... But we need the root Directory.Build.props calculate @@ -306,7 +306,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive 
@@ -364,7 +364,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -394,7 +394,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive fetch-depth: 2 # default is 1 and codecov needs > 1 @@ -433,7 +433,7 @@ jobs: if: ${{ !startsWith(github.ref_name, 'release/') }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 056af6e644..7322737cec 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -27,7 +27,7 @@ jobs: uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/device-tests-android.yml b/.github/workflows/device-tests-android.yml index 15557987e5..4f07254fad 100644 --- a/.github/workflows/device-tests-android.yml +++ b/.github/workflows/device-tests-android.yml @@ -27,7 +27,7 @@ jobs: uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive 
@@ -80,7 +80,7 @@ jobs: sudo udevadm trigger --name-match=kvm - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -127,7 +127,7 @@ jobs: java-version: '17' - name: Checkout github-workflows - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: repository: getsentry/github-workflows ref: a5e409bd5bad4c295201cdcfe862b17c50b29ab7 # v2.14.1 diff --git a/.github/workflows/device-tests-ios.yml b/.github/workflows/device-tests-ios.yml index 63a0eadf8b..2600e89090 100644 --- a/.github/workflows/device-tests-ios.yml +++ b/.github/workflows/device-tests-ios.yml @@ -24,7 +24,7 @@ jobs: uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml index 5bfaddee54..97e38c6111 100644 --- a/.github/workflows/format-code.yml +++ b/.github/workflows/format-code.yml @@ -15,7 +15,7 @@ jobs: runs-on: macos-15 steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3778d36816..251a94f44b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -22,11 +22,11 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml index 718992c8e2..436d29ed4f 100644 --- a/.github/workflows/vulnerabilities.yml +++ b/.github/workflows/vulnerabilities.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive From 6629834a2ad4fed3dd5ecec165cfa2bbe0dd4179 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 22:45:45 +0000 Subject: [PATCH 07/18] Update Craft SHA to 1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 251a94f44b..1fb48ff78c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -31,7 +31,7 @@ jobs: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2 + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From af9b1be1715aa838c3d139dd0e2aaf40c0357f4d Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:04:15 +0000 Subject: [PATCH 08/18] Add explicit permissions block to build.yml --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8ad7a7148c..809dcc2f59 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -10,6 +10,10 @@ on: - "**.md" workflow_dispatch: +permissions: + contents: write + pull-requests: write + jobs: build-sentry-native: name: sentry-native (${{ matrix.rid }}) From b545e77787e498c4bfc6051da5f1065091b8b661 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:04:17 +0000 Subject: [PATCH 09/18] Add explicit permissions block to codeql-analysis.yml --- .github/workflows/codeql-analysis.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7322737cec..892911fdb8 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -9,6 +9,10 @@ on: schedule: - cron: '22 5 * * 1' +permissions: + contents: write + pull-requests: write + jobs: analyze: name: Analyze From c80dcb816b5e564e5f34770ee755f0143626dc68 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:04:19 +0000 Subject: [PATCH 10/18] Add explicit permissions block to device-tests-android.yml --- .github/workflows/device-tests-android.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/device-tests-android.yml b/.github/workflows/device-tests-android.yml index 4f07254fad..3cdf298eee 100644 --- a/.github/workflows/device-tests-android.yml +++ b/.github/workflows/device-tests-android.yml @@ -10,6 +10,10 @@ on: - "**.md" workflow_dispatch: +permissions: + contents: write + pull-requests: write + jobs: build: name: Build (${{ matrix.tfm }}) From 96fa79add4f600aaeb09b6e5254e04e65af4bf71 Mon Sep 17 00:00:00 2001 
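Review bot: The `permissions:` block added to `build.yml` grants `contents: write` and `pull-requests: write` to every job, and nothing in the hunk shows a job that pushes or edits pull requests; an explicit block is normally where the default token is narrowed, not widened. Once a workflow-level block exists, every scope it does not list becomes `none`, so the identical block added to `codeql-analysis.yml` in patch 09 leaves out `security-events`, which may break result upload if the `analyze` job has no job-level block (not visible in the hunk). The same block is added to `device-tests-android.yml` and `device-tests-ios.yml` in patches 10 and 11. I would start from a workflow-level `contents: read` and add write scopes per job, each with a comment naming the step that needs it.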
From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:04:21 +0000 Subject: [PATCH 11/18] Add explicit permissions block to device-tests-ios.yml --- .github/workflows/device-tests-ios.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/device-tests-ios.yml b/.github/workflows/device-tests-ios.yml index 2600e89090..c5a9bd6307 100644 --- a/.github/workflows/device-tests-ios.yml +++ b/.github/workflows/device-tests-ios.yml @@ -10,6 +10,10 @@ on: - "**.md" workflow_dispatch: +permissions: + contents: write + pull-requests: write + jobs: ios-tests: runs-on: macos-15 From ddf28c311ff03635fa6a3691845c5d4e463dab0a Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:15:25 +0000 Subject: [PATCH 12/18] Revert permissions changes to build.yml --- .github/workflows/build.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 809dcc2f59..8ad7a7148c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -10,10 +10,6 @@ on: - "**.md" workflow_dispatch: -permissions: - contents: write - pull-requests: write - jobs: build-sentry-native: name: sentry-native (${{ matrix.rid }}) From 9f348e51dfb1a14c947b8070cc76ef9688ed9724 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:15:28 +0000 Subject: [PATCH 13/18] Revert permissions changes to codeql-analysis.yml --- .github/workflows/codeql-analysis.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 892911fdb8..7322737cec 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -9,10 +9,6 @@ on: schedule: - cron: '22 5 * * 1' -permissions: - contents: write - pull-requests: write - jobs: analyze: name: Analyze From 95ce3ba476ad6a5a6627498f35d8a200e7bb2c8c Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:15:30 +0000 Subject: [PATCH 14/18] Revert permissions changes to device-tests-android.yml --- .github/workflows/device-tests-android.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/device-tests-android.yml b/.github/workflows/device-tests-android.yml index 3cdf298eee..4f07254fad 100644 --- a/.github/workflows/device-tests-android.yml +++ b/.github/workflows/device-tests-android.yml @@ -10,10 +10,6 @@ on: - "**.md" workflow_dispatch: -permissions: - contents: write - pull-requests: write - jobs: build: name: Build (${{ matrix.tfm }}) From 7147cd09d4813d0de23c6f4c852678a9d3c59f9a Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:15:33 +0000 Subject: [PATCH 15/18] Revert permissions changes to device-tests-ios.yml --- .github/workflows/device-tests-ios.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/device-tests-ios.yml b/.github/workflows/device-tests-ios.yml index c5a9bd6307..2600e89090 100644 --- a/.github/workflows/device-tests-ios.yml +++ b/.github/workflows/device-tests-ios.yml @@ -10,10 +10,6 @@ on: - "**.md" workflow_dispatch: -permissions: - contents: write - pull-requests: write - jobs: ios-tests: runs-on: macos-15 From cc8180ddc814b3be8dfa834e5620d98a2a3610c1 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 11:14:09 +0000 Subject: [PATCH 16/18] fix: clean up release.yml formatting and version comments --- .github/workflows/release.yml | 52 +++++++++++++++++++---------------- 1 file changed, 28 insertions(+), 24 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1fb48ff78c..09c904b628 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -1,40 +1,44 @@ name: Release + on: workflow_dispatch: inputs: version: description: Version to release (or "auto") required: false - force: - description: Force a release even when there are release-blockers - required: false merge_target: - description: Target branch to merge into + description: Target branch to merge into. Uses the default branch as a fallback (optional) required: false + force: + description: Force a release even when there are release-blockers (optional) + required: false + permissions: contents: write pull-requests: write jobs: - release: + job_release: runs-on: ubuntu-latest - name: Release a new version + name: 'Release a new version: ${{ github.event.inputs.version }}' steps: - - name: Get auth token - id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 - with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 - with: - token: ${{ steps.token.outputs.token }} - fetch-depth: 0 - - name: Prepare release - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 - env: - GITHUB_TOKEN: ${{ steps.token.outputs.token }} - with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} - merge_target: ${{ inputs.merge_target }} + - name: Get auth token + id: token + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + with: + app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} + private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + - name: Check out current commit (${{ github.sha }}) + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + token: ${{ steps.token.outputs.token }} + fetch-depth: 0 + + - name: Prepare release ${{ github.event.inputs.version }} + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 + env: + GITHUB_TOKEN: ${{ steps.token.outputs.token }} + 
with: + version: ${{ github.event.inputs.version }} + force: ${{ github.event.inputs.force }} + merge_target: ${{ github.event.inputs.merge_target }} From 5890cc731d60dd83eac5f501c82fd8e08a437d0a Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 13:16:16 +0000 Subject: [PATCH 17/18] build(craft): Update Craft action to c6e2f04 --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 09c904b628..267e89e5a0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -35,7 +35,7 @@ jobs: fetch-depth: 0 - name: Prepare release ${{ github.event.inputs.version }} - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 + uses: getsentry/craft@c6e2f04939b6ee67030588afbb5af76b127d8203 # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From bee5f34c759cfc1a17ede5bd039871150ef7c991 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 22:21:17 +0000 Subject: [PATCH 18/18] chore: add unlabeled trigger to changelog-preview --- .github/workflows/changelog-preview.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml index 5883c004c0..30c6083c6b 100644 --- a/.github/workflows/changelog-preview.yml +++ b/.github/workflows/changelog-preview.yml @@ -7,6 +7,7 @@ on: - reopened - edited - labeled + - unlabeled permissions: contents: write pull-requests: write
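Review bot: In the release.yml hunk of PATCH 16/18 the pinned Craft step keeps the comment `# v2`, a moving major tag, while the same commit gives the other two pins exact versions (`# v2.2.1`, `# v6.0.1`). A comment naming the exact release lets a reader or an update bot check that the SHA is the tagged commit, for example `uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v<exact-release>` with the release that SHA belongs to. PATCH 17/18 replaces the SHA and leaves `# v2` unchanged, so the same applies there.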