From d83b777453fc5f02af6215752b2ffdf38f9dc003 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya <byk@sentry.io>
Date: Fri, 9 Jan 2026 17:56:21 +0000
Subject: [PATCH 01/13] ci(release): Switch from action-prepare-release to
 Craft

This PR migrates from the deprecated action-prepare-release to the new
Craft GitHub Actions (reusable workflow or composite action).

Changes:
- Migrate .github/workflows/release.yml to Craft reusable workflow
---
 .github/workflows/changelog-preview.yml | 13 +++++++++
 .github/workflows/release.yml           | 38 ++++++-------------------
 2 files changed, 21 insertions(+), 30 deletions(-)
 create mode 100644 .github/workflows/changelog-preview.yml

diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml
new file mode 100644
index 00000000..1ed10213
--- /dev/null
+++ b/.github/workflows/changelog-preview.yml
@@ -0,0 +1,13 @@
+name: Changelog Preview
+on:
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - edited
+    - labeled
+jobs:
+  changelog-preview:
+    uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
+    secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ce163aed..22a94a9d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,39 +1,17 @@
 name: Release
-
-permissions:
-  contents: read
-
 on:
   workflow_dispatch:
     inputs:
       version:
-        description: Version to release
-        required: true
+        description: Version to release (or "auto")
+        required: false
       force:
-        description: Force a release even when there are release-blockers (optional)
+        description: Force a release even when there are release-blockers
         required: false
-
 jobs:
   release:
-    runs-on: ubuntu-latest
-    name: "Release a new version"
-    steps:
-      - name: Get auth token
-        id: token
-        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
-        with:
-          app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
-          private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
-
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ steps.token.outputs.token }}
-          fetch-depth: 0
-
-      - name: Prepare release
-        uses: getsentry/action-prepare-release@v1
-        env:
-          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
-        with:
-          version: ${{ github.event.inputs.version }}
-          force: ${{ github.event.inputs.force }}
\ No newline at end of file
+    uses: getsentry/craft/.github/workflows/release.yml@v2
+    with:
+      version: ${{ inputs.version }}
+      force: ${{ inputs.force }}
+    secrets: inherit

From 2b321b2c85aed7ba37dd1a18e5d1b9f91cad1c6a Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya <byk@sentry.io>
Date: Fri, 9 Jan 2026 23:02:25 +0000
Subject: [PATCH 02/13] ci(release): Restore GitHub App token authentication

The previous migration incorrectly removed the GitHub App token
authentication step. This commit restores it by switching to the
composite action pattern which preserves the auth flow.
---
 .github/workflows/release.yml | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 22a94a9d..7c309d5b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,8 +10,23 @@ on:
         required: false
 jobs:
   release:
-    uses: getsentry/craft/.github/workflows/release.yml@v2
-    with:
-      version: ${{ inputs.version }}
-      force: ${{ inputs.force }}
-    secrets: inherit
+    runs-on: ubuntu-latest
+    name: Release a new version
+    steps:
+    - name: Get auth token
+      id: token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
+        private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
+    - uses: actions/checkout@v4
+      with:
+        token: ${{ steps.token.outputs.token }}
+        fetch-depth: 0
+    - name: Prepare release
+      uses: getsentry/craft@v2
+      env:
+        GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+      with:
+        version: ${{ inputs.version }}
+        force: ${{ inputs.force }}

From c7cd077b0c769d0173b0a00daf6d3167f3f08275 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya <byk@sentry.io>
Date: Sat, 10 Jan 2026 00:26:38 +0000
Subject: [PATCH 03/13] fix: Pin actions to SHA and add permissions blocks

---
 .github/workflows/changelog-preview.yml     |  4 ++++
 .github/workflows/danger-workflow-tests.yml |  6 +++---
 .github/workflows/release.yml               | 10 +++++++---
 .github/workflows/script-tests.yml          |  4 ++--
 .github/workflows/workflow-tests.yml        |  8 ++++----
 5 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml
index 1ed10213..5883c004 100644
--- a/.github/workflows/changelog-preview.yml
+++ b/.github/workflows/changelog-preview.yml
@@ -7,6 +7,10 @@ on:
     - reopened
     - edited
     - labeled
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   changelog-preview:
     uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
diff --git a/.github/workflows/danger-workflow-tests.yml b/.github/workflows/danger-workflow-tests.yml
index bd24ebbc..fa2b6f72 100644
--- a/.github/workflows/danger-workflow-tests.yml
+++ b/.github/workflows/danger-workflow-tests.yml
@@ -15,7 +15,7 @@ jobs:
   pr-analysis:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 
       - name: Run danger action
         id: danger
@@ -39,7 +39,7 @@ jobs:
   extra-dangerfile-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 
       - name: Run danger with extra dangerfile
         id: danger-extra
@@ -64,7 +64,7 @@ jobs:
   extra-packages-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 
       # Create a test dangerfile that requires curl
       - name: Create test dangerfile requiring curl
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7c309d5b..44e1fcce 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,10 @@ on:
       force:
         description: Force a release even when there are release-blockers
         required: false
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -15,16 +19,16 @@ jobs:
     steps:
     - name: Get auth token
       id: token
-      uses: actions/create-github-app-token@v1
+      uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2
       with:
         app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
         private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
       with:
         token: ${{ steps.token.outputs.token }}
         fetch-depth: 0
     - name: Prepare release
-      uses: getsentry/craft@v2
+      uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2
       env:
         GITHUB_TOKEN: ${{ steps.token.outputs.token }}
       with:
diff --git a/.github/workflows/script-tests.yml b/.github/workflows/script-tests.yml
index 2b79699f..9642137c 100644
--- a/.github/workflows/script-tests.yml
+++ b/.github/workflows/script-tests.yml
@@ -20,7 +20,7 @@ jobs:
     steps:
       - run: git config --global core.autocrlf false
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 
       - run: Invoke-Pester
         working-directory: updater
@@ -35,7 +35,7 @@ jobs:
       run:
         working-directory: danger
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 
       - uses: actions/setup-node@v4
         with:
diff --git a/.github/workflows/workflow-tests.yml b/.github/workflows/workflow-tests.yml
index e804e2db..61063b3c 100644
--- a/.github/workflows/workflow-tests.yml
+++ b/.github/workflows/workflow-tests.yml
@@ -14,7 +14,7 @@ jobs:
   updater-pr-creation:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 
       - name: Run updater action
         id: updater
@@ -63,7 +63,7 @@ jobs:
   updater-target-branch:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 
       - name: Run updater action with target-branch
         id: updater
@@ -113,7 +113,7 @@ jobs:
   updater-no-changes:
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 
       - name: Run updater action
         id: updater
@@ -167,7 +167,7 @@ jobs:
           - macos
           - windows
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 
       - uses: ./sentry-cli/integration-test/
         with:

From 0fe7898dbf311d4b379b31f78c4d63132aa6e768 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya <byk@sentry.io>
Date: Sat, 10 Jan 2026 01:28:31 +0000
Subject: [PATCH 04/13] fix: Use correct action version SHAs (restore original
 versions)

---
 .github/workflows/danger-workflow-tests.yml | 6 +++---
 .github/workflows/release.yml               | 2 +-
 .github/workflows/script-tests.yml          | 6 +++---
 .github/workflows/workflow-tests.yml        | 8 ++++----
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/danger-workflow-tests.yml b/.github/workflows/danger-workflow-tests.yml
index fa2b6f72..958bc942 100644
--- a/.github/workflows/danger-workflow-tests.yml
+++ b/.github/workflows/danger-workflow-tests.yml
@@ -15,7 +15,7 @@ jobs:
   pr-analysis:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
 
       - name: Run danger action
         id: danger
@@ -39,7 +39,7 @@ jobs:
   extra-dangerfile-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
 
       - name: Run danger with extra dangerfile
         id: danger-extra
@@ -64,7 +64,7 @@ jobs:
   extra-packages-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
 
       # Create a test dangerfile that requires curl
       - name: Create test dangerfile requiring curl
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 44e1fcce..7a92eedd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,7 +23,7 @@ jobs:
       with:
         app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
         private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
-    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
       with:
         token: ${{ steps.token.outputs.token }}
         fetch-depth: 0
diff --git a/.github/workflows/script-tests.yml b/.github/workflows/script-tests.yml
index 9642137c..1ec118c5 100644
--- a/.github/workflows/script-tests.yml
+++ b/.github/workflows/script-tests.yml
@@ -20,7 +20,7 @@ jobs:
     steps:
       - run: git config --global core.autocrlf false
 
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
 
       - run: Invoke-Pester
         working-directory: updater
@@ -35,9 +35,9 @@ jobs:
       run:
         working-directory: danger
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: '18'
 
diff --git a/.github/workflows/workflow-tests.yml b/.github/workflows/workflow-tests.yml
index 61063b3c..8468aa5f 100644
--- a/.github/workflows/workflow-tests.yml
+++ b/.github/workflows/workflow-tests.yml
@@ -14,7 +14,7 @@ jobs:
   updater-pr-creation:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
 
       - name: Run updater action
         id: updater
@@ -63,7 +63,7 @@ jobs:
   updater-target-branch:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
 
       - name: Run updater action with target-branch
         id: updater
@@ -113,7 +113,7 @@ jobs:
   updater-no-changes:
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
 
       - name: Run updater action
         id: updater
@@ -167,7 +167,7 @@ jobs:
           - macos
           - windows
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
 
       - uses: ./sentry-cli/integration-test/
         with:

From 8ea94903b69e4e0a08c9f790a8aa00766a934133 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya <byk@sentry.io>
Date: Sat, 10 Jan 2026 01:57:36 +0000
Subject: [PATCH 05/13] fix: Use correct action version SHAs (restore original
 versions)

---
 .github/workflows/danger-workflow-tests.yml | 6 +++---
 .github/workflows/release.yml               | 2 +-
 .github/workflows/script-tests.yml          | 6 +++---
 .github/workflows/workflow-tests.yml        | 8 ++++----
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/danger-workflow-tests.yml b/.github/workflows/danger-workflow-tests.yml
index 958bc942..56e2daee 100644
--- a/.github/workflows/danger-workflow-tests.yml
+++ b/.github/workflows/danger-workflow-tests.yml
@@ -15,7 +15,7 @@ jobs:
   pr-analysis:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
 
       - name: Run danger action
         id: danger
@@ -39,7 +39,7 @@ jobs:
   extra-dangerfile-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
 
       - name: Run danger with extra dangerfile
         id: danger-extra
@@ -64,7 +64,7 @@ jobs:
   extra-packages-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
 
       # Create a test dangerfile that requires curl
       - name: Create test dangerfile requiring curl
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7a92eedd..c54541c3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,7 +23,7 @@ jobs:
       with:
         app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
         private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
-    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
       with:
         token: ${{ steps.token.outputs.token }}
         fetch-depth: 0
diff --git a/.github/workflows/script-tests.yml b/.github/workflows/script-tests.yml
index 1ec118c5..bd4f207e 100644
--- a/.github/workflows/script-tests.yml
+++ b/.github/workflows/script-tests.yml
@@ -20,7 +20,7 @@ jobs:
     steps:
       - run: git config --global core.autocrlf false
 
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
 
       - run: Invoke-Pester
         working-directory: updater
@@ -35,9 +35,9 @@ jobs:
       run:
         working-directory: danger
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
 
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 # v4
         with:
           node-version: '18'
 
diff --git a/.github/workflows/workflow-tests.yml b/.github/workflows/workflow-tests.yml
index 8468aa5f..5e246fb3 100644
--- a/.github/workflows/workflow-tests.yml
+++ b/.github/workflows/workflow-tests.yml
@@ -14,7 +14,7 @@ jobs:
   updater-pr-creation:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
 
       - name: Run updater action
         id: updater
@@ -63,7 +63,7 @@ jobs:
   updater-target-branch:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
 
       - name: Run updater action with target-branch
         id: updater
@@ -113,7 +113,7 @@ jobs:
   updater-no-changes:
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
 
       - name: Run updater action
         id: updater
@@ -167,7 +167,7 @@ jobs:
           - macos
           - windows
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
 
       - uses: ./sentry-cli/integration-test/
         with:

From eb64144bd813af3e1d553bec77d948b72d1fe274 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya <byk@sentry.io>
Date: Mon, 12 Jan 2026 12:22:04 +0000
Subject: [PATCH 06/13] fix: Clean up action version comments

---
 .github/workflows/danger-workflow-tests.yml | 6 +++---
 .github/workflows/release.yml               | 4 ++--
 .github/workflows/script-tests.yml          | 6 +++---
 .github/workflows/workflow-tests.yml        | 8 ++++----
 4 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/danger-workflow-tests.yml b/.github/workflows/danger-workflow-tests.yml
index 56e2daee..612c9700 100644
--- a/.github/workflows/danger-workflow-tests.yml
+++ b/.github/workflows/danger-workflow-tests.yml
@@ -15,7 +15,7 @@ jobs:
   pr-analysis:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Run danger action
         id: danger
@@ -39,7 +39,7 @@ jobs:
   extra-dangerfile-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Run danger with extra dangerfile
         id: danger-extra
@@ -64,7 +64,7 @@ jobs:
   extra-packages-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       # Create a test dangerfile that requires curl
       - name: Create test dangerfile requiring curl
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c54541c3..b2ce2fd7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,11 +19,11 @@ jobs:
     steps:
     - name: Get auth token
       id: token
-      uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2
+      uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
       with:
         app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
         private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
-    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       with:
         token: ${{ steps.token.outputs.token }}
         fetch-depth: 0
diff --git a/.github/workflows/script-tests.yml b/.github/workflows/script-tests.yml
index bd4f207e..83697dba 100644
--- a/.github/workflows/script-tests.yml
+++ b/.github/workflows/script-tests.yml
@@ -20,7 +20,7 @@ jobs:
     steps:
       - run: git config --global core.autocrlf false
 
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - run: Invoke-Pester
         working-directory: updater
@@ -35,9 +35,9 @@ jobs:
       run:
         working-directory: danger
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: '18'
 
diff --git a/.github/workflows/workflow-tests.yml b/.github/workflows/workflow-tests.yml
index 5e246fb3..e78656b0 100644
--- a/.github/workflows/workflow-tests.yml
+++ b/.github/workflows/workflow-tests.yml
@@ -14,7 +14,7 @@ jobs:
   updater-pr-creation:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Run updater action
         id: updater
@@ -63,7 +63,7 @@ jobs:
   updater-target-branch:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Run updater action with target-branch
         id: updater
@@ -113,7 +113,7 @@ jobs:
   updater-no-changes:
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Run updater action
         id: updater
@@ -167,7 +167,7 @@ jobs:
           - macos
           - windows
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - uses: ./sentry-cli/integration-test/
         with:

From f6cfac9e885368605743f1c9d86c2a7be0d47b0b Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya <ben@byk.im>
Date: Tue, 13 Jan 2026 22:43:14 +0000
Subject: [PATCH 07/13] Update Craft SHA to
 1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b2ce2fd7..fbcac1db 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -28,7 +28,7 @@ jobs:
         token: ${{ steps.token.outputs.token }}
         fetch-depth: 0
     - name: Prepare release
-      uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2
+      uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2
       env:
         GITHUB_TOKEN: ${{ steps.token.outputs.token }}
       with:

From c1995b2fd6a5dde7caf49f3502ed3f9dcdf417bb Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya <ben@byk.im>
Date: Tue, 13 Jan 2026 23:00:54 +0000
Subject: [PATCH 08/13] Add explicit permissions block to versioning.yml

---
 .github/workflows/versioning.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/versioning.yml b/.github/workflows/versioning.yml
index 7b5f58f7..645f1e02 100644
--- a/.github/workflows/versioning.yml
+++ b/.github/workflows/versioning.yml
@@ -5,6 +5,10 @@ on:
   # release:
   #  types: [published, edited]
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   actions-tagger:
     runs-on: ubuntu-latest

From d606d975a47e138388585d554f5e6675ed7ce955 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya <ben@byk.im>
Date: Tue, 13 Jan 2026 23:12:38 +0000
Subject: [PATCH 09/13] Revert permissions changes to versioning.yml

---
 .github/workflows/versioning.yml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/.github/workflows/versioning.yml b/.github/workflows/versioning.yml
index 645f1e02..7b5f58f7 100644
--- a/.github/workflows/versioning.yml
+++ b/.github/workflows/versioning.yml
@@ -5,10 +5,6 @@ on:
   # release:
   #  types: [published, edited]
 
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   actions-tagger:
     runs-on: ubuntu-latest

From 08293469b04762bf9994ddc7ffeb55bdbcec423f Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya <byk@sentry.io>
Date: Tue, 13 Jan 2026 23:56:04 +0000
Subject: [PATCH 10/13] fix: revert extraneous changes to non-release workflow
 files

---
 .github/workflows/danger-workflow-tests.yml | 6 +++---
 .github/workflows/script-tests.yml          | 6 +++---
 .github/workflows/workflow-tests.yml        | 8 ++++----
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/danger-workflow-tests.yml b/.github/workflows/danger-workflow-tests.yml
index 612c9700..bd24ebbc 100644
--- a/.github/workflows/danger-workflow-tests.yml
+++ b/.github/workflows/danger-workflow-tests.yml
@@ -15,7 +15,7 @@ jobs:
   pr-analysis:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@v4
 
       - name: Run danger action
         id: danger
@@ -39,7 +39,7 @@ jobs:
   extra-dangerfile-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@v4
 
       - name: Run danger with extra dangerfile
         id: danger-extra
@@ -64,7 +64,7 @@ jobs:
   extra-packages-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@v4
 
       # Create a test dangerfile that requires curl
       - name: Create test dangerfile requiring curl
diff --git a/.github/workflows/script-tests.yml b/.github/workflows/script-tests.yml
index 83697dba..2b79699f 100644
--- a/.github/workflows/script-tests.yml
+++ b/.github/workflows/script-tests.yml
@@ -20,7 +20,7 @@ jobs:
     steps:
       - run: git config --global core.autocrlf false
 
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@v4
 
       - run: Invoke-Pester
         working-directory: updater
@@ -35,9 +35,9 @@ jobs:
       run:
         working-directory: danger
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@v4
 
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      - uses: actions/setup-node@v4
         with:
           node-version: '18'
 
diff --git a/.github/workflows/workflow-tests.yml b/.github/workflows/workflow-tests.yml
index e78656b0..e804e2db 100644
--- a/.github/workflows/workflow-tests.yml
+++ b/.github/workflows/workflow-tests.yml
@@ -14,7 +14,7 @@ jobs:
   updater-pr-creation:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@v4
 
       - name: Run updater action
         id: updater
@@ -63,7 +63,7 @@ jobs:
   updater-target-branch:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@v4
 
       - name: Run updater action with target-branch
         id: updater
@@ -113,7 +113,7 @@ jobs:
   updater-no-changes:
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@v4
 
       - name: Run updater action
         id: updater
@@ -167,7 +167,7 @@ jobs:
           - macos
           - windows
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@v4
 
       - uses: ./sentry-cli/integration-test/
         with:

From 6ed98305033ee2c9aa49b624046367e140b1039f Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya <byk@sentry.io>
Date: Wed, 14 Jan 2026 11:12:57 +0000
Subject: [PATCH 11/13] fix: clean up release.yml formatting and version
 comments

---
 .github/workflows/release.yml | 47 +++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fbcac1db..4973797d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,8 @@
 name: Release
+
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
@@ -6,31 +10,30 @@ on:
         description: Version to release (or "auto")
         required: false
       force:
-        description: Force a release even when there are release-blockers
+        description: Force a release even when there are release-blockers (optional)
         required: false
-permissions:
-  contents: write
-  pull-requests: write
 
 jobs:
   release:
     runs-on: ubuntu-latest
-    name: Release a new version
+    name: "Release a new version"
     steps:
-    - name: Get auth token
-      id: token
-      uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
-      with:
-        app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
-        private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      with:
-        token: ${{ steps.token.outputs.token }}
-        fetch-depth: 0
-    - name: Prepare release
-      uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2
-      env:
-        GITHUB_TOKEN: ${{ steps.token.outputs.token }}
-      with:
-        version: ${{ inputs.version }}
-        force: ${{ inputs.force }}
+      - name: Get auth token
+        id: token
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        with:
+          app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ steps.token.outputs.token }}
+          fetch-depth: 0
+
+      - name: Prepare release
+        uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2
+        env:
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+        with:
+          version: ${{ github.event.inputs.version }}
+          force: ${{ github.event.inputs.force }}
\ No newline at end of file

From 12ea7a235f0ad83ca7e6984cb05dba782a1a2d8c Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya <byk@sentry.io>
Date: Wed, 14 Jan 2026 12:19:11 +0000
Subject: [PATCH 12/13] build(craft): Update Craft action to c6e2f04

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4973797d..30106f99 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,7 +31,7 @@ jobs:
           fetch-depth: 0
 
       - name: Prepare release
-        uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2
+        uses: getsentry/craft@c6e2f04939b6ee67030588afbb5af76b127d8203 # v2
         env:
           GITHUB_TOKEN: ${{ steps.token.outputs.token }}
         with:

From 10cbfa5fd504629cb77696eff26a822e29d6f008 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya <ben@byk.im>
Date: Wed, 14 Jan 2026 22:20:48 +0000
Subject: [PATCH 13/13] chore: add unlabeled trigger to changelog-preview

---
 .github/workflows/changelog-preview.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml
index 5883c004..30c6083c 100644
--- a/.github/workflows/changelog-preview.yml
+++ b/.github/workflows/changelog-preview.yml
@@ -7,6 +7,7 @@ on:
     - reopened
     - edited
     - labeled
+    - unlabeled
 permissions:
   contents: write
   pull-requests: write