From aba74b781188f75b9fe0e0a029021726f8644621 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Fri, 9 Jan 2026 17:56:11 +0000 Subject: [PATCH 01/13] ci(release): Switch from action-prepare-release to Craft This PR migrates from the deprecated action-prepare-release to the new Craft GitHub Actions (reusable workflow or composite action). Changes: - Migrate .github/workflows/release.yml to Craft reusable workflow --- .github/workflows/changelog-preview.yml | 13 ++++++++++ .github/workflows/release.yml | 32 +++++++------------------ 2 files changed, 21 insertions(+), 24 deletions(-) create mode 100644 .github/workflows/changelog-preview.yml diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml new file mode 100644 index 00000000..1ed10213 --- /dev/null +++ b/.github/workflows/changelog-preview.yml @@ -0,0 +1,13 @@ +name: Changelog Preview +on: + pull_request: + types: + - opened + - synchronize + - reopened + - edited + - labeled +jobs: + changelog-preview: + uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 + secrets: inherit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 885ec353..22a94a9d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
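Review bot: The new `changelog-preview` job calls `getsentry/craft/.github/workflows/changelog-preview.yml@v2` with `secrets: inherit`, so every secret visible to this workflow is handed to whatever commit the mutable `v2` tag points at when a pull-request event fires. Pin the reusable workflow to a full commit SHA with the release in a trailing comment, e.g. `uses: getsentry/craft/.github/workflows/changelog-preview.yml@<FULL_COMMIT_SHA> # v2.x.y`, and pass only the secrets the callee documents instead of inheriting all of them. The release.yml hunk of this patch pairs `@v2` with `secrets: inherit` in the same way on the release job. The new file also declares no `permissions:` block, so the token scope falls back to the repository default.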
@@ -1,33 +1,17 @@ name: Release - on: workflow_dispatch: inputs: version: - description: Version to release - required: true + description: Version to release (or "auto") + required: false force: - description: Force a release even when there are release-blockers (optional) + description: Force a release even when there are release-blockers required: false jobs: release: - runs-on: ubuntu-latest - name: "Release a new version" - steps: - - name: Get auth token - id: token - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 - with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v4 - with: - token: ${{ steps.token.outputs.token }} - fetch-depth: 0 - - name: Prepare release - uses: getsentry/action-prepare-release@v1 - env: - GITHUB_TOKEN: ${{ steps.token.outputs.token }} - with: - version: ${{ github.event.inputs.version }} - force: ${{ github.event.inputs.force }} + uses: getsentry/craft/.github/workflows/release.yml@v2 + with: + version: ${{ inputs.version }} + force: ${{ inputs.force }} + secrets: inherit From 2cd9491bfea3d0412b66511a6ea0e87966c36f0d Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Fri, 9 Jan 2026 23:02:19 +0000 Subject: [PATCH 02/13] ci(release): Restore GitHub App token authentication The previous migration incorrectly removed the GitHub App token authentication step. This commit restores it by switching to the composite action pattern which preserves the auth flow. --- .github/workflows/release.yml | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 22a94a9d..7c309d5b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -10,8 +10,23 @@ on: required: false jobs: release: - uses: getsentry/craft/.github/workflows/release.yml@v2 - with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} - secrets: inherit + runs-on: ubuntu-latest + name: Release a new version + steps: + - name: Get auth token + id: token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} + private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + - uses: actions/checkout@v4 + with: + token: ${{ steps.token.outputs.token }} + fetch-depth: 0 + - name: Prepare release + uses: getsentry/craft@v2 + env: + GITHUB_TOKEN: ${{ steps.token.outputs.token }} + with: + version: ${{ inputs.version }} + force: ${{ inputs.force }} From 55e938fc85931ee4dc503c0e67b13d64eaf175fb Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 00:20:41 +0000 Subject: [PATCH 03/13] fix: Pin actions to SHA and add permissions blocks --- .github/workflows/bootstrap.yml | 4 ++-- .github/workflows/build.yml | 2 +- .github/workflows/changelog-preview.yml | 4 ++++ .github/workflows/integration.yml | 2 +- .github/workflows/lint.yml | 2 +- .github/workflows/release.yml | 10 +++++++--- .github/workflows/test.yml | 2 +- 7 files changed, 17 insertions(+), 9 deletions(-) diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml index 79f65c30..d22ab8c9 100644 --- a/.github/workflows/bootstrap.yml +++ b/.github/workflows/bootstrap.yml @@ -26,7 +26,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 - name: install run: | set -u @@ -46,7 +46,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 - name: remove homebrew run: | sudo rm -rf \ 
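Review bot: In PATCH 02's release.yml hunk the restored `Get auth token` step uses `actions/create-github-app-token@v1`, whereas the step removed in PATCH 01 was pinned as `actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0`. This step receives `secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY`, so it is the reference in the job that most needs an immutable ref; restore the SHA pin rather than the tag. `actions/checkout@v4` and `getsentry/craft@v2` in the same hunk both receive the minted App token and are on mutable tags as well.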
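Review bot: In PATCH 03's bootstrap.yml hunks `actions/checkout@v4` is replaced by a SHA annotated `# v2`, and the build.yml, integration.yml, release.yml and test.yml hunks of the same patch do the same, while the lint.yml hunk replaces `actions/checkout@v3` with that identical SHA. The trailing comment is the only human-readable statement of which release is pinned, so as written the pin either changes the major version of checkout or carries a wrong label; the page does not show which. Resolve the SHA against the upstream tag and record the exact release, e.g. `# v4.x.y`, keeping lint.yml on the major it used before unless the upgrade is intended.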
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 094a4268..9e226afa 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 - uses: actions/setup-python@v4 with: python-version: 3.11 diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml index 1ed10213..5883c004 100644 --- a/.github/workflows/changelog-preview.yml +++ b/.github/workflows/changelog-preview.yml @@ -7,6 +7,10 @@ on: - reopened - edited - labeled +permissions: + contents: write + pull-requests: write + jobs: changelog-preview: uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index f8c7970f..8a55f831 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -29,7 +29,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 - name: install devenv run: | set -u diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 2c54ece7..1770de5d 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -15,7 +15,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 - uses: actions/setup-python@v4 with: python-version: 3.11 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7c309d5b..44e1fcce 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
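Review bot: The `permissions:` block added to changelog-preview.yml grants `contents: write` to a workflow that runs on `pull_request` events and delegates to an external reusable workflow at `@v2`. If the callee only posts or updates a preview comment, `contents: read` together with `pull-requests: write` would be enough; confirm against the Craft documentation before narrowing. The identical block is added to release.yml in this patch, where checkout and Craft already use the App token from `steps.token.outputs.token`, so the write scopes on the default `GITHUB_TOKEN` may be unused there too.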
@@ -8,6 +8,10 @@ on: force: description: Force a release even when there are release-blockers required: false +permissions: + contents: write + pull-requests: write + jobs: release: runs-on: ubuntu-latest @@ -15,16 +19,16 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@v2 + uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8d09e3ea..14235991 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,7 +11,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 - uses: actions/setup-python@v5 with: python-version: | From da506c9330f4385189be73154a3429f3617a3500 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 01:21:45 +0000 Subject: [PATCH 04/13] fix: Use correct action version SHAs (restore original versions) --- .github/workflows/bootstrap.yml | 4 ++-- .github/workflows/build.yml | 2 +- .github/workflows/integration.yml | 2 +- .github/workflows/lint.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/test.yml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml index d22ab8c9..ce6347f4 100644 --- a/.github/workflows/bootstrap.yml +++ b/.github/workflows/bootstrap.yml 
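Review bot: The `Get auth token` step in release.yml goes from `actions/create-github-app-token@v1` to a SHA annotated `# v2`, which reads as a major-version change inside a commit whose subject is only about pinning. Before this series the step was pinned to `5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0`; either reuse that pin or state the upgrade in the commit message and check that the `app-id` and `private-key` inputs behave the same in the new major. The comment on the `getsentry/craft` pin is likewise only `# v2`; a full release number there makes later SHA updates auditable.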
@@ -26,7 +26,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2 - name: install run: | set -u @@ -46,7 +46,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2 - name: remove homebrew run: | sudo rm -rf \ diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9e226afa..6b610069 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2 - uses: actions/setup-python@v4 with: python-version: 3.11 diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 8a55f831..3cfb4153 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -29,7 +29,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2 - name: install devenv run: | set -u diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 1770de5d..c6f65fba 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
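Review bot: In the bootstrap.yml hunks of PATCH 04 the `actions/checkout` SHA is byte-identical on the old and new side; only the trailing comment changes, from `# v2` to `# v4 # v2`. The subject says the SHAs were corrected, but relabelling a hash does not change what runs, and the stale `# v2` is left in place. The same applies to the build.yml, integration.yml, release.yml and test.yml hunks of this patch and to every hunk of PATCH 05, which appends a further `# v4`. Keep a single comment that matches the tag the SHA was resolved from, e.g. `# v4.x.y`.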
@@ -15,7 +15,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3 # v2 - uses: actions/setup-python@v4 with: python-version: 3.11 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 44e1fcce..7a92eedd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,7 +23,7 @@ jobs: with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 14235991..a51f59ee 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,7 +11,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2 - uses: actions/setup-python@v5 with: python-version: | From f9039e7816eddd5fc421975dc962703bd27fda1d Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 01:50:48 +0000 Subject: [PATCH 05/13] fix: Use correct action version SHAs (restore original versions) --- .github/workflows/bootstrap.yml | 4 ++-- .github/workflows/build.yml | 2 +- .github/workflows/integration.yml | 2 +- .github/workflows/lint.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/test.yml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml index ce6347f4..c9879042 100644 --- a/.github/workflows/bootstrap.yml +++ b/.github/workflows/bootstrap.yml 
@@ -26,7 +26,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2 - name: install run: | set -u @@ -46,7 +46,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2 - name: remove homebrew run: | sudo rm -rf \ diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6b610069..a037d3a9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2 - uses: actions/setup-python@v4 with: python-version: 3.11 diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 3cfb4153..0f02ef26 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -29,7 +29,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2 - name: install devenv run: | set -u diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index c6f65fba..6a082819 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -15,7 +15,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3 # v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3 # v3 # v2 - uses: actions/setup-python@v4 with: python-version: 3.11 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7a92eedd..c54541c3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,7 +23,7 @@ jobs: with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a51f59ee..8171d157 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,7 +11,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v2 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2 - uses: actions/setup-python@v5 with: python-version: | From ad6aaf688521d5ada4297c34554170aeb862a815 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Mon, 12 Jan 2026 12:24:50 +0000 Subject: [PATCH 06/13] fix: Clean up action version comments --- .github/workflows/bootstrap.yml | 4 ++-- .github/workflows/build.yml | 2 +- .github/workflows/integration.yml | 2 +- .github/workflows/lint.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/test.yml | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml index c9879042..dfd136fd 100644 --- a/.github/workflows/bootstrap.yml +++ b/.github/workflows/bootstrap.yml 
@@ -26,7 +26,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: install run: | set -u @@ -46,7 +46,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: remove homebrew run: | sudo rm -rf \ diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a037d3a9..44c1e0e5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - uses: actions/setup-python@v4 with: python-version: 3.11 diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 0f02ef26..9f1697df 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -29,7 +29,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: install devenv run: | set -u diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 6a082819..db77fd00 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -15,7 +15,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3 # v3 # v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3 - uses: actions/setup-python@v4 with: python-version: 3.11 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c54541c3..b2ce2fd7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,11 +19,11 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8171d157..d0d9f97f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,7 +11,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # v4 # v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - uses: actions/setup-python@v5 with: python-version: | From cb3ed6892cb5c7f288bee2b8c969f1f668823fe0 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 22:43:04 +0000 Subject: [PATCH 07/13] Update Craft SHA to 1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b2ce2fd7..fbcac1db 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
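Review bot: The lint.yml hunk of PATCH 06 labels `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` as `# v3`, while the bootstrap.yml, build.yml, integration.yml, release.yml and test.yml hunks of the same patch label the identical SHA `# v4`. One commit cannot be both releases, so at least one of these comments is wrong. lint.yml was on `@v3` before the series, so either the lint job now runs a different major than its comment claims or the other five files do. Resolve the SHA upstream and make every comment agree with it.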
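Review bot: The release.yml hunk of PATCH 06 changes the `actions/create-github-app-token` pin from `d72941d797fd3113feb6b93fd0dec494b13a2547` to `29824e69f54612133e76f7eaac726eef6c875baf` while the comment stays `# v2`, in a commit described as a comment clean-up. A SHA change on the step that reads `SENTRY_RELEASE_BOT_PRIVATE_KEY` should be stated in the commit message together with the release it corresponds to. The comment should carry that exact release rather than the major only, so the next reviewer can check the hash against a tag.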
@@ -28,7 +28,7 @@ jobs: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2 + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From 0b6b1356dd5da6f42a641c8010f0f3e146a5f36d Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:00:42 +0000 Subject: [PATCH 08/13] Add explicit permissions block to build.yml --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 44c1e0e5..efc442fb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,6 +3,10 @@ on: push: branches: [main, release/**] +permissions: + contents: write + pull-requests: write + jobs: dist: name: Create Distribution From d72cbec8e5c8a347d10ae4809879c62707ad8bfa Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:12:30 +0000 Subject: [PATCH 09/13] Revert permissions changes to build.yml --- .github/workflows/build.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index efc442fb..094a4268 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,17 +3,13 @@ on: push: branches: [main, release/**] -permissions: - contents: write - pull-requests: write - jobs: dist: name: Create Distribution runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: python-version: 3.11 From dd2f6cd58d964b2675e9b9e438cf898ca2e3f44a Mon Sep 17 00:00:00 2001 
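Review bot: PATCH 09's build.yml hunk removes the whole `permissions:` block and also reverts `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4` to `actions/checkout@v4`, although the subject mentions only permissions. With no block the job token takes the repository or organisation default, which may be broader than intended; if the build only needs to read the tree, declare `permissions:` with `contents: read` instead of deleting it. The `dist` job continues past the end of the hunk, so what it actually needs cannot be confirmed from here. PATCH 10 then drops the checkout pins from bootstrap.yml, integration.yml, lint.yml and test.yml in the same way.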
From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:55:54 +0000 Subject: [PATCH 10/13] fix: revert extraneous changes to non-release workflow files --- .github/workflows/bootstrap.yml | 4 ++-- .github/workflows/integration.yml | 2 +- .github/workflows/lint.yml | 2 +- .github/workflows/test.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml index dfd136fd..79f65c30 100644 --- a/.github/workflows/bootstrap.yml +++ b/.github/workflows/bootstrap.yml @@ -26,7 +26,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/checkout@v4 - name: install run: | set -u @@ -46,7 +46,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/checkout@v4 - name: remove homebrew run: | sudo rm -rf \ diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 9f1697df..f8c7970f 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -29,7 +29,7 @@ jobs: SNTY_DEVENV_BRANCH: "${{ github.event.pull_request && github.head_ref || github.ref_name }}" steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/checkout@v4 - name: install devenv run: | set -u diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index db77fd00..2c54ece7 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -15,7 +15,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3 + - uses: actions/checkout@v3 - uses: actions/setup-python@v4 with: python-version: 3.11 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d0d9f97f..8d09e3ea 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,7 +11,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: python-version: | From 1a9cd99e88c2dac76254a1024a3453bed689f4ff Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 11:12:51 +0000 Subject: [PATCH 11/13] fix: clean up release.yml formatting and version comments --- .github/workflows/release.yml | 39 ++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fbcac1db..e9d83b96 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,5 @@ name: Release + on: workflow_dispatch: inputs: @@ -6,7 +7,7 @@ on: description: Version to release (or "auto") required: false force: - description: Force a release even when there are release-blockers + description: Force a release even when there are release-blockers (optional) required: false permissions: contents: write 
@@ -15,22 +16,22 @@ permissions: jobs: release: runs-on: ubuntu-latest - name: Release a new version + name: "Release a new version" steps: - - name: Get auth token - id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 - with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - token: ${{ steps.token.outputs.token }} - fetch-depth: 0 - - name: Prepare release - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 - env: - GITHUB_TOKEN: ${{ steps.token.outputs.token }} - with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} + - name: Get auth token + id: token + uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 + with: + app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} + private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + - uses: actions/checkout@v4 + with: + token: ${{ steps.token.outputs.token }} + fetch-depth: 0 + - name: Prepare release + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 + env: + GITHUB_TOKEN: ${{ steps.token.outputs.token }} + with: + version: ${{ github.event.inputs.version }} + force: ${{ github.event.inputs.force }} From ae532d0c22ae3a66b59c058f034da305cf923722 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 12:18:57 +0000 Subject: [PATCH 12/13] build(craft): Update Craft action to c6e2f04 --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e9d83b96..e8714687 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
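Review bot: The rewritten `steps:` list in release.yml moves checkout back to `actions/checkout@v4` while the two neighbouring actions stay SHA-pinned, and checkout is the step that is given `token: ${{ steps.token.outputs.token }}`. A mutable tag on the action that receives the release bot's App token undoes the pinning done earlier in the series, and the subject ("formatting and version comments") does not mention it. Keep `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4` here once that label has been checked against the upstream tag.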
@@ -29,7 +29,7 @@ jobs: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 + uses: getsentry/craft@c6e2f04939b6ee67030588afbb5af76b127d8203 # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From 31fa4e03e729f8fad7cef5e9947914f0e78d738f Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 22:20:45 +0000 Subject: [PATCH 13/13] chore: add unlabeled trigger to changelog-preview --- .github/workflows/changelog-preview.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml index 5883c004..30c6083c 100644 --- a/.github/workflows/changelog-preview.yml +++ b/.github/workflows/changelog-preview.yml @@ -7,6 +7,7 @@ on: - reopened - edited - labeled + - unlabeled permissions: contents: write pull-requests: write