chore(deps): bump actions/create-github-app-token from 2 to 3 in the release group

[dependabot]

Bumps the release group with 1 update: actions/create-github-app-token.

Updates actions/create-github-app-token from 2 to 3

Release notes

Sourced from actions/create-github-app-token's releases.

v3.0.0

3.0.0 (2026-03-14)

• feat!: node 24 support (#275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#143) (dce0ab0)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
• Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

• deps: bump @​actions/core from 1.11.1 to 3.0.0 (#337) (b044133)
• deps: bump minimatch from 9.0.5 to 9.0.9 (#335) (5cbc656)
• deps: bump the production-dependencies group with 4 updates (#336) (6bda5bc)
• deps: bump undici from 7.16.0 to 7.18.2 (#323) (b4f638f)

v3.0.0-beta.5

3.0.0-beta.5 (2026-03-13)

• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (d53a1cd)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.

v3.0.0-beta.4

3.0.0-beta.4 (2026-03-13)

Bug Fixes

• deps: bump @​octokit/auth-app from 7.2.1 to 8.0.1 (#257) (bef1eaf)
• deps: bump @​octokit/request from 9.2.3 to 10.0.2 (#256) (5d7307b)
• deps: bump glob from 10.4.5 to 10.5.0 (#305) (5480f43)
• deps: bump p-retry from 6.2.1 to 7.1.0 (#294) (dce3be8)

... (truncated)

Commits

• f8d387b build(release): 3.0.0 [skip ci]
• d2129bd style: remove extra blank line in release workflow
• 77b94ef build: refresh generated artifacts
• 3ab4c66 chore: move undici to devDependencies
• 739cf66 docs: update README action versions
• db40289 build(deps): bump actions versions in test.yml
• 496a7ac test: migrate from AVA to Node.js native test runner (#346)
• 3870dc3 Rename end-to-end proxy job in test workflow
• 4451bcb fix!: require NODE_USE_ENV_PROXY for proxy support (#342)
• dce0ab0 fix: remove custom proxy handling (#143)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[lerian-studio]

🔍 Lint Analysis

Check	Files Scanned	Status
YAML Lint	5 file(s)	✅ success
Action Lint	5 file(s)	❌ failure
Pinned Actions	5 file(s)	❌ failure
Markdown Link Check	no changes	⏭️ skipped
Spelling Check	5 file(s)	✅ success
Shell Check	5 file(s)	❌ failure
README Check	5 file(s)	✅ success
Composite Schema	no changes	⏭️ skipped

❌ Failures (3)

Action Lint

.github

• .github (line 491) — �[31m❌ [actionlint] The command ran successfully and some problem was found (found 3 errors, linted 5 files), exit code: 1�[0m

.github/workflows/helm-update-chart.yml

• .github/workflows/helm-update-chart.yml (line 478) — shellcheck reported issue in this script: SC2129:style:6:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects
• .github/workflows/helm-update-chart.yml (line 478) — shellcheck reported issue in this script: SC2129:style:19:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects
• .github/workflows/helm-update-chart.yml (line 417) — shellcheck reported issue in this script: SC2034:warning:4:1: COMMIT_MSG appears unused. Verify use (or export if used externally)

Pinned Actions

.github/workflows/release-notification.yml

• .github/workflows/release-notification.yml (line 117) — External action not pinned by SHA: uses: actions/create-github-app-token@v3 (use full commit SHA with a # vX.Y.Z comment)

.github/workflows/helm-update-chart.yml

• .github/workflows/helm-update-chart.yml (line 189) — External action not pinned by SHA: uses: actions/setup-go@v6 (use full commit SHA with a # vX.Y.Z comment)
• .github/workflows/helm-update-chart.yml (line 156) — External action not pinned by SHA: uses: actions/checkout@v6 (use full commit SHA with a # vX.Y.Z comment)
• .github/workflows/helm-update-chart.yml (line 103) — External action not pinned by SHA: uses: actions/create-github-app-token@v3 (use full commit SHA with a # vX.Y.Z comment)

.github/workflows/gptchangelog.yml

• .github/workflows/gptchangelog.yml (line 736) — External action not pinned by SHA: uses: slackapi/slack-github-action@v1.24.0 (use full commit SHA with a # vX.Y.Z comment)
• .github/workflows/gptchangelog.yml (line 282) — External action not pinned by SHA: uses: crazy-max/ghaction-import-gpg@v7 (use full commit SHA with a # vX.Y.Z comment)
• .github/workflows/gptchangelog.yml (line 262) — External action not pinned by SHA: uses: actions/checkout@v6 (use full commit SHA with a # vX.Y.Z comment)
• .github/workflows/gptchangelog.yml (line 255) — External action not pinned by SHA: uses: actions/create-github-app-token@v3 (use full commit SHA with a # vX.Y.Z comment)
• .github/workflows/gptchangelog.yml (line 142) — External action not pinned by SHA: uses: actions/checkout@v6 (use full commit SHA with a # vX.Y.Z comment)
• .github/workflows/gptchangelog.yml (line 65) — External action not pinned by SHA: uses: actions/checkout@v6 (use full commit SHA with a # vX.Y.Z comment)

Shell Check

.github

• .github (line 136) — Process completed with exit code 1.
• .github (line 135) — Found 2 shellcheck error(s) in run: blocks.

⚠️ Warnings (2)

Shell Check

.github/workflows/helm-update-chart.yml

• .github/workflows/helm-update-chart.yml — Step "Push branch and create PR" (script line 4): [SC2034] COMMIT_MSG appears unused. Verify use (or export if used externally).
• .github/workflows/helm-update-chart.yml — Step "Build scripts" (script line 1): [SC2164] Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

---

_{🔍 View full scan logs}

[bedatty]

Dependency update reviewed. Major bump (v2 → v3). Breaking changes (proxy handling removal, runner version requirement) do not affect current usage — no custom proxy, GitHub-hosted runners. API inputs remain identical. Auto-approved.

[lerian-studio]

🛡️ CodeQL Analysis Results

Languages analyzed: actions

Found 2 issue(s): 2 Medium

Severity	Rule	File	Message
🟡 Medium	actions/missing-workflow-permissions	.github/workflows/release-notification.yml:110	Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. C...
🟡 Medium	actions/untrusted-checkout/medium	.github/workflows/helm-update-chart.yml:155	Potential unsafe checkout of untrusted pull request on privileged workflow.

---

_{🔍 View full scan logs | 🛡️ Security tab}