
chore(deps): update actions/create-github-app-token action to v2.2.2 #26

Open: renovate[bot] wants to merge 1 commit into main from renovate/actions-create-github-app-token-2.x
@renovate renovate bot commented Mar 16, 2026

This PR contains the following updates:

Package | Type | Update | Change
actions/create-github-app-token | action | patch | v2.2.1 → v2.2.2

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v2.2.2

Compare Source


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Update: v2.2.1 → v2.2.2 (patch version)

Type of Changes: Dependency updates and security fixes only

Key Changes:

  • Security Fix: undici updated from 7.16.0 to 7.18.2, addressing CVE-2026-22036 (Content-Encoding chain limit to prevent resource exhaustion attacks)
  • @actions/core: Updated from 1.11.1 to 3.0.0
  • minimatch: Upgraded from 9.0.5 to 9.0.9
  • tar: Updated from 7.4.3 to 7.5.11 with zstd compression support and symlink handling security fixes
  • Multiple development dependencies: Various minor version updates (esbuild, execa, yaml, lodash, dotenv, etc.)

Breaking Changes: None identified

API Changes: None - all inputs, outputs, and functionality remain identical between v2.2.1 and v2.2.2

🎯 Impact Scope Investigation

Usage Location:

  • Single usage found in .github/workflows/release-please.yml:28
  • Used to create a GitHub App token for the Release Please workflow
  • Current usage pattern:
    - uses: actions/create-github-app-token@...
      with:
        app-id: ${{ vars.RELEASE_PLEASE_APP_ID }}
        private-key: ${{ secrets.RELEASE_PLEASE_APP_PRIVATE_KEY }}
        permission-contents: write
        permission-pull-requests: write
        permission-issues: write

Compatibility Analysis:

  • No changes to action interface (inputs/outputs remain identical)
  • All three permission inputs used (permission-contents, permission-pull-requests, permission-issues) are stable
  • Token output is used in the same manner by googleapis/release-please-action
  • No configuration file changes required

Dependency Impact:

  • This is a GitHub Action (runs in GitHub's infrastructure), not a direct project dependency
  • No impact on the sandbox codebase's Go modules, Docker build, or runtime dependencies
  • Update only affects the GitHub Actions workflow execution environment

Security Improvements:

  • The undici security patch addresses a resource exhaustion vulnerability (CVE-2026-22036)
  • The tar package update includes symlink handling security improvements
  • These security fixes enhance the reliability of the workflow execution

💡 Recommended Actions

Immediate Actions:

  • Safe to merge immediately - no code changes or migrations required
  • The update is a straightforward patch version bump with backward compatibility maintained
  • Security improvements provide additional stability to the release workflow

Post-Merge Verification:

  • Monitor the next Release Please workflow execution to confirm successful operation
  • No functional changes expected - workflow should behave identically

No Manual Intervention Required:

  • All existing inputs, outputs, and configurations remain compatible
  • No code modifications needed in the workflow file (beyond the version bump already in the PR)

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
