chore(deps): bump actions/create-github-app-token from 2.2.2 to 3.1.1

[dependabot]

Bumps actions/create-github-app-token from 2.2.2 to 3.1.1.

Release notes

Sourced from actions/create-github-app-token's releases.

v3.1.1

3.1.1 (2026-04-11)

Bug Fixes

• improve error message when app identifier is empty (#362) (07e2b76), closes #249

v3.1.0

3.1.0 (2026-04-11)

Bug Fixes

• deps: bump p-retry from 7.1.1 to 8.0.0 (#357) (3bbe07d)

Features

• add client-id input and deprecate app-id (#353) (e6bd4e6)
• update permission inputs (#358) (076e948)

v3.0.0

3.0.0 (2026-03-14)

• feat!: node 24 support (#275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#143) (dce0ab0)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
• Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

• deps: bump @​actions/core from 1.11.1 to 3.0.0 (#337) (b044133)
• deps: bump minimatch from 9.0.5 to 9.0.9 (#335) (5cbc656)
• deps: bump the production-dependencies group with 4 updates (#336) (6bda5bc)
• deps: bump undici from 7.16.0 to 7.18.2 (#323) (b4f638f)

... (truncated)

Commits

• 1b10c78 build(release): 3.1.1 [skip ci]
• 07e2b76 fix: improve error message when app identifier is empty (#362)
• ea01216 ci: remove publish-immutable-action workflow (#361)
• 7bd0371 build(release): 3.1.0 [skip ci]
• e6bd4e6 feat: add client-id input and deprecate app-id (#353)
• 076e948 feat: update permission inputs (#358)
• 3bbe07d fix(deps): bump p-retry from 7.1.1 to 8.0.0 (#357)
• 28a99e3 build(deps-dev): bump c8 from 10.1.3 to 11.0.0
• 4df5060 build(deps-dev): bump open-cli from 8.0.0 to 9.0.0
• 4843c53 build(deps-dev): bump the development-dependencies group with 3 updates
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Note

Medium Risk
Upgrades the GitHub App token generation step in the release workflow to a new major version, which could affect CI/release execution if inputs or runner requirements have changed.

Overview
Updates the version-bump.yml release workflow to use actions/create-github-app-token v3.1.1 (pinned SHA) instead of the previous v2 pin for generating the release GitHub App token.

^{Reviewed by Cursor Bugbot for commit 1188d3b. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 1188d3b. Configure here.}

[cursor]

Deprecated app-id parameter used with Client ID secret

Medium Severity

After bumping to v3.1.1, the workflow still passes secrets.RELEASE_APP_CLIENT_ID to the deprecated app-id parameter. The v3.1.0 release specifically added client-id as the replacement input for Client IDs and deprecated app-id. The secret name strongly indicates it contains a Client ID, which means the parameter should be client-id rather than app-id. While app-id still works as a deprecated fallback, this mismatch risks breakage in a future version and may emit deprecation warnings.

 

^{Reviewed by Cursor Bugbot for commit 1188d3b. Configure here.}

[github-actions]

PR Metrics

Metric	Value
Lines changed (prod code)	+1 / -1
JS bundle size (gzipped)	🟢 1.02 MB → 1.02 MB (-4.4 KB, -0.4%)
Test coverage	🟢 70.79% → 70.79% (+0.0%)
Performance (preview)	Preview not ready — Render deploy may have timed out
Accessibility	—
Best Practices	—
SEO	—

Updated Wed, 06 May 2026 19:51:40 GMT · run #1408