chore(deps): bump actions/create-github-app-token from 2 to 3 in the release group across 1 directory #147

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/github_actions/develop/release-1730de5550

@dependabot dependabot bot commented on behalf of github Mar 16, 2026

Bumps the release group with 1 update in the / directory: actions/create-github-app-token.

Updates actions/create-github-app-token from 2 to 3

Release notes

Sourced from actions/create-github-app-token's releases.

v3.0.0

3.0.0 (2026-03-14)

Bug Fixes

BREAKING CHANGES

  • Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
  • Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

  • deps: bump @​actions/core from 1.11.1 to 3.0.0 (#337) (b044133)
  • deps: bump minimatch from 9.0.5 to 9.0.9 (#335) (5cbc656)
  • deps: bump the production-dependencies group with 4 updates (#336) (6bda5bc)
  • deps: bump undici from 7.16.0 to 7.18.2 (#323) (b4f638f)

v3.0.0-beta.5

3.0.0-beta.5 (2026-03-13)

  • fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (d53a1cd)

BREAKING CHANGES

  • Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.

v3.0.0-beta.4

3.0.0-beta.4 (2026-03-13)

Bug Fixes

  • deps: bump @​octokit/auth-app from 7.2.1 to 8.0.1 (#257) (bef1eaf)
  • deps: bump @​octokit/request from 9.2.3 to 10.0.2 (#256) (5d7307b)
  • deps: bump glob from 10.4.5 to 10.5.0 (#305) (5480f43)
  • deps: bump p-retry from 6.2.1 to 7.1.0 (#294) (dce3be8)

... (truncated)

Commits
  • f8d387b build(release): 3.0.0 [skip ci]
  • d2129bd style: remove extra blank line in release workflow
  • 77b94ef build: refresh generated artifacts
  • 3ab4c66 chore: move undici to devDependencies
  • 739cf66 docs: update README action versions
  • db40289 build(deps): bump actions versions in test.yml
  • 496a7ac test: migrate from AVA to Node.js native test runner (#346)
  • 3870dc3 Rename end-to-end proxy job in test workflow
  • 4451bcb fix!: require NODE_USE_ENV_PROXY for proxy support (#342)
  • dce0ab0 fix: remove custom proxy handling (#143)
  • Additional commits viewable in compare view

dependabot bot commented on behalf of github Mar 16, 2026

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot requested a review from a team as a code owner March 16, 2026 11:30
@dependabot dependabot bot force-pushed the dependabot/github_actions/develop/release-1730de5550 branch from 5b426b8 to da7e7f3 Compare March 20, 2026 17:56
@lerian-studio lerian-studio added the size/XS PR changes < 50 lines label Mar 20, 2026
@github-actions github-actions bot added workflow Changes to one or more reusable workflow files typescript Changes to TypeScript or Frontend workflows labels Mar 20, 2026

lerian-studio commented Mar 20, 2026

🔍 Lint Analysis

| Check | Files Scanned | Status |
|---|---|---|
| YAML Lint | 5 file(s) | ✅ success |
| Action Lint | 5 file(s) | ✅ success |
| Pinned Actions | 5 file(s) | ❌ failure |
| Markdown Link Check | no changes | ⏭️ skipped |
| Spelling Check | 5 file(s) | ✅ success |
| Shell Check | 5 file(s) | ✅ success |
| README Check | 5 file(s) | ✅ success |
| Composite Schema | no changes | ⏭️ skipped |

❌ Failures (1)

Pinned Actions

.github

  • .github (line 92) — Process completed with exit code 1.
  • .github (line 91) — Found 8 external action(s) not pinned by commit SHA. Pin using the full SHA with a version comment (e.g., @abc123 # v6).

.github/workflows/release-notification.yml

  • .github/workflows/release-notification.yml (line 124) — External action not pinned by SHA: uses: actions/checkout@v6 (use full commit SHA with a # vX.Y.Z comment)
  • .github/workflows/release-notification.yml (line 117) — External action not pinned by SHA: uses: actions/create-github-app-token@v3 (use full commit SHA with a # vX.Y.Z comment)

.github/workflows/gptchangelog.yml

  • .github/workflows/gptchangelog.yml (line 736) — External action not pinned by SHA: uses: slackapi/slack-github-action@v1.24.0 (use full commit SHA with a # vX.Y.Z comment)
  • .github/workflows/gptchangelog.yml (line 282) — External action not pinned by SHA: uses: crazy-max/ghaction-import-gpg@v7 (use full commit SHA with a # vX.Y.Z comment)
  • .github/workflows/gptchangelog.yml (line 262) — External action not pinned by SHA: uses: actions/checkout@v6 (use full commit SHA with a # vX.Y.Z comment)
  • .github/workflows/gptchangelog.yml (line 255) — External action not pinned by SHA: uses: actions/create-github-app-token@v3 (use full commit SHA with a # vX.Y.Z comment)
  • .github/workflows/gptchangelog.yml (line 142) — External action not pinned by SHA: uses: actions/checkout@v6 (use full commit SHA with a # vX.Y.Z comment)
  • .github/workflows/gptchangelog.yml (line 65) — External action not pinned by SHA: uses: actions/checkout@v6 (use full commit SHA with a # vX.Y.Z comment)

🔍 View full scan logs

@bedatty bedatty self-assigned this Mar 20, 2026

@bedatty bedatty left a comment

Dependency update reviewed. Major bump (v2 → v3). Breaking changes (proxy handling removal, runner version requirement) do not affect current usage — no custom proxy, GitHub-hosted runners. API inputs remain identical. Auto-approved.

@dependabot dependabot bot force-pushed the dependabot/github_actions/develop/release-1730de5550 branch from da7e7f3 to 45f3873 Compare March 23, 2026 11:22
@lerian-studio lerian-studio added size/XS PR changes < 50 lines and removed size/XS PR changes < 50 lines labels Mar 23, 2026
@dependabot dependabot bot force-pushed the dependabot/github_actions/develop/release-1730de5550 branch from 45f3873 to dc91697 Compare March 26, 2026 17:35

lerian-studio commented Mar 26, 2026

🛡️ CodeQL Analysis Results

Languages analyzed: actions

Found 2 issue(s): 2 Medium

| Severity | Rule | File | Message |
|---|---|---|---|
| 🟡 Medium | actions/missing-workflow-permissions | .github/workflows/release-notification.yml:110 | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. C... |
| 🟡 Medium | actions/untrusted-checkout/medium | .github/workflows/helm-update-chart.yml:155 | Potential unsafe checkout of untrusted pull request on privileged workflow. |

🔍 View full scan logs | 🛡️ Security tab

@dependabot dependabot bot changed the title chore(deps): bump actions/create-github-app-token from 2 to 3 in the release group chore(deps): bump actions/create-github-app-token from 2 to 3 in the release group across 1 directory Mar 30, 2026
@dependabot dependabot bot force-pushed the dependabot/github_actions/develop/release-1730de5550 branch 2 times, most recently from 2e6f234 to 5cc409b Compare March 31, 2026 19:21
Bumps the release group with 1 update: [actions/create-github-app-token](https://github.com/actions/create-github-app-token).


Updates `actions/create-github-app-token` from 2 to 3
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](actions/create-github-app-token@v2...v3)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: release
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/github_actions/develop/release-1730de5550 branch from 5cc409b to e25c7cf Compare March 31, 2026 20:47