From dd14da12c513f5d2bcf0c7d87095a52f96a01a54 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Fri, 9 Jan 2026 18:01:06 +0000
Subject: [PATCH 01/22] ci(release): Switch from action-prepare-release to Craft This PR migrates from the deprecated action-prepare-release to the new Craft GitHub Actions (reusable workflow or composite action). Changes: - Migrate .github/workflows/release.yml to Craft reusable workflow
---
 .github/workflows/changelog-preview.yml | 13 +++++++++
 .github/workflows/release.yml | 38 +++++++------------------
 2 files changed, 23 insertions(+), 28 deletions(-)
 create mode 100644 .github/workflows/changelog-preview.yml
diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml
new file mode 100644
index 0000000000..1ed1021302
--- /dev/null
+++ b/.github/workflows/changelog-preview.yml
@@ -0,0 +1,13 @@
+name: Changelog Preview
+on:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ - reopened
+ - edited
+ - labeled
+jobs:
+ changelog-preview:
+ uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
+ secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 84383c760f..aac4158827 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
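Review bot: In the new changelog-preview.yml, `secrets: inherit` hands every secret available to this repository to a reusable workflow referenced by the movable tag `@v2`, so whatever commit that tag points to at run time runs with those secrets; the release.yml hunk of this patch uses the same pairing for the release job. Pin the reference to a full commit SHA with the release in a trailing comment, `uses: getsentry/craft/.github/workflows/changelog-preview.yml@<full-commit-sha> # <exact-tag>`, and replace `secrets: inherit` with an explicit `secrets:` map naming only what the called workflow declares. The file also has no `permissions:` key, so the job runs with the repository's default token scopes; a top-level `permissions:` block limited to what the preview needs would make that explicit.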
@@ -3,37 +3,19 @@ on:
 workflow_dispatch:
 inputs:
 version:
- description: Version to release
- required: true
+ description: Version to release (or "auto")
+ required: false
 force:
- description: Force a release even when there are release-blockers (optional)
+ description: Force a release even when there are release-blockers
 required: false
 merge_target:
- description: Target branch to merge into. Uses the default branch as a fallback (optional)
+ description: Target branch to merge into
 required: false
-
 jobs:
 release:
- runs-on: ubuntu-latest
- name: "Release a new version"
- steps:
- - name: Get auth token
- id: token
- uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
- with:
- app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
- private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
- - uses: actions/checkout@v6
- with:
- token: ${{ steps.token.outputs.token }}
- # Needs to be set, otherwise git describe --tags will fail with: No names found, cannot describe anything
- fetch-depth: 0
- submodules: 'recursive'
- name: Prepare release
- uses: getsentry/action-prepare-release@v1
- env:
- GITHUB_TOKEN: ${{ steps.token.outputs.token }}
- with:
- version: ${{ github.event.inputs.version }}
- force: ${{ github.event.inputs.force }}
- merge_target: ${{ github.event.inputs.merge_target }}
+ uses: getsentry/craft/.github/workflows/release.yml@v2
+ with:
+ version: ${{ inputs.version }}
+ force: ${{ inputs.force }}
+ merge_target: ${{ inputs.merge_target }}
+ secrets: inherit
From ecdd1817475e3c5c8958b60dcb429d9049816ff1 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Fri, 9 Jan 2026 23:15:30 +0000
Subject: [PATCH 02/22] ci(release): Restore GitHub App token authentication The previous migration incorrectly removed the GitHub App token authentication step. This commit restores it by switching to the composite action pattern which preserves the auth flow.
---
 .github/workflows/release.yml | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aac4158827..da677fe82f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,9 +13,24 @@ on:
 required: false
 jobs:
 release:
- uses: getsentry/craft/.github/workflows/release.yml@v2
- with:
- version: ${{ inputs.version }}
- force: ${{ inputs.force }}
- merge_target: ${{ inputs.merge_target }}
- secrets: inherit
+ runs-on: ubuntu-latest
+ name: Release a new version
+ steps:
+ - name: Get auth token
+ id: token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
+ private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ steps.token.outputs.token }}
+ fetch-depth: 0
+ - name: Prepare release
+ uses: getsentry/craft@v2
+ env:
+ GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+ with:
+ version: ${{ inputs.version }}
+ force: ${{ inputs.force }}
+ merge_target: ${{ inputs.merge_target }}
From ebb437db10860124c629a7d59b23bb44a09c0e8c Mon Sep 17 00:00:00 2001
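Review bot: The restored `Get auth token` step references `actions/create-github-app-token@v1`, a movable tag, although the step removed one patch earlier was pinned as `actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1`; this step reads `secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY`, so it is the line where an immutable pin matters most. Restoring that exact line keeps the previously reviewed commit, and `getsentry/craft@v2`, which receives the app token through `GITHUB_TOKEN`, should be pinned to a full commit SHA in the same way. The checkout also drops from `@v6` to `@v4` and no longer sets `submodules: 'recursive'`, which the removed step had; if that is intentional it deserves a line in the commit message.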
From: Burak Yigit Kaya
Date: Sat, 10 Jan 2026 00:34:44 +0000
Subject: [PATCH 03/22] fix: Pin actions to SHA and add permissions blocks
---
 .github/workflows/agp-matrix.yml | 2 +-
 .github/workflows/build.yml | 2 +-
 .github/workflows/changelog-preview.yml | 4 ++++
 .github/workflows/changes-in-high-risk-code.yml | 2 +-
 .github/workflows/codeql-analysis.yml | 2 +-
 .github/workflows/enforce-license-compliance.yml | 2 +-
 .github/workflows/format-code.yml | 2 +-
 .github/workflows/generate-javadocs.yml | 2 +-
 .github/workflows/integration-tests-benchmarks.yml | 4 ++--
 .github/workflows/integration-tests-size.yml | 2 +-
 .github/workflows/integration-tests-ui-critical.yml | 4 ++--
 .github/workflows/integration-tests-ui.yml | 2 +-
 .github/workflows/release-build.yml | 6 +++++-
 .github/workflows/release.yml | 10 +++++++---
 .github/workflows/spring-boot-2-matrix.yml | 2 +-
 .github/workflows/spring-boot-3-matrix.yml | 2 +-
 .github/workflows/spring-boot-4-matrix.yml | 2 +-
 .github/workflows/system-tests-backend.yml | 2 +-
 18 files changed, 33 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/agp-matrix.yml b/.github/workflows/agp-matrix.yml
index 642133f434..ca6f4c8094 100644
--- a/.github/workflows/agp-matrix.yml
+++ b/.github/workflows/agp-matrix.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f4186aaf47..60aaaa45fc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml
index 1ed1021302..5883c004c0 100644
--- a/.github/workflows/changelog-preview.yml
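Review bot: The pinned line `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2` in the agp-matrix.yml hunk replaces `actions/checkout@v6`, so either the comment is wrong or the pin moves checkout back several major versions; the hash cannot be checked against a tag from this page. The same replacement is repeated in every checkout hunk of this patch, and the release.yml hunk pins `actions/create-github-app-token` to `d72941d797fd3113feb6b93fd0dec494b13a2547` where patch 01 removed `29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1`. A pin should be resolved from the tag it replaces and annotated with the exact release, `# <exact-tag>`, so a reviewer can confirm the hash without guessing. `actions/setup-java@v5`, visible as context in the integration-tests-size.yml and integration-tests-ui-critical.yml hunks, is still referenced by tag.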
+++ b/.github/workflows/changelog-preview.yml
@@ -7,6 +7,10 @@ on:
 - reopened
 - edited
 - labeled
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 changelog-preview:
 uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
diff --git a/.github/workflows/changes-in-high-risk-code.yml b/.github/workflows/changes-in-high-risk-code.yml
index ba1376ff51..6b0ef1c26f 100644
--- a/.github/workflows/changes-in-high-risk-code.yml
+++ b/.github/workflows/changes-in-high-risk-code.yml
@@ -16,7 +16,7 @@ jobs:
 high_risk_code: ${{ steps.changes.outputs.high_risk_code }}
 high_risk_code_files: ${{ steps.changes.outputs.high_risk_code_files }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 - name: Get changed files
 id: changes
 uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index a5d3ce5194..2caae90208 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,7 +20,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml
index 0a63a7b94c..d629342859 100644
--- a/.github/workflows/enforce-license-compliance.yml
+++ b/.github/workflows/enforce-license-compliance.yml
@@ -20,7 +20,7 @@ jobs:
 java-version: '17'
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 # TODO: remove this when upstream is fixed
 - name: Disable Gradle configuration cache (see https://github.com/fossas/fossa-cli/issues/872)
diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml
index 9981fcef3c..3874d4ad1b 100644
--- a/.github/workflows/format-code.yml
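Review bot: The `permissions:` block added to changelog-preview.yml grants `contents: write` to a workflow that runs on `pull_request` events, and the called workflow is still referenced as `changelog-preview.yml@v2` in the context line, which this patch's pinning pass leaves on a movable tag. Unless the Craft preview pushes to the repository, `contents: read` together with `pull-requests: write` looks sufficient; that needs confirming against the called workflow. The reusable-workflow reference can be pinned like the step actions, `uses: getsentry/craft/.github/workflows/changelog-preview.yml@<full-commit-sha> # <exact-tag>`. The `secrets: inherit` line added in patch 01 sits just below this hunk and is presumably unchanged.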
+++ b/.github/workflows/format-code.yml
@@ -8,7 +8,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/generate-javadocs.yml b/.github/workflows/generate-javadocs.yml
index 22ce834f04..b908de0246 100644
--- a/.github/workflows/generate-javadocs.yml
+++ b/.github/workflows/generate-javadocs.yml
@@ -9,7 +9,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout 🛎️
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/integration-tests-benchmarks.yml b/.github/workflows/integration-tests-benchmarks.yml
index 8d209842f7..f16d2e9db2 100644
--- a/.github/workflows/integration-tests-benchmarks.yml
+++ b/.github/workflows/integration-tests-benchmarks.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - name: Git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 submodules: 'recursive'
@@ -77,7 +77,7 @@ jobs:
 steps:
 - name: Git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/integration-tests-size.yml b/.github/workflows/integration-tests-size.yml
index 0cead0c314..11acd293b9 100644
--- a/.github/workflows/integration-tests-size.yml
+++ b/.github/workflows/integration-tests-size.yml
@@ -20,7 +20,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 - name: Setup Java Version
 uses: actions/setup-java@v5
diff --git a/.github/workflows/integration-tests-ui-critical.yml b/.github/workflows/integration-tests-ui-critical.yml
index c5f51a8290..cd62222dcd 100644
--- a/.github/workflows/integration-tests-ui-critical.yml
+++ b/.github/workflows/integration-tests-ui-critical.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 - name: Set up Java 17
 uses: actions/setup-java@v5
@@ -77,7 +77,7 @@ jobs:
 arch: x86_64
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 - name: Enable KVM
 run: |
diff --git a/.github/workflows/integration-tests-ui.yml b/.github/workflows/integration-tests-ui.yml
index 5d82daf30d..4fec0c5432 100644
--- a/.github/workflows/integration-tests-ui.yml
+++ b/.github/workflows/integration-tests-ui.yml
@@ -22,7 +22,7 @@ jobs:
 steps:
 - name: Git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 362590ff21..e776c1e762 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -8,6 +8,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 release:
 name: Build release artifacts
@@ -15,7 +19,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index da677fe82f..83f2be278f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,10 @@ on:
 merge_target:
 description: Target branch to merge into
 required: false
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 release:
 runs-on: ubuntu-latest
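Review bot: In the release.yml hunk the new workflow-level `contents: write` and `pull-requests: write` apply to the default `GITHUB_TOKEN`, but the steps visible in the next hunk check out with `steps.token.outputs.token` and pass that same app token to Craft as `GITHUB_TOKEN`, so the default token's write scopes look unused. If nothing else in the job relies on the default token, `permissions:` with `contents: read` (or `permissions: {}`) leaves the bot token as the only write-capable credential in the run. release-build.yml receives the same two write scopes in this patch; its steps after the checkout are outside the hunk, so whether building release artifacts needs either scope should be confirmed, and the block moved to job level if only one job does.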
@@ -18,16 +22,16 @@ jobs:
 steps:
 - name: Get auth token
 id: token
- uses: actions/create-github-app-token@v1
+ uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2
 with:
 app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
 private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 token: ${{ steps.token.outputs.token }}
 fetch-depth: 0
 - name: Prepare release
- uses: getsentry/craft@v2
+ uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2
 env:
 GITHUB_TOKEN: ${{ steps.token.outputs.token }}
 with:
diff --git a/.github/workflows/spring-boot-2-matrix.yml b/.github/workflows/spring-boot-2-matrix.yml
index 19fb52f569..721320e70b 100644
--- a/.github/workflows/spring-boot-2-matrix.yml
+++ b/.github/workflows/spring-boot-2-matrix.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/spring-boot-3-matrix.yml b/.github/workflows/spring-boot-3-matrix.yml
index 984e418cc1..78f202a98c 100644
--- a/.github/workflows/spring-boot-3-matrix.yml
+++ b/.github/workflows/spring-boot-3-matrix.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/spring-boot-4-matrix.yml b/.github/workflows/spring-boot-4-matrix.yml
index 22479e3d1c..d0a3c92263 100644
--- a/.github/workflows/spring-boot-4-matrix.yml
+++ b/.github/workflows/spring-boot-4-matrix.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/system-tests-backend.yml b/.github/workflows/system-tests-backend.yml
index 870faec759..26dc5571b7 100644
--- a/.github/workflows/system-tests-backend.yml
+++ b/.github/workflows/system-tests-backend.yml
@@ -88,7 +88,7 @@ jobs:
 agent: "false"
 agent-auto-init: "true"
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 submodules: 'recursive'
From 2c748c676c1609c93f07ba1ed01130b0f1df59ca Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Sat, 10 Jan 2026 01:45:47 +0000
Subject: [PATCH 04/22] fix: Use correct action version SHAs (restore original versions)
---
 .github/workflows/agp-matrix.yml | 2 +-
 .github/workflows/build.yml | 2 +-
 .github/workflows/changes-in-high-risk-code.yml | 2 +-
 .github/workflows/codeql-analysis.yml | 2 +-
 .github/workflows/enforce-license-compliance.yml | 2 +-
 .github/workflows/format-code.yml | 2 +-
 .github/workflows/generate-javadocs.yml | 2 +-
 .github/workflows/integration-tests-benchmarks.yml | 4 ++--
 .github/workflows/integration-tests-size.yml | 2 +-
 .github/workflows/integration-tests-ui-critical.yml | 4 ++--
 .github/workflows/integration-tests-ui.yml | 2 +-
 .github/workflows/release-build.yml | 2 +-
 .github/workflows/release.yml | 4 ++--
 .github/workflows/spring-boot-2-matrix.yml | 2 +-
 .github/workflows/spring-boot-3-matrix.yml | 2 +-
 .github/workflows/spring-boot-4-matrix.yml | 2 +-
 .github/workflows/system-tests-backend.yml | 2 +-
 17 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/agp-matrix.yml b/.github/workflows/agp-matrix.yml
index ca6f4c8094..7361b0056b 100644
--- a/.github/workflows/agp-matrix.yml
+++ b/.github/workflows/agp-matrix.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 60aaaa45fc..5150ea38fc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/changes-in-high-risk-code.yml b/.github/workflows/changes-in-high-risk-code.yml
index 6b0ef1c26f..dcae1badfa 100644
--- a/.github/workflows/changes-in-high-risk-code.yml
+++ b/.github/workflows/changes-in-high-risk-code.yml
@@ -16,7 +16,7 @@ jobs:
 high_risk_code: ${{ steps.changes.outputs.high_risk_code }}
 high_risk_code_files: ${{ steps.changes.outputs.high_risk_code_files }}
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 - name: Get changed files
 id: changes
 uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 2caae90208..c0487d7ad9 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,7 +20,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml
index d629342859..68fd08e042 100644
--- a/.github/workflows/enforce-license-compliance.yml
+++ b/.github/workflows/enforce-license-compliance.yml
@@ -20,7 +20,7 @@ jobs:
 java-version: '17'
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 # TODO: remove this when upstream is fixed
 - name: Disable Gradle configuration cache (see https://github.com/fossas/fossa-cli/issues/872)
diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml
index 3874d4ad1b..ff3d256ec2 100644
--- a/.github/workflows/format-code.yml
+++ b/.github/workflows/format-code.yml
@@ -8,7 +8,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/generate-javadocs.yml b/.github/workflows/generate-javadocs.yml
index b908de0246..7185464060 100644
--- a/.github/workflows/generate-javadocs.yml
+++ b/.github/workflows/generate-javadocs.yml
@@ -9,7 +9,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout 🛎️
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/integration-tests-benchmarks.yml b/.github/workflows/integration-tests-benchmarks.yml
index f16d2e9db2..c60d000f15 100644
--- a/.github/workflows/integration-tests-benchmarks.yml
+++ b/.github/workflows/integration-tests-benchmarks.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - name: Git checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 submodules: 'recursive'
@@ -77,7 +77,7 @@ jobs:
 steps:
 - name: Git checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/integration-tests-size.yml b/.github/workflows/integration-tests-size.yml
index 11acd293b9..340c529cb0 100644
--- a/.github/workflows/integration-tests-size.yml
+++ b/.github/workflows/integration-tests-size.yml
@@ -20,7 +20,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 - name: Setup Java Version
 uses: actions/setup-java@v5
diff --git a/.github/workflows/integration-tests-ui-critical.yml b/.github/workflows/integration-tests-ui-critical.yml
index cd62222dcd..680ac40518 100644
--- a/.github/workflows/integration-tests-ui-critical.yml
+++ b/.github/workflows/integration-tests-ui-critical.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 - name: Set up Java 17
 uses: actions/setup-java@v5
@@ -77,7 +77,7 @@ jobs:
 arch: x86_64
 steps:
 - name: Checkout code
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 - name: Enable KVM
 run: |
diff --git a/.github/workflows/integration-tests-ui.yml b/.github/workflows/integration-tests-ui.yml
index 4fec0c5432..e48e91725d 100644
--- a/.github/workflows/integration-tests-ui.yml
+++ b/.github/workflows/integration-tests-ui.yml
@@ -22,7 +22,7 @@ jobs:
 steps:
 - name: Git checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index e776c1e762..d2fce9f125 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 83f2be278f..af39fddfb7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,11 +22,11 @@ jobs:
 steps:
 - name: Get auth token
 id: token
- uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2
 with:
 app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
 private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 token: ${{ steps.token.outputs.token }}
 fetch-depth: 0
diff --git a/.github/workflows/spring-boot-2-matrix.yml b/.github/workflows/spring-boot-2-matrix.yml
index 721320e70b..fe459e3c49 100644
--- a/.github/workflows/spring-boot-2-matrix.yml
+++ b/.github/workflows/spring-boot-2-matrix.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/spring-boot-3-matrix.yml b/.github/workflows/spring-boot-3-matrix.yml
index 78f202a98c..4a0e67e373 100644
--- a/.github/workflows/spring-boot-3-matrix.yml
+++ b/.github/workflows/spring-boot-3-matrix.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/spring-boot-4-matrix.yml b/.github/workflows/spring-boot-4-matrix.yml
index d0a3c92263..c287e3ca29 100644
--- a/.github/workflows/spring-boot-4-matrix.yml
+++ b/.github/workflows/spring-boot-4-matrix.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/system-tests-backend.yml b/.github/workflows/system-tests-backend.yml
index 26dc5571b7..0c454337e6 100644
--- a/.github/workflows/system-tests-backend.yml
+++ b/.github/workflows/system-tests-backend.yml
@@ -88,7 +88,7 @@ jobs:
 agent: "false"
 agent-auto-init: "true"
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
 with:
 submodules: 'recursive'
From c38e477898494fcb276f8d40a3728fc1ead3b54c Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Mon, 12 Jan 2026 12:33:11 +0000
Subject: [PATCH 05/22] fix: Clean up action version comments
---
 .github/workflows/agp-matrix.yml | 2 +-
 .github/workflows/build.yml | 2 +-
 .github/workflows/changes-in-high-risk-code.yml | 2 +-
 .github/workflows/codeql-analysis.yml | 2 +-
 .github/workflows/enforce-license-compliance.yml | 2 +-
 .github/workflows/format-code.yml | 2 +-
 .github/workflows/generate-javadocs.yml | 2 +-
 .github/workflows/integration-tests-benchmarks.yml | 4 ++--
 .github/workflows/integration-tests-size.yml | 2 +-
 .github/workflows/integration-tests-ui-critical.yml | 4 ++--
 .github/workflows/integration-tests-ui.yml | 2 +-
 .github/workflows/release-build.yml | 2 +-
 .github/workflows/release.yml | 4 ++--
 .github/workflows/spring-boot-2-matrix.yml | 2 +-
 .github/workflows/spring-boot-3-matrix.yml | 2 +-
 .github/workflows/spring-boot-4-matrix.yml | 2 +-
 .github/workflows/system-tests-backend.yml | 2 +-
 17 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/agp-matrix.yml b/.github/workflows/agp-matrix.yml
index 7361b0056b..97f889cd51 100644
--- a/.github/workflows/agp-matrix.yml
+++ b/.github/workflows/agp-matrix.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5150ea38fc..ef13bae7ca 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/changes-in-high-risk-code.yml b/.github/workflows/changes-in-high-risk-code.yml
index dcae1badfa..2969d4dc82 100644
--- a/.github/workflows/changes-in-high-risk-code.yml
+++ b/.github/workflows/changes-in-high-risk-code.yml
@@ -16,7 +16,7 @@ jobs:
 high_risk_code: ${{ steps.changes.outputs.high_risk_code }}
 high_risk_code_files: ${{ steps.changes.outputs.high_risk_code_files }}
 steps:
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 - name: Get changed files
 id: changes
 uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index c0487d7ad9..a73c362c9d 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,7 +20,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml
index 68fd08e042..10017c64b2 100644
--- a/.github/workflows/enforce-license-compliance.yml
+++ b/.github/workflows/enforce-license-compliance.yml
@@ -20,7 +20,7 @@ jobs:
 java-version: '17'
 - name: Checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 # TODO: remove this when upstream is fixed
 - name: Disable Gradle configuration cache (see https://github.com/fossas/fossa-cli/issues/872)
diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml
index ff3d256ec2..51aa0ffc1c 100644
--- a/.github/workflows/format-code.yml
+++ b/.github/workflows/format-code.yml
@@ -8,7 +8,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/generate-javadocs.yml b/.github/workflows/generate-javadocs.yml
index 7185464060..a1e6d19e3b 100644
--- a/.github/workflows/generate-javadocs.yml
+++ b/.github/workflows/generate-javadocs.yml
@@ -9,7 +9,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout 🛎️
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/integration-tests-benchmarks.yml b/.github/workflows/integration-tests-benchmarks.yml
index c60d000f15..b533a03b41 100644
--- a/.github/workflows/integration-tests-benchmarks.yml
+++ b/.github/workflows/integration-tests-benchmarks.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - name: Git checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 submodules: 'recursive'
@@ -77,7 +77,7 @@ jobs:
 steps:
 - name: Git checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/integration-tests-size.yml b/.github/workflows/integration-tests-size.yml
index 340c529cb0..e2fb11f7d4 100644
--- a/.github/workflows/integration-tests-size.yml
+++ b/.github/workflows/integration-tests-size.yml
@@ -20,7 +20,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 - name: Setup Java Version
 uses: actions/setup-java@v5
diff --git a/.github/workflows/integration-tests-ui-critical.yml b/.github/workflows/integration-tests-ui-critical.yml
index 680ac40518..9124d63a94 100644
--- a/.github/workflows/integration-tests-ui-critical.yml
+++ b/.github/workflows/integration-tests-ui-critical.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 - name: Set up Java 17
 uses: actions/setup-java@v5
@@ -77,7 +77,7 @@ jobs:
 arch: x86_64
 steps:
 - name: Checkout code
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 - name: Enable KVM
 run: |
diff --git a/.github/workflows/integration-tests-ui.yml b/.github/workflows/integration-tests-ui.yml
index e48e91725d..4cd82fc00f 100644
--- a/.github/workflows/integration-tests-ui.yml
+++ b/.github/workflows/integration-tests-ui.yml
@@ -22,7 +22,7 @@ jobs:
 steps:
 - name: Git checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index d2fce9f125..adde846735 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Checkout Repo
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 submodules: 'recursive'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index af39fddfb7..3b221caa38 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,11 +22,11 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/spring-boot-2-matrix.yml b/.github/workflows/spring-boot-2-matrix.yml index fe459e3c49..8e07a5c827 100644 --- a/.github/workflows/spring-boot-2-matrix.yml +++ b/.github/workflows/spring-boot-2-matrix.yml @@ -28,7 +28,7 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: submodules: 'recursive' diff --git a/.github/workflows/spring-boot-3-matrix.yml b/.github/workflows/spring-boot-3-matrix.yml index 4a0e67e373..fb4a5e710f 100644 --- a/.github/workflows/spring-boot-3-matrix.yml +++ b/.github/workflows/spring-boot-3-matrix.yml @@ -28,7 +28,7 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: submodules: 'recursive' diff --git a/.github/workflows/spring-boot-4-matrix.yml b/.github/workflows/spring-boot-4-matrix.yml index c287e3ca29..e8a72b7288 100644 --- a/.github/workflows/spring-boot-4-matrix.yml +++ b/.github/workflows/spring-boot-4-matrix.yml @@ -28,7 +28,7 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: submodules: 'recursive' 
diff --git a/.github/workflows/system-tests-backend.yml b/.github/workflows/system-tests-backend.yml index 0c454337e6..7210407472 100644 --- a/.github/workflows/system-tests-backend.yml +++ b/.github/workflows/system-tests-backend.yml @@ -88,7 +88,7 @@ jobs: agent: "false" agent-auto-init: "true" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: submodules: 'recursive' From 089968ece4165dd85262dc7d871d9a4b6d6b98b5 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 22:46:03 +0000 Subject: [PATCH 06/22] Update Craft SHA to 1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3b221caa38..c8f81ad19d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -31,7 +31,7 @@ jobs: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2 + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From 18d871aae41522ff93afd31fdc40b4338604c188 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:04:44 +0000 Subject: [PATCH 07/22] Add explicit permissions block to agp-matrix.yml --- .github/workflows/agp-matrix.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/agp-matrix.yml b/.github/workflows/agp-matrix.yml index 97f889cd51..45f091ccc6 100644 --- a/.github/workflows/agp-matrix.yml +++ b/.github/workflows/agp-matrix.yml @@ -10,6 +10,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: write + pull-requests: write + jobs: agp-matrix-compatibility: timeout-minutes: 30 
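Review bot: The block added to agp-matrix.yml in PATCH 07/22 grants `contents: write` and `pull-requests: write` at workflow level, so every job in the workflow runs with a token that can push to the repository and modify pull requests. Nothing visible in the hunk shows a step that needs either scope, so unless a job outside the hunk writes back, the explicit block should start from `contents: read` and raise a scope only on the job that needs it. PATCH 08/22 through 12/22 add the same two-scope block unchanged (enforce-license-compliance, generate-javadocs, integration-tests-benchmarks, integration-tests-ui-critical, integration-tests-ui), and enforce-license-compliance.yml is shown triggering on `pull_request`. The workflow body continues outside the hunk.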
From b718642e17dbca1c1bb8d1f701414b00c4ed794c Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:04:48 +0000 Subject: [PATCH 08/22] Add explicit permissions block to enforce-license-compliance.yml --- .github/workflows/enforce-license-compliance.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml index 10017c64b2..771eaef0f7 100644 --- a/.github/workflows/enforce-license-compliance.yml +++ b/.github/workflows/enforce-license-compliance.yml @@ -6,6 +6,10 @@ on: pull_request: branches: [master, main] +permissions: + contents: write + pull-requests: write + jobs: enforce-license-compliance: runs-on: ubuntu-latest From f9ae0d471f49ca35bed2f4d7cd7abe1746657c32 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:04:50 +0000 Subject: [PATCH 09/22] Add explicit permissions block to generate-javadocs.yml --- .github/workflows/generate-javadocs.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/generate-javadocs.yml b/.github/workflows/generate-javadocs.yml index a1e6d19e3b..36a58dfb82 100644 --- a/.github/workflows/generate-javadocs.yml +++ b/.github/workflows/generate-javadocs.yml @@ -3,6 +3,10 @@ on: release: types: [released] +permissions: + contents: write + pull-requests: write + jobs: build-and-deploy-javadocs: name: Build and deploy Javadocs From 9bd2e2717571f39c901307ecc0488d644f131f06 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:04:51 +0000 Subject: [PATCH 10/22] Add explicit permissions block to integration-tests-benchmarks.yml --- .github/workflows/integration-tests-benchmarks.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/integration-tests-benchmarks.yml b/.github/workflows/integration-tests-benchmarks.yml index b533a03b41..42e5f67b47 100644 --- a/.github/workflows/integration-tests-benchmarks.yml 
+++ b/.github/workflows/integration-tests-benchmarks.yml @@ -15,6 +15,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: write + pull-requests: write + jobs: test: name: Benchmarks From 8df8f2c0bbe6e086c7e14aa03c99cd2e84f0ea1b Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:04:53 +0000 Subject: [PATCH 11/22] Add explicit permissions block to integration-tests-ui-critical.yml --- .github/workflows/integration-tests-ui-critical.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/integration-tests-ui-critical.yml b/.github/workflows/integration-tests-ui-critical.yml index 9124d63a94..ed48be60c9 100644 --- a/.github/workflows/integration-tests-ui-critical.yml +++ b/.github/workflows/integration-tests-ui-critical.yml @@ -17,6 +17,10 @@ env: APK_ARTIFACT_NAME: "sentry-uitest-android-critical-release" MAESTRO_VERSION: "1.39.0" +permissions: + contents: write + pull-requests: write + jobs: build: name: Build From 613fab0f25a1e253a068d83331167cc4cd5248cb Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:04:54 +0000 Subject: [PATCH 12/22] Add explicit permissions block to integration-tests-ui.yml --- .github/workflows/integration-tests-ui.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/integration-tests-ui.yml b/.github/workflows/integration-tests-ui.yml index 4cd82fc00f..e3d1ad3368 100644 --- a/.github/workflows/integration-tests-ui.yml +++ b/.github/workflows/integration-tests-ui.yml @@ -9,6 +9,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: write + pull-requests: write + jobs: test: name: Ui tests From 0955cf863468bef9df91996a439a2339aa9c25ba Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:15:40 +0000 Subject: [PATCH 13/22] Revert permissions changes to agp-matrix.yml --- .github/workflows/agp-matrix.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/agp-matrix.yml b/.github/workflows/agp-matrix.yml index 45f091ccc6..642133f434 100644 --- a/.github/workflows/agp-matrix.yml +++ b/.github/workflows/agp-matrix.yml @@ -10,10 +10,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: write - pull-requests: write - jobs: agp-matrix-compatibility: timeout-minutes: 30 @@ -32,7 +28,7 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 with: submodules: 'recursive' From 10d2b9075c1841c384e148603f111caa2262a7a4 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:15:43 +0000 Subject: [PATCH 14/22] Revert permissions changes to enforce-license-compliance.yml --- .github/workflows/enforce-license-compliance.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml index 771eaef0f7..0a63a7b94c 100644 --- a/.github/workflows/enforce-license-compliance.yml +++ b/.github/workflows/enforce-license-compliance.yml @@ -6,10 +6,6 @@ on: pull_request: branches: [master, main] -permissions: - contents: write - pull-requests: write - jobs: enforce-license-compliance: runs-on: ubuntu-latest @@ -24,7 +20,7 @@ jobs: java-version: '17' - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 # TODO: remove this when upstream is fixed - name: Disable Gradle configuration cache (see https://github.com/fossas/fossa-cli/issues/872) From a7846ce2b9997223d516a74345ff368d6f02af24 Mon Sep 17 00:00:00 2001 
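Review bot: The second agp-matrix.yml hunk of PATCH 13/22 replaces the commit-pinned `actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6` with the movable tag `actions/checkout@v6`, a change the subject "Revert permissions changes" does not mention. A tag can be re-pointed upstream, so the step no longer runs a fixed, reviewable revision. Keep `uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6` and revert only the `permissions:` block. The same unpinning recurs in the checkout hunks of PATCH 14/22 through 20/22. The release.yml hunk in 20/22 matters most, because that checkout is handed the release-bot app token while the two neighbouring steps stay pinned by SHA. The job bodies continue outside these hunks.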
From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:15:45 +0000 Subject: [PATCH 15/22] Revert permissions changes to generate-javadocs.yml --- .github/workflows/generate-javadocs.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/generate-javadocs.yml b/.github/workflows/generate-javadocs.yml index 36a58dfb82..22ce834f04 100644 --- a/.github/workflows/generate-javadocs.yml +++ b/.github/workflows/generate-javadocs.yml @@ -3,17 +3,13 @@ on: release: types: [released] -permissions: - contents: write - pull-requests: write - jobs: build-and-deploy-javadocs: name: Build and deploy Javadocs runs-on: ubuntu-latest steps: - name: Checkout 🛎️ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 with: submodules: 'recursive' From d4ad5d470b8c8d40234d8ad9ffbefe19bc305b81 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:15:49 +0000 Subject: [PATCH 16/22] Revert permissions changes to integration-tests-benchmarks.yml --- .github/workflows/integration-tests-benchmarks.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/integration-tests-benchmarks.yml b/.github/workflows/integration-tests-benchmarks.yml index 42e5f67b47..8d209842f7 100644 --- a/.github/workflows/integration-tests-benchmarks.yml +++ b/.github/workflows/integration-tests-benchmarks.yml @@ -15,10 +15,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: write - pull-requests: write - jobs: test: name: Benchmarks @@ -31,7 +27,7 @@ jobs: steps: - name: Git checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 with: submodules: 'recursive' @@ -81,7 +77,7 @@ jobs: steps: - name: Git checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 with: submodules: 'recursive' 
From dedf975baa39138b55799314d8078cdfcfcae91a Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:15:51 +0000 Subject: [PATCH 17/22] Revert permissions changes to integration-tests-ui-critical.yml --- .github/workflows/integration-tests-ui-critical.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/integration-tests-ui-critical.yml b/.github/workflows/integration-tests-ui-critical.yml index ed48be60c9..c5f51a8290 100644 --- a/.github/workflows/integration-tests-ui-critical.yml +++ b/.github/workflows/integration-tests-ui-critical.yml @@ -17,10 +17,6 @@ env: APK_ARTIFACT_NAME: "sentry-uitest-android-critical-release" MAESTRO_VERSION: "1.39.0" -permissions: - contents: write - pull-requests: write - jobs: build: name: Build @@ -31,7 +27,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 - name: Set up Java 17 uses: actions/setup-java@v5 @@ -81,7 +77,7 @@ jobs: arch: x86_64 steps: - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 - name: Enable KVM run: | From 240710f548e20d60885feddfdd90d6baacfb6258 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:15:54 +0000 Subject: [PATCH 18/22] Revert permissions changes to integration-tests-ui.yml --- .github/workflows/integration-tests-ui.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/integration-tests-ui.yml b/.github/workflows/integration-tests-ui.yml index e3d1ad3368..5d82daf30d 100644 --- a/.github/workflows/integration-tests-ui.yml +++ b/.github/workflows/integration-tests-ui.yml @@ -9,10 +9,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: write - pull-requests: write - jobs: test: name: Ui tests 
@@ -26,7 +22,7 @@ jobs: steps: - name: Git checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 with: submodules: 'recursive' From 9889efc5c3dc63b01420d40271d96230b3740a74 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 00:05:09 +0000 Subject: [PATCH 19/22] fix: revert extraneous changes to non-release workflow files --- .github/workflows/build.yml | 2 +- .github/workflows/changes-in-high-risk-code.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/format-code.yml | 2 +- .github/workflows/integration-tests-size.yml | 2 +- .github/workflows/release-build.yml | 6 +----- .github/workflows/spring-boot-2-matrix.yml | 2 +- .github/workflows/spring-boot-3-matrix.yml | 2 +- .github/workflows/spring-boot-4-matrix.yml | 2 +- .github/workflows/system-tests-backend.yml | 2 +- 10 files changed, 10 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ef13bae7ca..f4186aaf47 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 with: submodules: 'recursive' diff --git a/.github/workflows/changes-in-high-risk-code.yml b/.github/workflows/changes-in-high-risk-code.yml index 2969d4dc82..ba1376ff51 100644 --- a/.github/workflows/changes-in-high-risk-code.yml +++ b/.github/workflows/changes-in-high-risk-code.yml @@ -16,7 +16,7 @@ jobs: high_risk_code: ${{ steps.changes.outputs.high_risk_code }} high_risk_code_files: ${{ steps.changes.outputs.high_risk_code_files }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + - uses: actions/checkout@v6 - name: Get changed files id: changes uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a73c362c9d..a5d3ce5194 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 with: submodules: 'recursive' diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml index 51aa0ffc1c..9981fcef3c 100644 --- a/.github/workflows/format-code.yml +++ b/.github/workflows/format-code.yml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 with: submodules: 'recursive' diff --git a/.github/workflows/integration-tests-size.yml b/.github/workflows/integration-tests-size.yml index e2fb11f7d4..0cead0c314 100644 --- a/.github/workflows/integration-tests-size.yml +++ b/.github/workflows/integration-tests-size.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 - name: Setup Java Version uses: actions/setup-java@v5 diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index adde846735..362590ff21 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -8,10 +8,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: write - pull-requests: write - jobs: release: name: Build release artifacts @@ -19,7 +15,7 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 with: submodules: 'recursive' diff --git a/.github/workflows/spring-boot-2-matrix.yml b/.github/workflows/spring-boot-2-matrix.yml index 8e07a5c827..19fb52f569 100644 
--- a/.github/workflows/spring-boot-2-matrix.yml +++ b/.github/workflows/spring-boot-2-matrix.yml @@ -28,7 +28,7 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 with: submodules: 'recursive' diff --git a/.github/workflows/spring-boot-3-matrix.yml b/.github/workflows/spring-boot-3-matrix.yml index fb4a5e710f..984e418cc1 100644 --- a/.github/workflows/spring-boot-3-matrix.yml +++ b/.github/workflows/spring-boot-3-matrix.yml @@ -28,7 +28,7 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 with: submodules: 'recursive' diff --git a/.github/workflows/spring-boot-4-matrix.yml b/.github/workflows/spring-boot-4-matrix.yml index e8a72b7288..22479e3d1c 100644 --- a/.github/workflows/spring-boot-4-matrix.yml +++ b/.github/workflows/spring-boot-4-matrix.yml @@ -28,7 +28,7 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@v6 with: submodules: 'recursive' diff --git a/.github/workflows/system-tests-backend.yml b/.github/workflows/system-tests-backend.yml index 7210407472..870faec759 100644 --- a/.github/workflows/system-tests-backend.yml +++ b/.github/workflows/system-tests-backend.yml @@ -88,7 +88,7 @@ jobs: agent: "false" agent-auto-init: "true" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + - uses: actions/checkout@v6 with: submodules: 'recursive' From c20b0910b6ed71bc13f16e376284f436963ed8b4 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 11:14:29 +0000 Subject: [PATCH 20/22] fix: clean up release.yml formatting and version comments --- .github/workflows/release.yml | 45 +++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 21 deletions(-) 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c8f81ad19d..4d1c70d482 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,11 +6,12 @@ on: description: Version to release (or "auto") required: false force: - description: Force a release even when there are release-blockers + description: Force a release even when there are release-blockers (optional) required: false merge_target: - description: Target branch to merge into + description: Target branch to merge into. Uses the default branch as a fallback (optional) required: false + permissions: contents: write pull-requests: write 
@@ -18,23 +19,25 @@ permissions: jobs: release: runs-on: ubuntu-latest - name: Release a new version + name: "Release a new version" steps: - - name: Get auth token - id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 - with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 - with: - token: ${{ steps.token.outputs.token }} - fetch-depth: 0 - - name: Prepare release - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 - env: - GITHUB_TOKEN: ${{ steps.token.outputs.token }} - with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} - merge_target: ${{ inputs.merge_target }} + - name: Get auth token + id: token + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + with: + app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} + private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + - uses: actions/checkout@v6 + with: + token: ${{ steps.token.outputs.token }} + # Needs to be set, otherwise git describe --tags will fail with: No names found, cannot describe anything + fetch-depth: 0 + submodules: 'recursive' + - name: Prepare release + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 + env: + GITHUB_TOKEN: ${{ steps.token.outputs.token }} + with: + version: ${{ github.event.inputs.version }} + force: ${{ github.event.inputs.force }} + merge_target: ${{ github.event.inputs.merge_target }} From f230601d5d46a76ee33c556d2e599ad1555c1345 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 13:16:29 +0000 Subject: [PATCH 21/22] build(craft): Update Craft action to c6e2f04 --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4d1c70d482..bd4d5551be 100644 
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -34,7 +34,7 @@ jobs: fetch-depth: 0 submodules: 'recursive' - name: Prepare release - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 + uses: getsentry/craft@c6e2f04939b6ee67030588afbb5af76b127d8203 # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From f85e220f402b932de906571860d25ca5e96aedc2 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 22:21:24 +0000 Subject: [PATCH 22/22] chore: add unlabeled trigger to changelog-preview --- .github/workflows/changelog-preview.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml index 5883c004c0..30c6083c6b 100644 --- a/.github/workflows/changelog-preview.yml +++ b/.github/workflows/changelog-preview.yml @@ -7,6 +7,7 @@ on: - reopened - edited - labeled + - unlabeled permissions: contents: write pull-requests: write