chore(deps): update actions/create-github-app-token action to v2

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
actions/create-github-app-token	action	major	v1 → v2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v2.2.2

Compare Source

Bug Fixes

• deps: bump @​actions/core from 1.11.1 to 3.0.0 (#​337) (b044133)
• deps: bump minimatch from 9.0.5 to 9.0.9 (#​335) (5cbc656)
• deps: bump the production-dependencies group with 4 updates (#​336) (6bda5bc)
• deps: bump undici from 7.16.0 to 7.18.2 (#​323) (b4f638f)

v2.2.1

Compare Source

Bug Fixes

• deps: bump the production-dependencies group with 2 updates (#​311) (b212e6a)

v2.2.0

Compare Source

Bug Fixes

• deps: bump glob from 10.4.5 to 10.5.0 (#​305) (5480f43)
• deps: bump p-retry from 6.2.1 to 7.1.0 (#​294) (dce3be8)
• deps: bump the production-dependencies group with 2 updates (#​292) (55e2a4b)

Features

• update permission inputs (#​296) (d90aa53)

v2.1.4

Compare Source

Bug Fixes

• deps: bump @​octokit/auth-app from 7.2.1 to 8.0.1 (#​257) (bef1eaf)

v2.1.3

Compare Source

Bug Fixes

• deps: bump undici from 7.8.0 to 7.10.0 in the production-dependencies group (#​254) (f3d5ec2)

v2.1.2

Compare Source

Bug Fixes

• deps: bump @​octokit/request from 9.2.3 to 10.0.2 (#​256) (5d7307b)

v2.1.1

Compare Source

Bug Fixes

• revert "use node24 as runner" (#​278) (5204204), closes actions/create-github-app-token#267

v2.1.0

Compare Source

Features

• use node24 as runner (#​267) (a1cbe0f)

v2.0.6

Compare Source

Bug Fixes

• replace - with _ (#​246) (3336784)

v2.0.5

Compare Source

Bug Fixes

• deps: bump the production-dependencies group with 3 updates (#​240) (d64d7d7)

v2.0.4

Compare Source

Bug Fixes

• permission input handling (#​243) (2950cbc)

v2.0.3

Compare Source

Bug Fixes

• README: use v2 in examples (#​234) (9ba274d), closes #​232
• use core.getBooleanInput() to retrieve boolean input values (#​223) (c3c17c7)

v2.0.2

Compare Source

Bug Fixes

• improve log messages for token creation (#​226) (eaef294)

v2.0.1

Compare Source

Bug Fixes

• deps: bump the production-dependencies group across 1 directory with 2 updates (#​228) (2411bfc)

v2.0.0

Compare Source

• feat!: remove deprecated inputs (#​213) (5cc811b)

BREAKING CHANGES

• Removed deprecated inputs (app_id, private_key, skip_token_revoke) and made app-id and private-key required in the action configuration.

v2

Compare Source

v1.12.0

Compare Source

Features

• permissions (#​168) (0e0aa99)

v1.11.7

Compare Source

Bug Fixes

• deps: bump undici from 5.28.4 to 7.5.0 (#​214) (a24b46a)

v1.11.6

Compare Source

Bug Fixes

• deps: bump the production-dependencies group with 2 updates (#​210) (1ff1dea)

v1.11.5

Compare Source

Bug Fixes

• deps: bump @​octokit/request from 9.2.0 to 9.2.2 (#​209) (8cedd97), closes #​740 #​738 #​740 #​737 #​738 #​736 #​735 #​734 #​733 #​732
• deps: bump @​octokit/request-error from 6.1.6 to 6.1.7 (#​208) (415f6a5), closes #​494 #​491 #​490 #​488 #​486 #​487 #​485 #​484

v1.11.4

Compare Source

Bug Fixes

• deps: bump @​octokit/endpoint from 10.1.1 to 10.1.3 (#​207) (d30def8), closes #​507 #​514 #​512 #​511 #​509 #​508 #​507 #​506 #​505 #​504

v1.11.3

Compare Source

Bug Fixes

• deps: bump the production-dependencies group with 3 updates (#​203) (8e85a3c), closes #​665 #​665 #​663 #​662 #​661 #​659 #​660 #​658 #​656 #​657 #​655 #​731 nodejs/undici#4016 nodejs/undici#4017 nodejs/undici#4018 nodejs/undici#4008 nodejs/undici#3991 nodejs/undici#4001 nodejs/undici#3980 nodejs/undici#4003 nodejs/undici#3965 nodejs/undici#4002 nodejs/undici#4006 nodejs/undici#3956 nodejs/undici#3964 nodejs/undici#3447 #​3966 nodejs/undici#3967 nodejs/undici#3971 nodejs/undici#3954 nodejs/undici#3972 nodejs/undici#3974 nodejs/undici#3976 #​3975 nodejs/undici#3977 nodejs/undici#3978 nodejs/undici#3981 nodejs/undici#3983 nodejs/undici#3986 #​4021 #​4018 #​4017 #​4016 #​4008 #​4007 #​4006 #​3965

v1.11.2

Compare Source

Bug Fixes

• deps: bump @​octokit/request from 9.1.3 to 9.1.4 in the production-dependencies group (#​196) (b4192a5), closes #​730 #​730 #​729 #​727 #​726 #​723 #​724 #​722 #​721 #​720 #​719
• deps: bump undici from 6.19.8 to 7.2.0 (#​198) (29aa051), closes nodejs/undici#3958 nodejs/undici#3955 nodejs/undici#3962 nodejs/undici#3921 nodejs/undici#3923 nodejs/undici#3925 nodejs/undici#3926 nodejs/undici#3924 nodejs/undici#3933 nodejs/undici#3916 nodejs/undici#3930 nodejs/undici#3938 #​3937 nodejs/undici#3940 nodejs/undici#3931 nodejs/undici#3941 nodejs/undici#3911 nodejs/undici#3888 nodejs/undici#3939 nodejs/undici#3947 nodejs/undici#3945 nodejs/undici#3916 nodejs/undici#3893 nodejs/undici#3902 #​3901 nodejs/undici#3903 nodejs/undici#3905 nodejs/undici#3900 nodejs/undici#3913 nodejs/undici#3910 nodejs/undici#3909 nodejs/undici#3906 nodejs/undici#3922 #​3962 #​3955 #​3958 #​3945 #​3947 #​3939 #​3888 #​3911 #​3941

v1.11.1

Compare Source

What's Changed

Bug Fixes

• deps: bump the production-dependencies group across 1 directory with 3 updates by @​dependabot in #​193

Full Changelog: actions/create-github-app-token@v1.11.0...v1.11.1

v1.11.0

Compare Source

What's Changed

Features

• Allow repositories input to be comma or newline-separated by @​peter-evans in #​169

New Contributors

• @​peter-evans made their first contribution in #​169

Full Changelog: actions/create-github-app-token@v1.10.4...v1.11.0

v1.10.4

Compare Source

What's Changed

• build(deps-dev): bump the development-dependencies group with 4 updates by @​dependabot in #​150
• docs(README): fix the git committer string and Configure git CLI examples by @​maboloshi in #​151
• docs(readme): document how a Base64 private key could be decoded by @​vleon1a in #​155
• test: fix test file extensions and inputs for repositories by @​parkerbxyz in #​161
• build(deps-dev): bump the development-dependencies group across 1 directory with 4 updates by @​dependabot in #​167

Bug Fixes

• bump the production-dependencies group across 1 directory with 3 updates by @​dependabot in #​166

New Contributors

• @​vleon1a made their first contribution in #​155

Full Changelog: actions/create-github-app-token@v1.10.3...v1.10.4

v1.10.3

Compare Source

What's Changed

• docs(README): fix committer string example and add git config example by @​anuraaga in #​145

Bug Fixes

• fix(deps): bump undici from 6.18.2 to 6.19.2 in the production-dependencies group by @​dependabot in #​149

New Contributors

• @​anuraaga made their first contribution in #​145

Full Changelog: actions/create-github-app-token@v1.10.2...v1.10.3

v1.10.2

Compare Source

Bug Fixes

• do not revoke token if already expired (#​147) (66a7045), closes #​140 #​95

v1.10.1

Compare Source

Bug Fixes

• deps: bump the production-dependencies group with 2 updates (#​138) (8d81a59), closes #​606 #​606 #​605 #​604 nodejs/undici#3295 nodejs/undici#3298 nodejs/undici#3294 nodejs/undici#3281 nodejs/undici#3286 nodejs/undici#3284 nodejs/undici#3291 nodejs/undici#3290 nodejs/undici#3283 nodejs/undici#3281 nodejs/undici#3263 nodejs/undici#3279 nodejs/undici#3227 nodejs/undici#3234 nodejs/undici#3240 nodejs/undici#3245 nodejs/undici#3241 nodejs/undici#3247 nodejs/undici#3248 nodejs/undici#3219 nodejs/undici#3251 nodejs/undici#3254 nodejs/undici#3258 nodejs/undici#3257 nodejs/undici#3259 nodejs/undici#3262 nodejs/undici#3264 nodejs/undici#3118 nodejs/undici#3269 #​3301 #​3294 #​3298 #​3295 #​3293 #​3283 #​3290 #​3291 #​3284 #​3286

v1.10.0

Compare Source

Features

• private-key: escaped newlines will be replaced (#​132) (9d23fb9)

v1.9.3

Compare Source

Bug Fixes

• deps: bump undici from 6.10.2 to 6.11.1 (#​125) (3c223c7), closes #​3024 nodejs/undici#3044 #​3023 nodejs/undici#3025 nodejs/undici#3024 nodejs/undici#3034 nodejs/undici#3038 nodejs/undici#2947 nodejs/undici#3040 nodejs/undici#3036 nodejs/undici#3041 #​3024 #​3041 #​3036

v1.9.2

Compare Source

Bug Fixes

• deps: bump the production-dependencies group with 1 update (#​123) (beea7b8), closes nodejs/undici#2978 nodejs/undici#2971 nodejs/undici#2980 #​2982 nodejs/undici#2983 nodejs/undici#2987 nodejs/undici#2991 #​2986 nodejs/undici#2992 nodejs/undici#2985 nodejs/undici#2993 nodejs/undici#2995 nodejs/undici#2998 #​2863 nodejs/undici#2999 nodejs/undici#3001 nodejs/undici#2971 nodejs/undici#2980 nodejs/undici#2983 nodejs/undici#2987 nodejs/undici#2991 nodejs/undici#2985 nodejs/undici#2995 nodejs/undici#2960 nodejs/undici#2959 nodejs/undici#2969 nodejs/undici#2962 nodejs/undici#2974 nodejs/undici#2967 nodejs/undici#2966 nodejs/undici#2969 nodejs/undici#2962 nodejs/undici#2826 nodejs/undici#2952 #​3001 #​2863 #​2999 #​2998 #​2993 #​2986 #​2992 #​2991 #​2987

v1.9.1

Compare Source

Bug Fixes

• clarify owner input description (#​118) (d9bc169)

v1.9.0

Compare Source

Features

• outputs: app-slug and installation-id (#​105) (babaff4)

v1.8.2

Compare Source

Bug Fixes

• deps: bump the production-dependencies group with 3 updates (#​107) (f83fb27), closes #​579 #​579 #​576 #​577 #​574 #​572 #​571 #​567 #​681 #​678 #​667 #​681 #​680 #​609 #​678 #​676 #​673 #​669 #​667 #​671 nodejs/undici#2683 nodejs/undici#2645 nodejs/undici#2695 nodejs/undici#2699 nodejs/undici#2703 nodejs/undici#2644 nodejs/undici#2702 nodejs/undici#2706 nodejs/undici#2707 nodejs/undici#2644 #​2707 #​2706 #​2702 #​2644 #​2703 #​2699 #​2695 #​2645 #​2683

v1.8.1

Compare Source

Bug Fixes

• deps: bump undici from 6.6.0 to 6.6.1 (#​103) (5195df7)

v1.8.0

Compare Source

Features

• add proxy support (#​102) (1f82f7d)

v1.7.0

Compare Source

Features

• github-api-url (#​88) (837e275), closes #​77

v1.6.4

Compare Source

Bug Fixes

• revocation: avoid revoking expired tokens and fail gracefully (#​95) (0c01407), closes #​72

v1.6.3

Compare Source

Bug Fixes

• deps: bump the production-dependencies group with 2 updates (#​94) (323044f), closes #​562 #​557 #​562 #​560 #​559 #​558 #​557 #​553 #​552 #​551 #​75 #​75

v1.6.2

Compare Source

Bug Fixes

• handle clock skew (#​87) (495056a)

v1.6.1

Compare Source

Bug Fixes

• deps: bump dependencies(#​84) (474769d), closes #​651 #​648 #​649 #​651 #​648 #​646

v1.6.0

Compare Source

Features

• add retry (#​79) (0f3b4d7), closes #​71

v1.5.1

Compare Source

Bug Fixes

• deps: bump the production-dependencies group with 1 update (#​68) (6375dce)

v1.5.0

Compare Source

Features

• use dash notation for inputs (deprecates underscore notation) (#​59) (7b1d2ae), closes #​57 /github.com/actions/create-github-app-token/issues/57#issuecomment-1751272252

v1.4.0

Compare Source

Features

• Add a skip_token_revoke input for configuring token revocation (#​54) (9ec88c4), closes 1#L46-L47 1#L132

v1.3.0

Compare Source

Features

• support tokens scoped to multiple repositories within organization (#​46) (20fd863)

v1.2.2

Compare Source

Bug Fixes

• deps: bump the production-dependencies group with 3 updates (#​51) (6d98b25), closes #​1511 #​535 #​535 #​533 #​531 #​530 #​524 #​637 #​637 #​631 #​626

v1.2.1

Compare Source

Bug Fixes

• GHES: respect GITHUB_API_URL when creating installation access token (#​38) (c08c5ac), closes #​36

v1.2.0

Compare Source

Features

• add GitHub Enterprise Server (GHES) support (#​36) (ede6c15)

v1.1.5

Compare Source

Bug Fixes

• release: update version in package.json (#​35) (1dccc4c), closes #​34

v1.1.4

Compare Source

Bug Fixes

• release: build dist/ before release (#​33) (9a6a017), closes #​31

v1.1.3

Compare Source

Bug Fixes

• check for token before revoking (#​30) (2540ed4)

v1.1.2

Compare Source

Bug Fixes

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate using a curated preset maintained by . View repository job log here

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github/​actions/​create-github-app-token@​d72941d797fd3113feb6b93fd0dec494b13a2547 ⏵ fee1f7d63c2ff003460e3d139729b119787bc349	-14

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: github actions/create-github-app-token is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: .github/workflows/format-if-needed.yml → github/actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report