Bump actions/create-github-app-token from 3.1.1 to 3.2.0

[dependabot]

Bumps actions/create-github-app-token from 3.1.1 to 3.2.0.

Release notes

Sourced from actions/create-github-app-token's releases.

v3.2.0

3.2.0 (2026-05-12)

Features

• add support for enterprise-level GitHub Apps (#263) (952a2a7)
• support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)
• validate private-key input (#376) (f24bbd8)

Changelog

Sourced from actions/create-github-app-token's changelog.

3.2.0 (2026-05-12)

Features

• add support for enterprise-level GitHub Apps (#263) (952a2a7)
• support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)
• validate private-key input (#376) (f24bbd8)

Commits

• bcd2ba4 chore(main): release 3.2.0 (#370)
• f24bbd8 fix: validate private-key input (#376)
• 363531b docs: capitalize Git as a proper noun in README (#374)
• fd28011 docs: update procedure to configure Git (#287)
• 85eb8dd feat: support full repository names in repositories input (#372)
• c9aabb8 build(deps-dev): bump yaml from 2.8.3 to 2.8.4 in the development-dependencie...
• e02e816 build(deps-dev): bump undici from 7.24.6 to 8.2.0 (#366)
• 8d835bf build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 in the development-depend...
• 952a2a7 feat: add support for enterprise-level GitHub Apps (#263)
• 43e5c34 fix(deps): bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependenc...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

🤖 Claude Code Review

Code Review: Bump actions/create-github-app-token from v3.1.1 to v3.2.0

This is a dependency version bump across 4 GitHub Actions workflow files. Here is my evaluation:

---

Code Quality

• ✅ Style guide: YAML formatting is unchanged; only the version string is updated.
• ✅ No commented-out code: None introduced.
• ✅ Meaningful variable names: N/A — no new variables.
• ✅ DRY principle: All 6 usages of the action across all 4 workflow files have been updated consistently. No missed instances.
• ✅ Defects/bugs/security: This is a patch/minor version bump (v3.1.1 → v3.2.0) for a well-known GitHub-maintained action. The change is safe and expected. No logic is altered.

---

Testing

• ✅ N/A — CI configuration change; no application code modified. The CI pipelines themselves serve as the integration test.

---

Documentation

• ✅ README: No update needed.
• ✅ API docs: No update needed.
• ⚠️ CHANGELOG.md: Not updated. Dependency bumps to CI tooling are often omitted from changelogs, but if the project's convention is to log all dependency changes, this should be noted. For a garage/experimental project, omitting this is acceptable.

---

Security

• ✅ No hardcoded credentials: All sensitive values use ${{ secrets.* }} correctly.
• ✅ Input validation: N/A.
• ✅ No sensitive data in logs: N/A.
• ✅ No license files (.lic): None present in the diff.
• ✅ Pinned version: The action uses a semantic version tag (v3.2.0) rather than a floating @v3, which is good practice. For maximum supply-chain security, pinning to a full commit SHA would be ideal, but using a versioned tag is the project's established pattern and is consistent here.

---

Summary

Approved. This is a clean, low-risk dependency bump with no issues. All 6 action usages across the 4 workflow files are updated consistently.

Automated code review analyzing defects and coding standards

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter