getsentry
diff --git a/‎.github/workflows/update-deps.yml‎
Lines changed: 21 additions & 0 deletions b/‎.github/workflows/update-deps.yml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 38 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 38 additions & 1 deletion
diff --git a/‎danger/action.yml‎
Lines changed: 7 additions & 1 deletion b/‎danger/action.yml‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎danger/danger.properties‎
Lines changed: 2 additions & 0 deletions b/‎danger/danger.properties‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎updater/README.md‎
Lines changed: 45 additions & 0 deletions b/‎updater/README.md‎
Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,21 @@
+name: Update dependencies
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run weekly on Mondays at 8:00 UTC
+    - cron: '0 8 * * 1'
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  danger:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: getsentry/github-workflows/updater@main
+        with:
+          path: danger/danger.properties
+          name: Danger JS
+          api-token: ${{ secrets.GITHUB_TOKEN }}
@@ -2,9 +2,29 @@
 
 ## Unreleased
 
+### Features
+
+- Updater - Add `post-update-script` input parameter to run custom scripts after dependency updates ([#130](https://github.com/getsentry/github-workflows/pull/130), [#133](https://github.com/getsentry/github-workflows/pull/133))
+  - Scripts receive original and new version as arguments
+  - Support both bash (`.sh`) and PowerShell (`.ps1`) scripts
+  - Enables workflows like updating lock files, running code generators, or modifying configuration files
+- Updater - Add SSH key support and comprehensive authentication validation ([#134](https://github.com/getsentry/github-workflows/pull/134))
+  - Add `ssh-key` input parameter for deploy key authentication
+  - Support using both `ssh-key` (for git) and `api-token` (for GitHub API) together
+  - Add detailed token validation with actionable error messages
+  - Detect common token issues: expiration, whitespace, SSH keys in wrong input, missing scopes
+  - Validate SSH key format when provided
+
 ### Fixes
 
 - Updater - Fix boolean input handling for `changelog-entry` parameter and add input validation ([#127](https://github.com/getsentry/github-workflows/pull/127))
+- Updater - Fix cryptic authentication errors with better validation and error messages ([#134](https://github.com/getsentry/github-workflows/pull/134), closes [#128](https://github.com/getsentry/github-workflows/issues/128))
+
+### Dependencies
+
+- Bump Danger JS from v11.3.1 to v13.0.4 ([#132](https://github.com/getsentry/github-workflows/pull/132))
+  - [changelog](https://github.com/danger/danger-js/blob/main/CHANGELOG.md#1304)
+  - [diff](https://github.com/danger/danger-js/compare/11.3.1...13.0.4)
 
 ## 3.0.0
 
@@ -27,6 +47,7 @@
 - Updater and Danger reusable workflows are now composite actions ([#114](https://github.com/getsentry/github-workflows/pull/114))
 
   To update your existing Updater workflows:
+
   ```yaml
   ### Before
     native:
@@ -38,7 +59,7 @@
         # If a custom token is used instead, a CI would be triggered on a created PR.
         api-token: ${{ secrets.CI_DEPLOY_KEY }}
 
-  ### After
+  ### After (v3.0)
     native:
       runs-on: ubuntu-latest
       steps:
@@ -49,7 +70,23 @@
             api-token: ${{ secrets.CI_DEPLOY_KEY }}
   ```
 
+  **Note**: If you were using SSH deploy keys with the v2 reusable workflow, the v3.0 composite action initially only supported tokens.
+  SSH key support was restored in v3.1 ([#134](https://github.com/getsentry/github-workflows/pull/134)). To use SSH keys, update to v3.1+ and use the `ssh-key` input:
+
+  ```yaml
+  ### With SSH key (v3.1+)
+    native:
+      runs-on: ubuntu-latest
+      steps:
+        - uses: getsentry/github-workflows/updater@v3
+          with:
+            path: scripts/update-sentry-native-ndk.sh
+            name: Native SDK
+            ssh-key: ${{ secrets.CI_DEPLOY_KEY }}
+  ```
+
   To update your existing Danger workflows:
+
   ```yaml
   ### Before
     danger:
 
@@ -26,6 +26,12 @@ runs:
         token: ${{ inputs.api-token }}
         fetch-depth: 0
 
+    # Read the Danger version from the properties file
+    - name: Get Danger version
+      id: config
+      shell: pwsh
+      run: Get-Content '${{ github.action_path }}/danger.properties' | Tee-Object $env:GITHUB_OUTPUT -Append
+
     # Using a pre-built docker image in GitHub container registry instead of NPM to reduce possible attack vectors.
     - name: Run DangerJS
       id: danger
@@ -41,5 +47,5 @@ runs:
           -e GITHUB_TOKEN="${{ inputs.api-token }}" \
           -e DANGER_DISABLE_TRANSPILATION="true" \
           -e EXTRA_DANGERFILE_INPUT="${{ inputs.extra-dangerfile }}" \
-          ghcr.io/danger/danger-js:13.0.1 \
+          ghcr.io/danger/danger-js:${{ steps.config.outputs.version }} \
           --failOnErrors --dangerfile ${{ github.action_path }}/dangerfile.js
@@ -0,0 +1,2 @@
+version=13.0.4
+repo=https://github.com/danger/danger-js
@@ -95,6 +95,18 @@ jobs:
           target-branch: v7
           pattern: '^1\.'  # Limit to major version '1'
           api-token: ${{ secrets.CI_DEPLOY_KEY }}
+
+  # Use a post-update script (sh or ps1) to make additional changes after dependency update
+  # The script receives two arguments: original version and new version
+  post-update-script:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: getsentry/github-workflows/updater@v3
+        with:
+          path: modules/sentry-cocoa
+          name: Cocoa SDK
+          post-update-script: scripts/post-update.sh  # Receives args: $1=old version, $2=new version
+          api-token: ${{ secrets.CI_DEPLOY_KEY }}
 ```
 
 ## Inputs
@@ -135,12 +147,45 @@ jobs:
   * type: string
   * required: false
   * default: '' (uses repository default branch)
+* `post-update-script`: Optional script to run after successful dependency update. Can be a bash script (`.sh`) or PowerShell script (`.ps1`). The script will be executed in the repository root directory before PR creation. The script receives two arguments:
+  * `$1` / `$args[0]` - The original version (version before update)
+  * `$2` / `$args[1]` - The new version (version after update)
+  * type: string
+  * required: false
+  * default: ''
 * `api-token`: Token for the repo. Can be passed in using `${{ secrets.GITHUB_TOKEN }}`.
   If you provide the usual `${{ github.token }}`, no followup CI will run on the created PR.
   If you want CI to run on the PRs created by the Updater, you need to provide custom user-specific auth token.
   * type: string
   * required: true
 
+### Post-Update Script Example
+
+**Bash script** (`scripts/post-update.sh`):
+
+```bash
+#!/usr/bin/env bash
+set -euo pipefail
+
+ORIGINAL_VERSION="$1"
+NEW_VERSION="$2"
+
+echo "Updated from $ORIGINAL_VERSION to $NEW_VERSION"
+# Make additional changes to repository files here
+```
+
+**PowerShell script** (`scripts/post-update.ps1`):
+
+```powershell
+param(
+    [Parameter(Mandatory = $true)][string] $OriginalVersion,
+    [Parameter(Mandatory = $true)][string] $NewVersion
+)
+
+Write-Output "Updated from $OriginalVersion to $NewVersion"
+# Make additional changes to repository files here
+```
+
 ## Outputs
 
 * `prUrl`: The created/updated PR's URL.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+version=13.0.4`
	`2`	`+repo=https://github.com/danger/danger-js`