Merge branch 'main' into ref/cwe-676-dangerous-functions

Author: philprime

.claude/skills

@@ -0,0 +1 @@
+../.agents/skills

.cursor/mcp.json

@@ -0,0 +1,15 @@
+{
+  "mcpServers": {
+    "XcodeBuildMCP": {
+      "command": "npx",
+      "args": [
+        "-y",
+        "xcodebuildmcp@2.0.7",
+        "mcp"
+      ]
+    },
+    "sentry": {
+      "url": "https://mcp.sentry.dev/mcp/sentry-sdks/sentry-cocoa"
+    }
+  }
+}

.github/AGENTS.md

@@ -0,0 +1,108 @@
+# .github
+
+> Instructions for LLM agents. Keep edits minimal (headers + bullets). Use `/agents-md` skill when editing.
+
+## Workflow Naming
+
+**Workflow names** — concise, action-oriented: `[Action] [Subject]`
+
+- `Release`, `UI Tests`, `Benchmarking`, `Lint SwiftLint`, `Test CocoaPods`
+
+**Job names** — no redundant prefixes, use action verbs, max 3-4 words, no tool versions:
+
+| Category | Examples                                                                |
+| -------- | ----------------------------------------------------------------------- |
+| Build    | `Build XCFramework Slice`, `${{matrix.sdk}}`                            |
+| Test     | `Test ${{matrix.name}} V3 # Up the version...`, `Unit ${{matrix.name}}` |
+| Validate | `Validate XCFramework`, `Check API Stability`                           |
+| Lint     | `Lint` (when workflow name already specifies tool)                      |
+| Utility  | `Collect App Metrics`, `Detect File Changes`                            |
+
+### Flaky Test Tracking
+
+Version number in BOTH job name AND comment (monitoring captures names, ignores comments):
+
+```yaml
+name: Test iOS Swift V5 # Up the version with every change to keep track of flaky tests
+```
+
+## Concurrency
+
+### Pattern 1: Conditional (most common)
+
+```yaml
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+```
+
+Cancels PR runs on new push. Never cancels main/release/schedule.
+
+### Pattern 2: Always Cancel (PR-only workflows)
+
+```yaml
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+```
+
+### Pattern 3: Fixed Group (special cases)
+
+```yaml
+concurrency:
+  group: "auto-update-tools"
+  cancel-in-progress: true
+```
+
+Each concurrency block must include comments explaining purpose, resource considerations, and branch protection logic.
+
+## File Filters (`file-filters.yml`)
+
+- Every directory with code/tests/config must appear in at least one filter
+- Use `**` for recursive matching (`Sources/**`, not `Sources/*`)
+- Include related workflow and config files in each filter group
+
+### Templates
+
+```yaml
+# Unit tests
+run_unit_tests_for_prs:
+  - "Sources/**"
+  - "Tests/**"
+  - "SentryTestUtils/**"
+  - "SentryTestUtilsDynamic/**"
+  - "SentryTestUtilsTests/**"
+  - ".github/workflows/test.yml"
+  - ".github/file-filters.yml"
+  - "scripts/ci-*.sh"
+  - "test-server/**"
+  - "**/*.xctestplan"
+  - "Plans/**"
+  - "Sentry.xcodeproj/**"
+```
+
+```yaml
+# Lint
+run_lint_swift_formatting_for_prs:
+  - "**/*.swift"
+  - ".github/workflows/lint-swift-formatting.yml"
+  - ".github/file-filters.yml"
+  - ".swiftlint.yml"
+```
+
+```yaml
+# Build
+run_build_for_prs:
+  - "Sources/**"
+  - "Samples/**"
+  - ".github/workflows/build.yml"
+  - ".github/file-filters.yml"
+  - "Sentry.xcodeproj/**"
+  - "Package*.swift"
+```
+
+### When changing project structure
+
+1. List all new/renamed directories
+2. Check each against `file-filters.yml`
+3. Add missing patterns to appropriate filter groups

.github/ISSUE_TEMPLATE/bug.yml

@@ -44,6 +44,25 @@ body:
     validations:
       required: true
 
+  - type: dropdown
+    id: other_error_monitoring
+    attributes:
+      description: Are you using any other error monitoring solution alongside Sentry?
+      label: Other Error Monitoring Solution
+      options:
+        - "Yes"
+        - "No"
+    validations:
+      required: true
+
+  - type: input
+    id: other_error_monitoring_name
+    attributes:
+      label: Other Error Monitoring Solution Name
+      description: If you're using another error monitoring solution side-by-side, please enter the name of the other solution.
+    validations:
+      required: false
+
   - type: input
     id: version
     attributes:

.github/file-filters.yml

@@ -40,6 +40,7 @@ run_unit_tests_for_prs: &run_unit_tests_for_prs
   - "scripts/tests-with-thread-sanitizer.sh"
   - "scripts/ci-boot-simulator.sh"
   - "scripts/ci-ensure-runtime-loaded.sh"
+  - "scripts/prepare-package.sh"
 
   # Test infrastructure
   - "test-server/**"
@@ -105,33 +106,25 @@ run_integration_test_for_prs: &run_integration_test_for_prs
   - "fastlane/**"
   - "Gemfile.lock"
 
-run_benchmarking_for_prs: &run_benchmarking_for_prs
-  - "Sources/**"
-
-  # GH Actions
+# Benchmarks always run on main, but on PRs they only run when benchmarking-related files change.
+# We intentionally exclude Sources/**, Tests/**, and other broad patterns here because benchmarks
+# are expensive (SauceLabs devices) and slow down PR CI. SDK source changes are covered by the
+# benchmarks running on every push to main.
+run_benchmarking_for_prs: &run_benchmarking_for_prs # GH Actions
   - ".github/workflows/benchmarking.yml"
   - ".github/file-filters.yml"
 
-  # Benchmarking implementation
-  - "Samples/iOS-Swift/**"
+  # Benchmarking test target and implementation
+  - "Samples/iOS-Swift/iOS-Benchmarking/**"
+  - "Samples/iOS-Swift/iOS-Benchmarking.xcconfig"
+  - "Samples/iOS-Swift/iOS-Swift/Profiling/BenchmarkingViewController.swift"
+  - "Samples/iOS-Swift/iOS-Swift/Tools/SentryBenchmarking.h"
+  - "Samples/iOS-Swift/iOS-Swift/Tools/SentryBenchmarking.mm"
+  - "Samples/iOS-Swift/iOS-Swift.yml"
+  - "Samples/SentrySampleShared/SentrySampleUITestShared/**"
   - ".sauce/benchmarking-config.yml"
   - "Plans/iOS-Benchmarking_Base.xctestplan"
 
-  # Scripts
-  - "scripts/ci-select-xcode.sh"
-  - "scripts/ci-diagnostics.sh"
-  - "scripts/ci-utils.sh"
-
-  # Project files
-  - "Samples/iOS-Swift/iOS-Swift.yml"
-  - "Samples/iOS-Swift/iOS-Swift.xcconfig"
-  - "Samples/iOS-Swift/iOS-SwiftClip.xcconfig"
-  - "Samples/iOS-Swift/iOS-Benchmarking.xcconfig"
-  - "Package*.swift"
-
-  # Build configuration
-  - "fastlane/**"
-
 run_test_cross_platform_for_prs: &run_test_cross_platform_for_prs
   - "Sources/**"
 
@@ -257,6 +250,7 @@ run_release_for_prs: &run_release_for_prs
   - "scripts/assemble-xcframework.sh"
   - "scripts/generate_release_matrix.sh"
   - "scripts/xcframework-generated-run.sh"
+  - "scripts/prepare-package.sh"
 
   # Project files
   - "Sentry.xcworkspace/**"
@@ -354,6 +348,7 @@ run_build_for_prs: &run_build_for_prs
   - "scripts/sentry-xcodebuild.sh"
   - "scripts/check-ui-framework-linkage.sh"
   - "scripts/ci-utils.sh"
+  - "scripts/prepare-package.sh"
 
   # Build configuration
   - "fastlane/**"

.github/last-release-runid

@@ -1 +1 @@
-22398130588
+22957182287

.github/workflows/analyze-language-trends.yml

@@ -37,7 +37,7 @@ jobs:
         run: sudo apt-get update && sudo apt-get install -y cmake pkg-config libicu-dev
 
       - name: Setup Ruby
-        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
+        uses: ruby/setup-ruby@6ca151fd1bfcfd6fe0c4eb6837eb0584d0134a0c # v1.290.0
         with:
           bundler-cache: true
 

.github/workflows/assemble-xcframework-variant.yml

@@ -71,7 +71,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Setup Ruby
-        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
+        uses: ruby/setup-ruby@6ca151fd1bfcfd6fe0c4eb6837eb0584d0134a0c # v1.290.0
         if: ${{ inputs.signed }}
         with:
           bundler-cache: true
@@ -111,7 +111,7 @@ jobs:
           fi
 
       - name: Download ${{inputs.variant-id}} Slices
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           pattern: xcframework-${{inputs.variant-id}}-slice-*
           path: xcframework-slices
@@ -169,7 +169,7 @@ jobs:
         shell: bash
 
       - name: Upload XCFramework
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         env:
           XCFRAMEWORK_NAME: ${{ env.XCFRAMEWORK_NAME }}
         with:

.github/workflows/auto-update-tools.yml

@@ -61,8 +61,17 @@ jobs:
     needs: files-changed
     runs-on: macos-15
     steps:
+      - name: Generate GitHub App Token
+        id: app_token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        with:
+          app-id: ${{ vars.SENTRY_DEPENDENCY_UPDATER_GITHUB_APP_ID }}
+          private-key: ${{ secrets.SENTRY_DEPENDENCY_UPDATER_GITHUB_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
       - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ steps.app_token.outputs.token }}
       - name: Update Homebrew
         run: brew update
 
@@ -84,6 +93,7 @@ jobs:
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
         with:
+          token: ${{ steps.app_token.outputs.token }}
           add-paths: scripts/.clang-format-version
           branch: github-actions/auto-update-tools-clang-format
           commit-message: "chore(deps): Update clang-format version"
@@ -96,6 +106,7 @@ jobs:
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
         with:
+          token: ${{ steps.app_token.outputs.token }}
           add-paths: scripts/.swiftlint-version
           branch: github-actions/auto-update-tools-swiftlint
           commit-message: "chore(deps): Update swiftlint version"

.github/workflows/benchmarking.yml

@@ -64,7 +64,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - run: ./scripts/ci-select-xcode.sh 26.1.1
       - name: Setup Ruby
-        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
+        uses: ruby/setup-ruby@6ca151fd1bfcfd6fe0c4eb6837eb0584d0134a0c # v1.290.0
         with:
           bundler-cache: true
       - run: make init-ci-build
@@ -106,7 +106,7 @@ jobs:
 
       - name: Upload Built Apps for SauceLabs
         if: needs.files-changed.outputs.is_dependabot != 'true'
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: benchmark-apps
           path: |
@@ -133,7 +133,7 @@ jobs:
         suite: ["High-end device", "Mid-range device", "Low-end device"]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: actions/download-artifact@v7
+      - uses: actions/download-artifact@v8
         with:
           name: benchmark-apps
       - run: npm install -g saucectl@0.197.2