Merge branch 'main' into antonis/upgrade-perf-test-apps-rn-0.85.1

antonis · web-flow · commit a7c5dd40bda9 · 2026-05-06T10:03:31.000+02:00
diff --git a/.github/workflows/release-comment-issues.yml b/.github/workflows/release-comment-issues.yml
@@ -0,0 +1,38 @@
+name: "Automation: Notify issues for release"
+on:
+  release:
+    types:
+      - published
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Which version to notify issues for
+        required: true
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: read
+
+jobs:
+  release-comment-issues:
+    runs-on: ubuntu-latest
+    name: "Notify issues"
+    steps:
+      - name: Get version
+        id: get_version
+        env:
+          INPUTS_VERSION: ${{ github.event.inputs.version }}
+          RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+        run: echo "version=${INPUTS_VERSION:-$RELEASE_TAG_NAME}" >> "$GITHUB_OUTPUT"
+
+      - name: Comment on linked issues that are mentioned in release
+        if: |
+          steps.get_version.outputs.version != ''
+          && !contains(steps.get_version.outputs.version, '-beta.')
+          && !contains(steps.get_version.outputs.version, '-alpha.')
+          && !contains(steps.get_version.outputs.version, '-rc.')
+        uses: getsentry/release-comment-issues-gh-action@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          version: ${{ steps.get_version.outputs.version }}
diff --git a/scripts/check-additional-danger.js b/scripts/check-additional-danger.js
@@ -11,4 +11,5 @@ module.exports = async function ({ fail, warn, message, markdown, danger }) {
   await safeRun('./check-github-label', { fail, warn, message, markdown, danger });
   await safeRun('./check-replay-stubs', { fail, warn, message, markdown, danger });
   await safeRun('./check-android-sdk-mismatch', { fail, warn, message, markdown, danger });
+  await safeRun('./check-auth-token-changes', { fail, warn, message, markdown, danger });
 };
diff --git a/scripts/check-auth-token-changes.js b/scripts/check-auth-token-changes.js
@@ -0,0 +1,47 @@
+const AUTH_TOKEN_PATTERN = /\b(SENTRY_AUTH_TOKEN|auth[._]token)\b|[Aa]uth[Tt]oken/;
+
+const EXCLUDED_PATHS = [
+  /^\.github\//,
+  /^CHANGELOG\.md$/,
+];
+
+module.exports = async function ({ fail, warn, __, ___, danger }) {
+  const allChangedFiles = [
+    ...danger.git.modified_files,
+    ...danger.git.created_files,
+  ].filter(file => !EXCLUDED_PATHS.some(pattern => pattern.test(file)));
+
+  const flaggedFiles = [];
+
+  for (const file of allChangedFiles) {
+    try {
+      const diff = await danger.git.structuredDiffForFile(file);
+      if (!diff) {
+        continue;
+      }
+
+      const hasAuthTokenChange = diff.chunks.some(chunk =>
+        chunk.changes.some(change =>
+          change.add && AUTH_TOKEN_PATTERN.test(change.content)
+        )
+      );
+
+      if (hasAuthTokenChange) {
+        flaggedFiles.push(file);
+      }
+    } catch (_error) {
+      // Skip files where diff fails (e.g. binary files)
+    }
+  }
+
+  if (flaggedFiles.length > 0) {
+    const fileList = flaggedFiles.map(file => `- \`${file}\``).join("\n");
+    warn(
+      `### ⚠️ Auth token handling changes detected\n\n` +
+      `This PR modifies code related to Sentry auth token handling. ` +
+      `Please ensure no auth tokens are accidentally exposed or mishandled. ` +
+      `See [GHSA-68c2-4mpx-qh95](https://github.com/getsentry/sentry-react-native/security/advisories/GHSA-68c2-4mpx-qh95) for context.\n\n` +
+      `Files with auth token changes:\n${fileList}`
+    );
+  }
+};
