chore(deps): update actions/create-github-app-token action to v2.2.2 #261

Open
renovate[bot] wants to merge 1 commit into main from renovate/actions-create-github-app-token-2.x


renovate Bot commented Apr 20, 2026

This PR contains the following updates:

Package | Type | Update | Change
actions/create-github-app-token | action | patch | v2.2.1 → v2.2.2

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v2.2.2

Compare Source

Bug Fixes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


github-actions Bot commented Apr 20, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Change: v2.2.1 → v2.2.2 (Patch Release)

Release Type: Maintenance and security update focusing exclusively on dependency bumps

Key Changes:

  • Security Fix: Updated undici from 7.16.0 to 7.18.2, addressing CVE-2026-22036 (Content-Encoding chain limit to prevent resource exhaustion via decompression attacks)
  • Core Dependencies: Bumped @actions/core from 1.11.1 to 3.0.0
  • Pattern Matching: Updated minimatch from 9.0.5 to 9.0.9
  • Production Dependencies: Updated 4 additional production-level packages
  • No Breaking Changes: No modifications to action.yml, action inputs/outputs, or core functionality
  • No API Changes: The action interface remains completely unchanged

Breaking Changes: None

Security Fixes:

  • Critical undici CVE patch preventing DoS attacks
  • tar library security improvements for symlink handling
  • lodash security update

🎯 Impact Scope Investigation

Usage Location:

  • Single usage in .github/workflows/release-please.yml:46
  • Used to generate a GitHub App token for Homebrew tap repository updates during releases
  • Configuration parameters remain unchanged:
    • app-id: ${{ secrets.HOMEBREW_TAP_APP_ID }}
    • private-key: ${{ secrets.HOMEBREW_TAP_APP_PRIVATE_KEY }}
    • owner: ${{ github.repository_owner }}
    • repositories: homebrew-tap
    • permission-contents: write

Impact Analysis:

  • ✅ No changes required to workflow configuration
  • ✅ No changes required to secrets or inputs
  • ✅ Token generation behavior remains identical
  • ✅ All CI checks passing (Build, Lint, Test, actionlint, ghalint, zizmor)
  • ✅ Renovate stability-days check passed

Dependency Impact:

  • This is a GitHub Action dependency, isolated to the workflow execution environment
  • No impact on Go codebase or runtime dependencies
  • No impact on build process or release artifacts

💡 Recommended Actions

Immediate Action: ✅ Safe to merge immediately

Justification:

  1. Patch version bump with zero breaking changes
  2. Only dependency updates, no functional changes
  3. Includes important security fixes (undici CVE)
  4. No modifications to action inputs, outputs, or behavior
  5. All automated checks passing
  6. No code changes required in the repository

Post-Merge:

  • No manual intervention needed
  • No configuration updates required
  • Monitor next release workflow execution to confirm functionality (expected to work identically)

🔗 Reference Links

Generated by koki-develop/claude-renovate-review

renovate Bot force-pushed the renovate/actions-create-github-app-token-2.x branch from 916de7f to 58a1e41 (April 21, 2026 21:54)