chore(deps): update actions/create-github-app-token action to v3.1.1

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/create-github-app-token	action	patch	v3.1.0 → v3.1.1

---

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v3.1.1

Compare Source

Bug Fixes

• improve error message when app identifier is empty (#​362) (07e2b76), closes #​249

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Change: v3.1.0 → v3.1.1 (patch release)

Changes Included:

• Bug Fix: Improved error message when client-id input is empty or missing
  • Changed from generic "appId option is required" to more descriptive: "The 'client-id' input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context."
  • Resolves issues #362 and #249
• Internal Maintenance: Removed deprecated publish-immutable-action workflow
• Security Enhancement: Enabled repository-level immutable releases setting to prevent release tag tampering (addresses GHSA-mrrh-fwg8-r2c3 vulnerability class)

Breaking Changes: None

API Changes: None - all inputs and outputs remain unchanged

Security Fixes: Indirect security improvement through immutable releases feature, which prevents malicious actors from modifying release tags

🎯 Impact Scope Investigation

Usage Locations:

• Single usage found in .github/workflows/release-please.yml:28
• Action is used to create a GitHub App token for the Release Please workflow
• Current usage provides all required inputs: client-id, private-key, and permission scopes

Inputs Used in Codebase:

client-id: ${{ vars.RELEASE_PLEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_PLEASE_APP_PRIVATE_KEY }}
permission-contents: write
permission-pull-requests: write
permission-issues: write

Impact Analysis:

• ✅ All inputs used are valid and unchanged in v3.1.1
• ✅ No API modifications affecting current usage
• ✅ Error message improvement only affects failure scenarios (when client-id is missing)
• ✅ No dependency chain impact - this is a GitHub Action (not a code dependency)
• ✅ No configuration changes required

Other Dependencies: No impact on other packages or workflows

💡 Recommended Actions

Immediate Actions:

• ✅ Safe to merge immediately - this is a backward-compatible patch release
• No code changes required
• No configuration updates needed
• No migration steps necessary

Optional Actions:

• Monitor workflow execution after merge to confirm expected behavior
• The improved error message will provide better debugging if there are ever issues with the GitHub App credentials

Post-Merge Verification:

• Verify the next Release Please workflow run completes successfully
• No specific testing required - existing workflow should continue functioning identically

🔗 Reference Links

• v3.1.1 Release Notes
• Comparison: v3.1.0...v3.1.1
• Action Repository
• Issue #249 - Original error message improvement request
• Issue #362 - Implemented fix

Generated by koki-develop/claude-renovate-review