Bump actions/create-github-app-token from 2 to 3

[dependabot]

Bumps actions/create-github-app-token from 2 to 3.

Release notes

Sourced from actions/create-github-app-token's releases.

v3.0.0

3.0.0 (2026-03-14)

• feat!: node 24 support (#275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#143) (dce0ab0)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
• Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

• deps: bump @​actions/core from 1.11.1 to 3.0.0 (#337) (b044133)
• deps: bump minimatch from 9.0.5 to 9.0.9 (#335) (5cbc656)
• deps: bump the production-dependencies group with 4 updates (#336) (6bda5bc)
• deps: bump undici from 7.16.0 to 7.18.2 (#323) (b4f638f)

v3.0.0-beta.5

3.0.0-beta.5 (2026-03-13)

• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (d53a1cd)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.

v3.0.0-beta.4

3.0.0-beta.4 (2026-03-13)

Bug Fixes

• deps: bump @​octokit/auth-app from 7.2.1 to 8.0.1 (#257) (bef1eaf)
• deps: bump @​octokit/request from 9.2.3 to 10.0.2 (#256) (5d7307b)
• deps: bump glob from 10.4.5 to 10.5.0 (#305) (5480f43)
• deps: bump p-retry from 6.2.1 to 7.1.0 (#294) (dce3be8)

... (truncated)

Commits

• f8d387b build(release): 3.0.0 [skip ci]
• d2129bd style: remove extra blank line in release workflow
• 77b94ef build: refresh generated artifacts
• 3ab4c66 chore: move undici to devDependencies
• 739cf66 docs: update README action versions
• db40289 build(deps): bump actions versions in test.yml
• 496a7ac test: migrate from AVA to Node.js native test runner (#346)
• 3870dc3 Rename end-to-end proxy job in test workflow
• 4451bcb fix!: require NODE_USE_ENV_PROXY for proxy support (#342)
• dce0ab0 fix: remove custom proxy handling (#143)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	6		0	0	0.06s
✅ JSON	jsonlint	11		0	0	0.17s
✅ JSON	npm-package-json-lint	yes		no	no	2.74s
✅ JSON	prettier	11		0	0	1.06s
✅ JSON	v8r	11		0	0	11.13s
✅ MARKDOWN	markdownlint	1		0	0	0.65s
✅ REPOSITORY	checkov	yes		no	no	23.83s
✅ REPOSITORY	gitleaks	yes		no	no	1.31s
✅ REPOSITORY	git_diff	yes		no	no	0.04s
❌ REPOSITORY	grype	yes		9	no	51.17s
✅ REPOSITORY	secretlint	yes		no	no	1.2s
✅ REPOSITORY	syft	yes		no	no	5.93s
✅ REPOSITORY	trivy-sbom	yes		no	no	3.12s
✅ REPOSITORY	trufflehog	yes		no	no	160.56s
✅ TYPESCRIPT	prettier	30		0	0	1.44s
✅ YAML	prettier	18		0	0	0.8s
✅ YAML	v8r	18		0	0	12.0s
✅ YAML	yamllint	18		0	0	0.57s

Detailed Issues

❌ REPOSITORY / grype - 9 errors

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME        INSTALLED  FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS           RISK   
handlebars  4.7.8      4.7.9     npm   GHSA-2w6w-674q-4c4q  Critical  0.2% (48th)    0.2    
handlebars  4.7.8      4.7.9     npm   GHSA-3mfm-83xf-c92r  High      < 0.1% (20th)  < 0.1  
handlebars  4.7.8      4.7.9     npm   GHSA-xhpv-hc6g-r9c6  High      < 0.1% (13th)  < 0.1  
handlebars  4.7.8      4.7.9     npm   GHSA-9cx6-37pm-9jff  High      < 0.1% (11th)  < 0.1  
yaml        2.8.2      2.8.3     npm   GHSA-48c2-rrv3-qjmp  Medium    < 0.1% (13th)  < 0.1  
handlebars  4.7.8      4.7.9     npm   GHSA-xjpj-3mr7-gcpf  High      < 0.1% (4th)   < 0.1  
handlebars  4.7.8      4.7.9     npm   GHSA-2qvq-rjwj-gvw9  Medium    < 0.1% (8th)   < 0.1  
handlebars  4.7.8      4.7.9     npm   GHSA-7rx3-28cr-v5wh  Medium    N/A            N/A    
handlebars  4.7.8      4.7.9     npm   GHSA-442j-39wm-28r2  Low       N/A            N/A
[0051] ERROR discovered vulnerabilities at or above the severity threshold

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,TYPESCRIPT_PRETTIER,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository