fix(ci): set explicit commit author for update-binaries job

[philprime]

The stefanzweifel/git-auto-commit-action in the update-binaries job
defaults commit_author to ${{ github.actor }}. For scheduled workflow
runs, GitHub resolves github.actor to a former org member (brustolin),
causing the "bump bundled binaries" commit to be attributed to them
instead of the GitHub App.

This sets explicit commit_author, commit_user_name, and
commit_user_email using the GitHub App identity from the
actions/create-github-app-token output (app-slug), following
GitHub's bot email convention ({APP_ID}+{SLUG}[bot]@users.noreply.github.com).

#skip-changelog

[github-actions]

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

This PR will not appear in the changelog.

---

_{🤖 This preview updates automatically when you update the PR.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: App ID used instead of bot user ID in email
  • Added a step that fetches the [bot] machine user ID via gh api users/{slug}%5Bbot%5D and uses that ID in the noreply email instead of the GitHub App ID.

Or push these changes by commenting:

@cursor push b9348db254

Preview (b9348db254)

diff --git a/.github/workflows/update-deps.yml b/.github/workflows/update-deps.yml
--- a/.github/workflows/update-deps.yml
+++ b/.github/workflows/update-deps.yml
@@ -58,11 +58,18 @@
           token: ${{ steps.app_token.outputs.token }}
       - name: Download latest binaries.
         run: script/sentry-cli-download.sh
+      - name: Resolve bot user ID for noreply email
+        id: bot_user
+        env:
+          GH_TOKEN: ${{ steps.app_token.outputs.token }}
+        run: |
+          BOT_ID=$(gh api "users/${{ steps.app_token.outputs.app-slug }}%5Bbot%5D" --jq .id)
+          echo "id=${BOT_ID}" >> "${GITHUB_OUTPUT}"
       - name: Commit latest binaries.
         uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
         with:
           branch: ${{ needs.update-cli.outputs.prBranch }}
           commit_message: bump bundled binaries
-          commit_author: "${{ steps.app_token.outputs.app-slug }}[bot] <${{ vars.SENTRY_FASTLANE_PLUGIN_UPDATER_GITHUB_APP_ID }}+${{ steps.app_token.outputs.app-slug }}[bot]@users.noreply.github.com>"
+          commit_author: "${{ steps.app_token.outputs.app-slug }}[bot] <${{ steps.bot_user.outputs.id }}+${{ steps.app_token.outputs.app-slug }}[bot]@users.noreply.github.com>"
           commit_user_name: "${{ steps.app_token.outputs.app-slug }}[bot]"
-          commit_user_email: "${{ vars.SENTRY_FASTLANE_PLUGIN_UPDATER_GITHUB_APP_ID }}+${{ steps.app_token.outputs.app-slug }}[bot]@users.noreply.github.com"
+          commit_user_email: "${{ steps.bot_user.outputs.id }}+${{ steps.app_token.outputs.app-slug }}[bot]@users.noreply.github.com"

_{This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.}

[cursor]

App ID used instead of bot user ID in email

Medium Severity

The noreply email uses vars.SENTRY_FASTLANE_PLUGIN_UPDATER_GITHUB_APP_ID (the GitHub App ID), but GitHub's noreply email convention for bots requires the bot user ID — the numeric ID of the {slug}[bot] machine user account, which is a different number. The app ID is confirmed by its use as the app-id input to create-github-app-token. Using the wrong ID means commits will be created successfully but won't display the [bot] badge or link to the App's profile on GitHub, partially defeating the purpose of this change. The bot user ID can be obtained via gh api "/users/{slug}%5Bbot%5D" --jq .id.

 

[itaybre]

LGTM