chore: Add PR validation workflow

[stephanie-anderson]

Summary

• Adds a validate-pr.yml workflow to automatically validate non-maintainer PRs
• Checks that PRs reference a GitHub issue with prior discussion between the author and a maintainer
• Closes PRs that don't meet contribution guidelines (no issue reference, no maintainer discussion, or issue assigned to someone else)
• Enforces that all PRs start as drafts

Rollout of getsentry/sentry-python#4233 across all SDK repos.

Test plan

• Verify workflow file is valid YAML
• Confirm SDK_MAINTAINER_BOT_APP_ID var and SDK_MAINTAINER_BOT_PRIVATE_KEY secret are available to this repo
• Test with a non-maintainer PR that has no issue reference (should be closed)
• Test with a maintainer PR (should be skipped)

Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com

[github-actions]

Semver Impact of This PR

⚪ None (no version bump detected)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

Breaking Changes 🛠

• The _Metrics_ APIs are now stable: removed Experimental from SentrySdk, SentryOptions and IHub by Flash0ver in #5023

Features ✨

• Report a new _Diagnostic_ (SENTRY1001) when a Metrics-API is invoked with an unsupported numeric type by Flash0ver in #4840

Fixes 🐛

• fix: include Data set via ITransactionTracer in SentryTransaction by Flash0ver in #4148
• fix: CaptureFeedback now applies event processors by jamescrosswell in #4942

Dependencies ⬆️

Deps

• chore(deps): update CLI to v3.3.4 by github-actions in #5068
• chore(deps): update Java SDK to v8.37.0 by github-actions in #5069
• chore(deps): update Cocoa SDK to v9.8.0 by github-actions in #5044
• chore(deps): update Java SDK to v8.36.0 by github-actions in #5036
• chore(deps): update epitaph to 0.1.1 by github-actions in #5036
• chore(deps): update Native SDK to v0.13.3 by github-actions in #5045
• chore(deps): update Cocoa SDK to v9.7.0 by github-actions in #5015
• chore(deps): update Java SDK to v8.35.0 by github-actions in #5017
• chore(deps): replaced the heavy protobuf-javalite 3.25.8 dependency with a light-weight epitaph 0.1.0 alternative on Android (getsentry/sentry-java#5157) by github-actions in #5017
• chore(deps): update CLI to v3.3.3 by github-actions in #5002
• chore(deps): update Cocoa SDK to v9.6.0 by github-actions in #4958

Other

• chore: Add PR validation workflow by stephanie-anderson in #5078

• ref: Use .NET 6.0 ArgumentNullException throw helpers by copilot-swe-agent in #4985

---

_{🤖 This preview updates automatically when you update the PR.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.01%. Comparing base (3e2eae9) to head (7c9774c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5078   +/-   ##
=======================================
  Coverage   74.00%   74.01%           
=======================================
  Files         499      499           
  Lines       18066    18066           
  Branches     3518     3518           
=======================================
+ Hits        13370    13371    +1     
  Misses       3837     3837           
+ Partials      859      858    -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[sentry]

Bug: The maintainer check at line 204 incorrectly uses the PR's repository (repo.owner, repo.repo) instead of the issue's repository (ref.owner, ref.repo) for validation.
_{Severity: HIGH}

Suggested Fix

Update the call to the isMaintainer function to use the correct variables for the issue's repository. Change isMaintainer(repo.owner, repo.repo, user) to isMaintainer(ref.owner, ref.repo, user).

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/validate-pr.yml#L204

Potential issue: The workflow is designed to check if a maintainer has participated in a
linked issue, even if that issue is in a different repository. However, the call to
`isMaintainer` on line 204 incorrectly uses the PR's repository details (`repo.owner`,
`repo.repo`) instead of the issue's repository details (`ref.owner`, `ref.repo`). This
causes the check to fail when a maintainer of the issue's repository (but not the PR's
repository) comments on the issue, leading to the PR being incorrectly closed for
lacking maintainer discussion.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[sentry]

Bug: The enforce-draft job incorrectly runs on maintainer PRs because the was-closed output is unset, causing the conditional check to pass erroneously.
_{Severity: MEDIUM}

Suggested Fix

The validate-non-maintainer-pr job should produce an output to indicate if the author was a maintainer. The enforce-draft job's conditional check should be updated to use this new output to skip execution for maintainers.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/validate-pr.yml#L262-L265

Potential issue: When a maintainer opens a pull request, the
`validate-non-maintainer-pr` job correctly exits early but fails to set the `was-closed`
output. This output defaults to an empty string. The subsequent `enforce-draft` job has
a condition `needs.validate-non-maintainer-pr.outputs.was-closed != 'true'`, which
evaluates to `true` because an empty string is not equal to `'true'`. As a result, the
`enforce-draft` job incorrectly runs and converts the maintainer's non-draft PR into a
draft, which is contrary to the intended design.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Wrong token used for converting PR to draft

High Severity

The Convert PR to draft step sets GH_TOKEN to ${{github.token}} (the default GITHUB_TOKEN), but gh pr ready --undo uses the convertPullRequestToDraft GraphQL mutation, which is known to fail with the default GITHUB_TOKEN — even with pull-requests: write permission. The app token is generated in the previous step specifically for this purpose but goes unused here. GH_TOKEN needs to use ${{ steps.app-token.outputs.token }} instead.

Additional Locations (1)

• .github/workflows/validate-pr.yml#L270-L276

 

[cursor]

Maintainer check uses PR's repo instead of issue's repo

Medium Severity

The comment on line 193 says "admin/maintain access on the issue's repo," but isMaintainer is called with repo.owner, repo.repo (the PR's target repo) instead of ref.owner, ref.repo (the referenced issue's repo). For cross-repo references (e.g., a PR to sentry-dotnet referencing getsentry/sentry#123), a sentry maintainer who discussed the issue would not be recognized, incorrectly closing the PR for "missing maintainer discussion."

Additional Locations (1)

• .github/workflows/validate-pr.yml#L192-L193