fix: update GitHub Actions workflow permissions #20034

Closed
stephanie-anderson wants to merge 1 commit into develop from stephanie-anderson-patch-1

Conversation

stephanie-anderson (Contributor) commented Mar 30, 2026

Seems the action needs contents: write after all

github-actions bot (Contributor) commented Mar 30, 2026

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


New Features ✨

Deps

  • Bump babel-loader from 10.0.0 to 10.1.1 by dependabot in #19997
  • Bump handlebars from 4.7.7 to 4.7.9 by dependabot in #20008

Nuxt

  • Add middleware instrumentation compatibility for Nuxt 5 by s1gr1d in #19968
  • Support parametrized SSR routes in Nuxt 5 by s1gr1d in #19977

Other

  • (browser) Replace element timing spans with metrics by logaretm in #19869
  • (bun) Add bunRuntimeMetricsIntegration by chargome in #19979
  • (core) Support embedding APIs in google-genai by nicohrubec in #19797
  • (node) Add nodeRuntimeMetricsIntegration by chargome in #19923

Bug Fixes 🐛

  • (e2e) Pin @opentelemetry/api to 1.9.0 in ts3.8 test app by logaretm in #19992
  • (node) Ensure startNewTrace propagates traceId in OTel environments by logaretm in #19963
  • (nuxt) Use virtual module for Nuxt pages data (SSR route parametrization) by s1gr1d in #20020
  • (opentelemetry) Convert seconds timestamps in span.end() to milliseconds by logaretm in #19958
  • Update GitHub Actions workflow permissions by stephanie-anderson in #20034

Documentation 📚

  • (release) Update publishing-a-release.md by nicohrubec in #19982

Internal Changes 🔧

Core

  • Introduce instrumented method registry for AI integrations by nicohrubec in #19981
  • Consolidate getOperationName into one shared utility by nicohrubec in #19971

Deps

  • Bump amqplib from 0.10.7 to 0.10.9 by dependabot in #20000
  • Bump actions/upload-artifact from 6 to 7 by dependabot in #19569
  • Bump srvx from 0.11.12 to 0.11.13 by dependabot in #20001
  • Bump @apollo/server from 5.4.0 to 5.5.0 by dependabot in #20007

Deps Dev

  • Remove esbuild override in astro-5-cf-workers E2E test by isaacs in #20024
  • Bump node-forge from 1.3.2 to 1.4.0 by dependabot in #20012
  • Bump yaml from 2.8.2 to 2.8.3 by dependabot in #19985

Other

  • (deno) Expand Deno E2E test coverage by chargome in #19957
  • (e2e) Add e2e tests for nodeRuntimeMetricsIntegration by chargome in #19989

🤖 This preview updates automatically when you update the PR.


cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Elevated contents: write on pull_request_target workflow
    • Removed unnecessary contents:write permission as the validate-pr action only needs pull-requests:write to close PRs, convert to draft, add labels, and create comments without ever modifying repository contents.

Preview (5719c69ec4)
diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -9,7 +9,6 @@
     runs-on: ubuntu-24.04
     permissions:
       pull-requests: write
-      contents: write
     steps:
       - uses: getsentry/github-workflows/validate-pr@4ff40ada546d4a31b852a4279828b989a6193497
         with:
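Review bot: Confirm which write scope the pinned validate-pr action actually exercises before merging either direction. The PR description says the action "needs contents: write after all", while this hunk drops it and leaves only `pull-requests: write` in the job's `permissions:` block. If the action only comments, labels, closes or converts PRs to draft, `pull-requests: write` is sufficient and the hunk is the correct least-privilege change; if it pushes commits or tags, the hunk will make the job fail at runtime. The step's `with:` inputs are cut off in this context, so the diff alone does not settle the question; a run against a fork PR and the action's documented required permissions would. Because the workflow is triggered by pull_request_target (per the Bugbot comment), the GITHUB_TOKEN here carries its write scopes for fork-originated PRs, which is why trimming to the minimum matters. Pinning the action to a full commit SHA is good and should stay as-is.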


Inline comment on:

    runs-on: ubuntu-24.04
    permissions:
      pull-requests: write
      contents: write

Elevated contents: write on pull_request_target workflow

Medium Severity

Adding contents: write to a pull_request_target-triggered workflow grants the GITHUB_TOKEN write access to repository contents for PRs originating from forks. This is a well-documented attack vector — recent incidents (Trivy breach, hackerbot-claw campaign, March 2026) exploited exactly this pattern to push malicious code and exfiltrate secrets. A PR validation workflow typically only needs to read content and comment on PRs, making contents: write broader than expected. Flagged per the review rules' security vulnerability guidelines.


Triggered by project rule: PR Review Guidelines for Cursor Bot
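The pattern Bugbot flags above (a pull_request_target-triggered workflow whose job grants write scopes beyond what a PR-validation step needs) is easy to check for mechanically. The following audit script is an added example, not code from this PR or the Sentry repository: it scans a workflow file for the pull_request_target trigger and for `write` grants in any `permissions:` block, and reports every write scope outside an allow-list. The sample workflow is constructed from the job-level block shown in the diff; the trigger section and the allow-list (only `pull-requests`) are assumptions, and the trigger detection is a line-level heuristic rather than a full YAML parse.

```python
import re

# Constructed sample, modelled on the job-level permissions block visible in the
# PR diff. The trigger block is assumed; the action pin is the one on the page.
BEFORE = """\
name: Validate PR
on:
  pull_request_target:
    types: [opened, edited, synchronize]
jobs:
  validate:
    runs-on: ubuntu-24.04
    permissions:
      pull-requests: write
      contents: write
    steps:
      - uses: getsentry/github-workflows/validate-pr@4ff40ada546d4a31b852a4279828b989a6193497
"""

# The same workflow after the autofix hunk: contents: write removed.
AFTER = BEFORE.replace("      contents: write\n", "")

# Write scopes a PR-validation job is expected to need (assumption for this audit).
ALLOWED_WRITE = {"pull-requests"}


def _code(line: str) -> str:
    """Drop a trailing YAML comment so commented-out keys are not counted."""
    return line.split("#", 1)[0].rstrip()


def uses_pull_request_target(text: str) -> bool:
    """Heuristic: the trigger name appears anywhere outside a comment."""
    return any(re.search(r"\bpull_request_target\b", _code(l)) for l in text.splitlines())


def write_permissions(text: str) -> set:
    """Return every scope granted 'write' in any permissions: block; '*' means write-all."""
    scopes = set()
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)permissions:\s*(.*)$", _code(lines[i]))
        i += 1
        if not m:
            continue
        indent, inline = len(m.group(1)), m.group(2).strip()
        if inline == "write-all":
            scopes.add("*")
        elif inline.startswith("{"):  # flow style: permissions: {contents: write}
            scopes.update(re.findall(r"([\w-]+):\s*write\b", inline))
        # Block style: consume lines indented deeper than the permissions: key.
        while i < len(lines):
            sub = _code(lines[i])
            if sub.strip() and len(sub) - len(sub.lstrip()) <= indent:
                break
            km = re.match(r"^\s*([\w-]+):\s*write\s*$", sub)
            if km:
                scopes.add(km.group(1))
            i += 1
    return scopes


def audit_workflow(text: str) -> list:
    """Findings for write scopes beyond ALLOWED_WRITE in a pull_request_target workflow."""
    if not uses_pull_request_target(text):
        return []
    findings = []
    for scope in sorted(write_permissions(text)):
        if scope == "*":
            findings.append("pull_request_target workflow grants write-all")
        elif scope not in ALLOWED_WRITE:
            findings.append(f"pull_request_target workflow grants {scope}: write")
    return findings


if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(wf) or "no findings")
```

Run against the constructed "before" workflow it reports `contents: write`; against the "after" version (the hunk applied) it reports nothing. Top-level `permissions:` blocks, `write-all`, and flow-style mappings are handled as well, so the same check can run over every file under `.github/workflows/` in CI; a workflow that does not use pull_request_target is skipped, since a plain pull_request run from a fork gets a read-only token anyway.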

github-actions bot (Contributor)

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

| Path | Size | % Change | Change |
|---|---|---|---|
| @sentry/browser | 25.69 kB | - | - |
| @sentry/browser - with treeshaking flags | 24.17 kB | - | - |
| @sentry/browser (incl. Tracing) | 42.17 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 46.79 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 80.98 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 70.6 kB | - | - |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 85.7 kB | - | - |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 97.97 kB | - | - |
| @sentry/browser (incl. Feedback) | 42.48 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 30.35 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 35.4 kB | - | - |
| @sentry/browser (incl. Metrics) | 26.96 kB | - | - |
| @sentry/browser (incl. Logs) | 27.1 kB | - | - |
| @sentry/browser (incl. Metrics & Logs) | 27.78 kB | - | - |
| @sentry/react | 27.45 kB | - | - |
| @sentry/react (incl. Tracing) | 44.52 kB | - | - |
| @sentry/vue | 30.13 kB | - | - |
| @sentry/vue (incl. Tracing) | 44.08 kB | - | - |
| @sentry/svelte | 25.7 kB | - | - |
| CDN Bundle | 28.39 kB | - | - |
| CDN Bundle (incl. Tracing) | 43.2 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) | 29.76 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 44.25 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) | 68.56 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) | 80.08 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 81.16 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 85.62 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 86.67 kB | - | - |
| CDN Bundle - uncompressed | 82.93 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 128.07 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 87.07 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 131.48 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 210.06 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 244.95 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 248.34 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 257.86 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 261.25 kB | - | - |
| @sentry/nextjs (client) | 46.93 kB | - | - |
| @sentry/sveltekit (client) | 42.67 kB | - | - |
| @sentry/node-core | 56.51 kB | +0.03% | +13 B 🔺 |
| @sentry/node | 173.6 kB | +0.01% | +12 B 🔺 |
| @sentry/node - without tracing | 96.54 kB | +0.01% | +5 B 🔺 |
| @sentry/aws-serverless | 113.54 kB | +0.01% | +8 B 🔺 |

View base workflow run

github-actions bot (Contributor)

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
|---|---|---|---|---|
| GET Baseline | 9,209 | - | 8,837 | +4% |
| GET With Sentry | 1,595 | 17% | 1,654 | -4% |
| GET With Sentry (error only) | 5,743 | 62% | 6,073 | -5% |
| POST Baseline | 1,139 | - | 1,202 | -5% |
| POST With Sentry | 585 | 51% | 591 | -1% |
| POST With Sentry (error only) | 1,048 | 92% | 1,051 | -0% |
| MYSQL Baseline | 3,245 | - | 3,229 | +0% |
| MYSQL With Sentry | 447 | 14% | 487 | -8% |
| MYSQL With Sentry (error only) | 2,653 | 82% | 2,640 | +0% |

View base workflow run
