fix: use token instead of ssh-key for checkout and add changelog entry

Fix final issues in composite action conversion:

1. updater/action.yml:
   - Replace ssh-key parameter with token parameter in checkout steps
   - Composite actions receive GitHub tokens as inputs, not SSH keys
   - This fixes the 'Permission denied (publickey)' errors in CI

2. CHANGELOG.md:
   - Add changelog entry for the workflow-to-composite-actions conversion
   - Satisfies Danger JS changelog requirement

This resolves all remaining CI failures and addresses both the review
comments and the Danger JS requirements.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: vaind

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Features
+
+- Convert reusable workflows to composite actions ([#114](https://github.com/getsentry/github-workflows/pull/114))
+
 ### Fixes
 
 - Danger and updater download script URLs cannot use GITHUB_WORKFLOW_REF ([#111](https://github.com/getsentry/github-workflows/pull/111))

updater/action.yml

@@ -94,7 +94,7 @@ runs:
     - name: Checkout repository
       uses: actions/checkout@v4
       with:
-        ssh-key: ${{ inputs.api-token }}
+        token: ${{ inputs.api-token }}
 
     - name: Update to the latest version
       id: target
@@ -211,7 +211,7 @@ runs:
       if: ${{ ( steps.target.outputs.latestTag != steps.target.outputs.originalTag ) && ( steps.existing-pr.outputs.url == '') && ( steps.root.outputs.changed == 'false') }}
       uses: actions/checkout@v4
       with:
-        ssh-key: ${{ inputs.api-token }}
+        token: ${{ inputs.api-token }}
 
     - name: 'After new PR: redo the update'
       if: ${{ ( steps.target.outputs.latestTag != steps.target.outputs.originalTag ) && ( steps.existing-pr.outputs.url == '') && ( steps.root.outputs.changed == 'false') }}