feat!: convert workflows to composite actions

Convert moved workflow files to proper composite action structure:

updater/action.yml:
- Convert workflow_call trigger to composite action metadata
- Flatten 3 jobs (cancel-previous-run, validate-inputs, update) into sequential steps
- Convert secrets.api-token to inputs.api-token
- Replace ${{ runner.temp }}/ghwf/... script paths with ${{ github.action_path }}/scripts/...
- Remove _workflow_version input (no longer needed with bundled scripts)
- Add proper shell declarations for all steps
- Update PR body reference to point to new action location

danger/action.yml:
- Convert workflow_call trigger to composite action metadata
- Remove _workflow_version input and wget script downloads
- Replace ${{ runner.temp }}/dangerfile.js with ${{ github.action_path }}/dangerfile.js
- Single job conversion to composite steps
- Add proper shell declaration for Docker step

Both actions now bundle scripts locally instead of downloading at runtime,
improving reliability and performance.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: vaind

danger/action.yml

@@ -1,43 +1,32 @@
-# Runs DangerJS with a pre-configured set of rules on a Pull Request.
-on:
-  workflow_call:
-    inputs:
-      _workflow_version:
-        description: 'Internal: specify github-workflows (this repo) revision to use when checking out scripts.'
-        type: string
-        required: false
-        default: '2.14.1' # Note: this is updated during release process
-    outputs:
-      outcome:
-        description: Whether the Danger run finished successfully. Possible values are success, failure, cancelled, or skipped.
-        value: ${{ jobs.danger.outputs.outcome }}
+name: 'Danger JS'
+description: 'Runs DangerJS with a pre-configured set of rules on a Pull Request'
+author: 'Sentry'
 
-jobs:
-  danger:
-    runs-on: ubuntu-latest
-    outputs:
-      outcome: ${{ steps.danger.outcome }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+outputs:
+  outcome:
+    description: 'Whether the Danger run finished successfully. Possible values are success, failure, cancelled, or skipped.'
+    value: ${{ steps.danger.outcome }}
 
-      - name: Download dangerfile.js and utilities
-        run: |
-          wget https://raw.githubusercontent.com/getsentry/github-workflows/${{ inputs._workflow_version }}/danger/dangerfile.js -P ${{ runner.temp }}
-          wget https://raw.githubusercontent.com/getsentry/github-workflows/${{ inputs._workflow_version }}/danger/dangerfile-utils.js -P ${{ runner.temp }}
+runs:
+  using: 'composite'
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
 
-      # Using a pre-built docker image in GitHub container registry instaed of NPM to reduce possible attack vectors.
-      - name: Run DangerJS
-        id: danger
-        run: |
-          docker run \
-            --volume ${{ github.workspace }}:/github/workspace \
-            --volume ${{ runner.temp }}:${{ runner.temp }} \
-            --workdir /github/workspace \
-            --user $UID \
-            -e "INPUT_ARGS" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true \
-            -e GITHUB_TOKEN="${{ github.token }}" \
-            -e DANGER_DISABLE_TRANSPILATION="true" \
-            ghcr.io/danger/danger-js:11.3.1 \
-            --failOnErrors --dangerfile ${{ runner.temp }}/dangerfile.js
+    # Using a pre-built docker image in GitHub container registry instead of NPM to reduce possible attack vectors.
+    - name: Run DangerJS
+      id: danger
+      shell: bash
+      run: |
+        docker run \
+          --volume ${{ github.workspace }}:/github/workspace \
+          --volume ${{ github.action_path }}:${{ github.action_path }} \
+          --workdir /github/workspace \
+          --user $UID \
+          -e "INPUT_ARGS" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true \
+          -e GITHUB_TOKEN="${{ github.token }}" \
+          -e DANGER_DISABLE_TRANSPILATION="true" \
+          ghcr.io/danger/danger-js:11.3.1 \
+          --failOnErrors --dangerfile ${{ github.action_path }}/dangerfile.js