
ci: Add Danger check to warn about auth token handling changes #6087

Merged
antonis merged 1 commit into main from antonis/auth-token-danger-check on May 6, 2026

Conversation

@antonis
Contributor

@antonis antonis commented May 5, 2026

📢 Type of change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring

📜 Description

Adds a Danger check that warns PR reviewers when changes touch code related to Sentry auth token handling (authToken, SENTRY_AUTH_TOKEN, auth.token, auth_token).

When matched, the check posts a warning comment listing the affected files, linking to the prior security advisory for context.

  • Scans only added lines in the diff (not removals)
  • Excludes .github/ files (which legitimately reference SENTRY_AUTH_TOKEN as a secret) and CHANGELOG.md
  • Uses danger.git.structuredDiffForFile() — consistent with the org-wide Danger setup

💡 Motivation and Context

Prevents future incidents like GHSA-68c2-4mpx-qh95 by surfacing auth token changes for extra review.

Closes #3683

💚 How did you test it?

  • Verified regex matches expected patterns (authToken, getAuthToken, sentryAuthToken, SENTRY_AUTH_TOKEN, auth.token, auth_token)
  • Verified regex rejects false positives (authenticate, authorization, reauthorize, tokenize)
  • Verified module loads and exports correctly
  • YAML/JS syntax validation

📝 Checklist

  • I added tests to verify changes
  • No new PII added or SDK only sends newly added PII if sendDefaultPII is enabled
  • I updated the docs if needed.
  • I updated the wizard if needed.
  • All tests passing
  • No breaking changes

🔮 Next steps

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
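The description above and the "How did you test it?" list give enough to reconstruct the shape of such a check. The block below is an added example, not the project's scripts/check-auth-token-changes.js: it scans only added lines, skips .github/ and CHANGELOG.md, and builds the warning text the bot posts. The Danger API it relies on (danger.git.created_files, danger.git.modified_files, danger.git.structuredDiffForFile(), the global warn()) is real; the file names, diff contents and the SAMPLE_DIFFS stand-in for the structured diff are constructed for the example, and the regex is one plausible choice that satisfies the match/reject lists in the PR, not the project's actual pattern.

```javascript
// Added example, not the project's scripts/check-auth-token-changes.js.
// Danger-style check: scan only the ADDED lines of each changed file for
// auth-token identifiers, skip .github/ and CHANGELOG.md, and build the
// warning. In Danger JS, structuredDiffForFile(file) resolves to
// { chunks: [{ changes: [{ type: 'add'|'del'|'normal', content }] }] } or null;
// SAMPLE_DIFFS below is a constructed stand-in with that shape so this runs offline.

// Matches authToken/getAuthToken/sentryAuthToken, auth.token, auth_token and
// SENTRY_AUTH_TOKEN (via the case-insensitive flag) but not authenticate,
// authorization, reauthorize or tokenize, which lack the "auth"+"token" pair.
// This is the example's own regex, not the project's.
const AUTH_TOKEN_PATTERN = /authToken|auth[._]token/i;

// Workflow files legitimately reference SENTRY_AUTH_TOKEN as a secret, and the
// changelog only describes past changes, so both are excluded from the scan.
function isExcluded(file) {
  return file.startsWith('.github/') || file === 'CHANGELOG.md';
}

function isAuthTokenLine(line) {
  return AUTH_TOKEN_PATTERN.test(line);
}

// `diffs` maps file path -> already-resolved structured diff. Returns the
// files whose added lines mention an auth-token identifier.
function findAuthTokenChanges(diffs) {
  const flagged = [];
  for (const [file, diff] of Object.entries(diffs)) {
    if (isExcluded(file) || !diff) continue;
    const addedLines = diff.chunks
      .flatMap((chunk) => chunk.changes)
      .filter((change) => change.type === 'add') // removals never trigger the warning
      .map((change) => change.content);
    if (addedLines.some(isAuthTokenLine)) flagged.push(file);
  }
  return flagged;
}

function buildWarning(files) {
  return [
    '⚠️ Auth token handling changes detected',
    '',
    'This PR modifies code related to Sentry auth token handling. ' +
      'Please ensure no auth tokens are accidentally exposed or mishandled. ' +
      'See GHSA-68c2-4mpx-qh95 for context.',
    '',
    'Files with auth token changes:',
    '',
    ...files.map((f) => '* `' + f + '`'),
  ].join('\n');
}

// Dangerfile entry point. `danger` and `warn` are Danger globals; they are
// taken as parameters here so the function can be driven with a fake object.
async function checkAuthTokenChanges(danger, warn) {
  const files = [...danger.git.created_files, ...danger.git.modified_files];
  const diffs = {};
  for (const file of files) {
    if (isExcluded(file)) continue;
    diffs[file] = await danger.git.structuredDiffForFile(file);
  }
  const flagged = findAuthTokenChanges(diffs);
  if (flagged.length > 0) warn(buildWarning(flagged));
  return flagged;
}

// Constructed sample diffs; paths and contents are made up for this example.
const SAMPLE_DIFFS = {
  'src/tools/upload.ts': {
    chunks: [{ changes: [
      { type: 'normal', content: ' export function upload() {' },
      { type: 'add', content: '+  const token = process.env.SENTRY_AUTH_TOKEN;' }, // flagged
    ] }],
  },
  'src/client.ts': {
    chunks: [{ changes: [
      { type: 'del', content: '-  const authToken = legacy();' },     // removal: ignored
      { type: 'add', content: '+  const authorization = header();' }, // near miss: ignored
    ] }],
  },
  '.github/workflows/release.yml': {
    chunks: [{ changes: [
      { type: 'add', content: '+  SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}' }, // excluded path
    ] }],
  },
  'CHANGELOG.md': {
    chunks: [{ changes: [{ type: 'add', content: '+- fix: stop logging authToken' }] }], // excluded path
  },
};

console.log(buildWarning(findAuthTokenChanges(SAMPLE_DIFFS)));
```

Running it prints the warning for src/tools/upload.ts only: the removed authToken line in src/client.ts is not an added line, `authorization` does not match, and the workflow and changelog hits are filtered out by path before the regex runs. Keeping the regex tight to "auth" immediately followed by "token" (with `.`, `_` or camel-case joining them) is what keeps the reject list clean; loosening it to `auth.*token` would start flagging ordinary authorization code.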
@github-actions
Contributor

github-actions Bot commented May 5, 2026

Semver Impact of This PR

None (no version bump detected)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


  • ci: Add Danger check to warn about auth token handling changes by antonis in #6087
  • Fix PNPM iOS Upload Debug Symbol fail in EAS Build by alwx in #6086
  • chore(deps): update Sentry Android Gradle Plugin to v6.6.0 by github-actions in #6085
  • fix(e2e): Remove flaky iOS replay assertion from captureReplay test by antonis in #6072
  • chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 by dependabot in #6078
  • fix: Prevent shell injection vulnerability in GitHub Actions workflow by fix-it-felix-sentry in #6077
  • chore(deps): update Maestro to v2.5.1 by github-actions in #6075

🤖 This preview updates automatically when you update the PR.

@github-actions
Contributor

github-actions Bot commented May 5, 2026

Fails
🚫 Pull request is not ready for merge, please add the "ready-to-merge" label to the pull request
Warnings
⚠️

⚠️ Auth token handling changes detected

This PR modifies code related to Sentry auth token handling. Please ensure no auth tokens are accidentally exposed or mishandled. See GHSA-68c2-4mpx-qh95 for context.

Files with auth token changes:

  • scripts/check-auth-token-changes.js

Generated by 🚫 dangerJS against 0bc5bca

@antonis antonis marked this pull request as ready for review May 5, 2026 08:32
Collaborator

@lucas-zimerman lucas-zimerman left a comment


LGTM!

@lucas-zimerman
Collaborator

Fails
🚫 Pull request is not ready for merge, please add the "ready-to-merge" label to the pull request
Warnings
⚠️

⚠️ Auth token handling changes detected

This PR modifies code related to Sentry auth token handling. Please ensure no auth tokens are accidentally exposed or mishandled. See GHSA-68c2-4mpx-qh95 for context.

Files with auth token changes:

* `scripts/check-auth-token-changes.js`

Generated by 🚫 dangerJS against 0bc5bca

That's a nice way to validate it

@antonis antonis merged commit 6784e2a into main May 6, 2026
62 of 67 checks passed
@antonis antonis deleted the antonis/auth-token-danger-check branch May 6, 2026 08:02

Development

Successfully merging this pull request may close these issues.

Add GH Action to warn devs about sentryAuthToken changes

2 participants