chore: Add PR validation workflow #2608

Merged
stephanie-anderson merged 2 commits into main from chore/add-validate-pr-workflow
Mar 27, 2026

@stephanie-anderson
Contributor

Summary

  • Adds a validate-pr.yml workflow to automatically validate non-maintainer PRs
  • Checks that PRs reference a GitHub issue with prior discussion between the author and a maintainer
  • Closes PRs that don't meet contribution guidelines (no issue reference, no maintainer discussion, or issue assigned to someone else)
  • Enforces that all PRs start as drafts

Rollout of getsentry/sentry-python#4233 across all SDK repos.

Test plan

  • Verify workflow file is valid YAML
  • Confirm SDK_MAINTAINER_BOT_APP_ID var and SDK_MAINTAINER_BOT_PRIVATE_KEY secret are available to this repo
  • Test with a non-maintainer PR that has no issue reference (should be closed)
  • Test with a maintainer PR (should be skipped)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Automatically validates non-maintainer PRs by checking:
- Issue reference exists in PR body
- Referenced issue has discussion between author and maintainer
- Referenced issue is not assigned to someone else

Also enforces that all PRs start as drafts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions
Contributor

github-actions bot commented Mar 27, 2026

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


Internal Changes 🔧

Deps

  • Update CLI to v3.3.4 by github-actions in #2604
  • Update Java SDK to v8.37.1 by github-actions in #2605
  • Update Cocoa SDK to v9.8.0 by github-actions in #2596
  • Update Native SDK to v0.13.3 by github-actions in #2597
  • Update Java SDK to v8.36.0 by github-actions in #2591

Other

  • Add PR validation workflow by stephanie-anderson in #2608
  • Pin GitHub Actions to full-length commit SHAs by joshuarli in #2601

Other

  • Fix command injection vulnerability in iOS workflow by fix-it-felix-sentry in #2598

🤖 This preview updates automatically when you update the PR.

@stephanie-anderson stephanie-anderson marked this pull request as ready for review March 27, 2026 14:51
@stephanie-anderson stephanie-anderson enabled auto-merge (squash) March 27, 2026 15:14
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

for (const user of usersToCheck) {
if (user === prAuthor) continue;
if (await isMaintainer(repo.owner, repo.repo, user)) {
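
Review bot: the `await isMaintainer(...)` call inside the `for` loop has no error handling in these lines. If the lookup can reject (a rate limit, or a commenter the token cannot query), the loop ends at that user and the remaining entries in usersToCheck are never evaluated. Make sure isMaintainer resolves to false on a failed lookup, or catch per user, so a single failed call does not decide whether the PR is closed.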

Bug: The cross-repo maintainer check validates against the PR's repository instead of the issue's repository, causing valid PRs to be incorrectly closed.
Severity: MEDIUM

Suggested Fix

Update the call to isMaintainer on line 204 to use the issue's repository context. The call should be changed from isMaintainer(repo.owner, repo.repo, user) to isMaintainer(ref.owner, ref.repo, user) to align the code with the documented intent.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/validate-pr.yml#L204

Potential issue: When a pull request references an issue from a different repository,
the GitHub workflow incorrectly checks for maintainer permissions on the pull request's
repository instead of the issue's repository. The code on line 204 calls
`isMaintainer(repo.owner, repo.repo, user)`, where `repo` is the PR's repository. This
contradicts the code comment on line 193, which states the check should be on "the
issue's repo". This will cause the workflow to incorrectly close valid PRs from
non-maintainers that reference cross-repo issues, even when a maintainer of the issue's
repository has participated in the discussion.


@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

for (const user of usersToCheck) {
if (user === prAuthor) continue;
if (await isMaintainer(repo.owner, repo.repo, user)) {

Comment contradicts code: wrong repo checked for maintainer

Medium Severity

The comment on line 193 states maintainer access is checked "on the issue's repo," but the isMaintainer call on line 204 passes repo.owner, repo.repo (the PR's repo) instead of ref.owner, ref.repo (the issue's repo). For cross-repo references (e.g., an issue in getsentry/sentry referenced from a different SDK repo), this means a maintainer of the issue's repo who commented would not be recognized unless they also maintain the PR's repo, or vice versa. Either the comment is misleading or the code has the wrong arguments.

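The cross-repo case that both review comments describe, as an added example that is not part of the PR or of validate-pr.yml: the same commenter list is evaluated once against the PR's repository and once against the referenced issue's repository. The synchronous `isMaintainer` stand-in, `parseIssueRef`, `hasMaintainerDiscussion`, the `example-org` repositories and the rule that write access or higher counts as maintainer are all assumptions.

```javascript
// Added illustration, not code from validate-pr.yml. Only isMaintainer, repo, ref,
// usersToCheck and prAuthor are names from the page; the rest is hypothetical.

// Constructed sample data: permission level per user, per repository.
const PERMISSIONS = {
  'example-org/sdk-a': { alice: 'admin' },
  'example-org/core': { bob: 'write', carol: 'read' },
};

// Stand-in for the workflow's isMaintainer(owner, repo, user). Assumption:
// write access or higher counts as maintainer.
function isMaintainer(owner, repoName, user) {
  const level = (PERMISSIONS[`${owner}/${repoName}`] || {})[user];
  return ['admin', 'maintain', 'write'].includes(level);
}

// "#12" refers to the PR's own repository; "owner/name#12" to another one.
function parseIssueRef(text, repo) {
  const m = /(?:([\w.-]+)\/([\w.-]+))?#(\d+)/.exec(text);
  if (!m) return null;
  return { owner: m[1] || repo.owner, repo: m[2] || repo.repo, number: Number(m[3]) };
}

// target is the repository whose permissions decide who counts as a maintainer.
function hasMaintainerDiscussion(usersToCheck, prAuthor, target) {
  for (const user of usersToCheck) {
    if (user === prAuthor) continue;
    if (isMaintainer(target.owner, target.repo, user)) return true;
  }
  return false;
}

// Constructed scenario: dave's PR in sdk-a references an issue in core,
// where carol (read) and bob (write) commented.
const repo = { owner: 'example-org', repo: 'sdk-a' };
const ref = parseIssueRef('Fixes example-org/core#41', repo);
const usersToCheck = ['dave', 'carol', 'bob'];

function demo() {
  return {
    againstPrRepo: hasMaintainerDiscussion(usersToCheck, 'dave', repo),
    againstIssueRepo: hasMaintainerDiscussion(usersToCheck, 'dave', ref),
  };
}

console.log(demo());
```

Passing `repo` reproduces the call the reviewers flagged and passing `ref` reproduces the suggested fix; with this data only the second recognises bob's comment as maintainer discussion.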

@stephanie-anderson stephanie-anderson merged commit b6bb396 into main Mar 27, 2026
70 checks passed
@stephanie-anderson stephanie-anderson deleted the chore/add-validate-pr-workflow branch March 27, 2026 17:34