chore(deps): bump @actions/github to v9 to remove undici 5.29.0 #40265
Updates release-action's GitHub Action deps to their latest majors:

- @actions/core 1.11.1 -> 3.0.1
- @actions/exec 1.1.1 -> 3.0.0
- @actions/github 6.0.1 -> 9.1.1
- @octokit/core 5.0.2 -> 7.0.6
- @octokit/plugin-throttling 6.1.0 -> 11.0.3

@actions/github@6 pulled undici@^5.28.5 (resolving to 5.29.0), which appears in Dependabot alerts. The 9.x line uses undici@^6.23.0, and @actions/core/exec 3.x pull in @actions/http-client@4 which drops the last undici 5.x reference from the tree. Release-action builds clean with the new APIs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
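The claim above that the bump "drops the last undici 5.x reference from the tree" is checkable from the lockfile alone. The following is an added example, not code from this PR or the Rocket.Chat repo: a small Node script that parses a Yarn Berry lockfile excerpt and lists every dependency edge that still resolves a package to a version the alert covers. The excerpt is constructed to mirror the before/after state the description gives; the parser handles only the header, `version:` and `dependencies:` fields a real yarn.lock has.

```javascript
// Constructed lockfile excerpt (assumption): @actions/github 6 still resolves undici 5.29.0,
// next to the bumped @actions/github 9, which resolves undici 6.x.
const SAMPLE_LOCK = `
"@actions/github@npm:^6.0.1":
  version: 6.0.1
  dependencies:
    undici: "npm:^5.28.5"
"@actions/github@npm:^9.1.1":
  version: 9.1.1
  dependencies:
    undici: "npm:^6.23.0"
"undici@npm:^5.28.5":
  version: 5.29.0
"undici@npm:^6.23.0":
  version: 6.23.0
`;

const unquote = (s) => s.trim().replace(/^"|"$/g, "");

// Minimal Yarn Berry parser: 0-indent "descriptor, descriptor:" headers, 2-indent fields, 4-indent "name: range" under "dependencies:".
function parseYarnLock(text) {
  const entries = [];
  let cur = null, inDeps = false;
  for (const raw of text.split("\n").filter((l) => l.trim())) {
    const indent = raw.length - raw.trimStart().length, line = raw.trim();
    if (indent === 0 && line.endsWith(":")) {
      const descriptors = line.slice(0, -1).split(",").map(unquote);
      const name = descriptors[0].slice(0, descriptors[0].lastIndexOf("@"));
      entries.push((cur = { name, descriptors, version: null, dependencies: {} }));
    } else if (indent === 2) {
      if (line.startsWith("version:")) cur.version = line.slice(8).trim();
      inDeps = line === "dependencies:";
    } else if (indent === 4 && inDeps) {
      const i = line.indexOf(": ");
      cur.dependencies[unquote(line.slice(0, i))] = unquote(line.slice(i + 2)).replace(/^npm:/, "");
    }
  }
  return entries;
}

// "dependent@ver -> pkg@ver" for each dependency edge whose resolved version `isBad` accepts.
function dependentsOnBad(entries, pkg, isBad) {
  const byDescriptor = new Map(entries.flatMap((e) => e.descriptors.map((d) => [d, e.version])));
  return entries.flatMap((e) => {
    const v = e.dependencies[pkg] && byDescriptor.get(`${pkg}@npm:${e.dependencies[pkg]}`);
    return v && isBad(v) ? [`${e.name}@${e.version} -> ${pkg}@${v}`] : [];
  });
}

const isUndici5 = (v) => Number(v.split(".")[0]) < 6; // the PR's goal: this list is empty
```

Run it against the real yarn.lock (`fs.readFileSync("yarn.lock", "utf8")` instead of `SAMPLE_LOCK`) after the bump; an empty result from `dependentsOnBad(entries, "undici", isUndici5)` is the condition the Dependabot alert closes on.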
Looks like this PR is not ready to merge, because of the following issues:

Please fix the issues and try again. If you have any trouble, please check the PR guidelines.
/jira ARCH-2083
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:

In `@packages/release-action/package.json`:

- Around line 12-16: The dependency bumps require an end-to-end verification: run the release action in GitHub Actions and confirm the workflow completes successfully; specifically exercise the codepaths in setupOctokit.ts (ensure the `@octokit/plugin-throttling` callback still accepts the same parameters), the module imports from `@actions/github` (verify GitHub / getOctokitOptions imports work), and the REST calls in publishRelease.ts and bumpNextVersion.ts (validate API responses and error handling with the new `@octokit/core` / `@actions/github` versions). If anything fails, update import calls or callback signatures in setupOctokit.ts and adjust REST call usage in publishRelease.ts/bumpNextVersion.ts to match the new client APIs, then re-run the workflow until it passes.
⛔ Files ignored due to path filters (1)

- yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

- packages/release-action/package.json
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
- GitHub Check: 📦 Build Packages
- GitHub Check: CodeQL-Build
- GitHub Check: CodeQL-Build
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: In Rocket.Chat PRs, keep feature PRs free of unrelated lockfile-only dependency bumps; prefer reverting lockfile drift or isolating such bumps into a separate "chore" commit/PR, and always use yarn install --immutable with the Yarn version pinned in package.json via Corepack.
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 40159
File: .github/actions/setup-node/action.yml:44-59
Timestamp: 2026-04-14T23:26:19.461Z
Learning: In RocketChat/Rocket.Chat's CI composite actions (e.g. `.github/actions/setup-node/action.yml`), writing resolved tool versions directly to `$GITHUB_ENV` via `echo "VAR=value" >> $GITHUB_ENV` (without multiline heredoc form or explicit empty-value guards) is an accepted, intentional pattern. The source files (`package.json` engines field and `.tool-versions`) are considered stable and trusted, so flagging the absence of newline/empty validation or the use of the heredoc form is not warranted.
| "@actions/core": "^3.0.1", | ||
| "@actions/exec": "^3.0.0", | ||
| "@actions/github": "^9.1.1", | ||
| "@octokit/core": "^7.0.6", | ||
| "@octokit/plugin-throttling": "^11.0.3", |
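Review bot: these five ranges move the package onto ESM-only majors, but nothing in this hunk touches the build, and the follow-up comment on this PR reports that the existing `tsc` CommonJS output then fails at require time with ERR_PACKAGE_PATH_NOT_EXPORTED; the description's "builds clean" covers type-checking, not the runtime `require()` of the compiled action. Change the build script in the same package.json alongside the ranges, as the follow-up proposes (`tsc --noEmit && esbuild --bundle --format=cjs`), or ship the bundling change in the same PR so the action is not broken between the two merges.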
🧩 Analysis chain

🌐 Web query: @octokit/plugin-throttling v11 onRateLimit callback signature breaking changes

💡 Result: There are no breaking changes to the onRateLimit callback signature in @octokit/plugin-throttling v11. The current signature in v11.0.3 (latest as of Oct 2025) is `onRateLimit: (retryAfter, options, octokit, retryCount) => boolean`, and `onSecondaryRateLimit: (retryAfter, options, octokit) => boolean`. This matches the documentation across official sources including the GitHub repo README and npm page. v11.0.0's only breaking change was dropping Node.js v18 support (requires >= v20 now), with no mentions of API changes to callbacks in release notes, tags, or compare views between v10 and v11. Older docs mentioning onAbuseLimit appear outdated; current uses onSecondaryRateLimit.

Citations:

- 1: https://github.com/octokit/plugin-throttling.js/
- 2: https://github.com/octokit/plugin-throttling.js/blob/main/README.md
- 3: https://www.npmjs.com/package/@octokit/plugin-throttling
- 4: https://github.com/octokit/plugin-throttling.js/releases
- 5: http://www.npmjs.com/package/@octokit/plugin-throttling
- 6: https://registry.npmjs.org/@octokit/plugin-throttling
- 7: https://www.npmjs.com/package/@octokit/plugin-throttling?activeTab=readme
- 8: Pass octokit as third argument to onAbuseLimit/onRateLimit, octokit/plugin-throttling.js#219
- 9: octokit/plugin-throttling.js@v10.0.0...v11.0.1
🌐 Web query: @actions/github v9 lib/utils getOctokitOptions GitHub plugin export

💡 Result: In @actions/github v9.0.0, getOctokitOptions is exported from the subpath ./lib/utils. It is a utility function that formats Octokit options for use with custom Octokit constructors, particularly when extending with plugins. Key details:

- Import: `import { getOctokitOptions } from '@actions/github/lib/utils';`
- Usage: Takes a token (string) and optional `options?: OctokitOptions`. Adds authentication (`auth: \`token ${token}\`` or from options), shallow clones options, and returns OctokitOptions.
- Related exports from ./lib/utils: GitHub (pre-configured Octokit constructor with REST and pagination plugins), defaults (base OctokitOptions with proxy-aware request config and API baseUrl).
- Purpose: Used for advanced customization, e.g., adding enterprise plugins:

```ts
import { GitHub, getOctokitOptions } from '@actions/github/lib/utils';
import { enterpriseServer220Admin } from '@octokit/plugin-enterprise-server';

const CustomOctokit = GitHub.plugin(enterpriseServer220Admin);
const token = core.getInput('myToken');
const octokit = new CustomOctokit(getOctokitOptions(token));
```

- The main `getOctokit(token, options)` from @actions/github internally uses this function combined with GitHub.
- Confirmed ESM-only in v9; subpath exports supported per package.json.
- "GitHub plugin export" refers to the GitHub class/constructor from ./lib/utils, which is an Octokit instance with built-in plugins that can be further extended via `.plugin`. This is part of the GitHub Actions Toolkit for creating authenticated Octokit clients in actions.

Citations:

- 1: https://github.com/actions/toolkit/blob/main/packages/github/package.json
- 2: https://github.com/actions/toolkit/blob/main/packages/github/README.md
- 3: https://github.com/actions/toolkit/blob/main/packages/github/src/github.ts
- 4: https://github.com/actions/toolkit/blob/main/packages/github/src/utils.ts
- 5: https://www.npmjs.com/package/@actions/github
- 6: https://github.com/actions/toolkit/blob/main/packages/github/src/internal/utils.ts
🏁 Script executed:

```bash
#!/bin/bash
# Sanity: confirm the call sites we need to re-validate against the new majors.
rg -nP -C2 '@actions/(github|exec|core)|@octokit/(core|plugin-throttling)' packages/release-action/src
rg -nP -C2 'onRateLimit|onSecondaryRateLimit|GitHub\.plugin|getOctokitOptions|octokit\.rest\.' packages/release-action/src
# Confirm how dist is produced (tsc vs bundler) — relevant for ESM-only transitive deps.
cat packages/release-action/package.json
fd -t f 'action.ya?ml|ncc|esbuild|rollup' packages/release-action
```

Repository: RocketChat/Rocket.Chat

Length of output: 8808
Confirm the release action works correctly with these major version bumps before merging.

These dependency updates are significant (e.g., @actions/github v6→v9, @octokit/plugin-throttling v6→v11, @octokit/core v5→v7). While the import paths and callback signatures are compatible with the versions specified:

- @actions/github v9 confirms that @actions/github/lib/utils exports GitHub and getOctokitOptions as expected.
- The throttling plugin callback signature in setupOctokit.ts matches @octokit/plugin-throttling v11.0.3.

A manual test run of the release action (via GitHub Actions) is required before merge to verify end-to-end functionality with the new versions, particularly the REST API calls in publishRelease.ts and bumpNextVersion.ts. The PR description already flags this as pending; please confirm it completes successfully.
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files:

```
@@            Coverage Diff             @@
##           develop   #40265     +/-   ##
===========================================
- Coverage    69.83%   69.82%   -0.01%
===========================================
  Files         3296     3296
  Lines       119173   119173
  Branches     21480    21482       +2
===========================================
- Hits         83219    83217       -2
- Misses       32645    32670      +25
+ Partials      3309     3286      -23
```

Flags with carried forward coverage won't be shown.
@actions/core@3, @actions/exec@3, @actions/github@9, @octokit/core@7, and @octokit/plugin-throttling@11 (bumped in #40265) are ESM-only. The existing tsc CJS output fails at require time with ERR_PACKAGE_PATH_NOT_EXPORTED. Replace `tsc` build with `tsc --noEmit && esbuild --bundle --format=cjs` so the action ships a single self-contained CJS file. No source changes.
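The failure described above is decided entirely by each dependency's package.json: a `require()` from tsc's CommonJS output is answered by the package's `exports` map (or `main`), and an ESM-only package either exports no `require`-compatible condition (ERR_PACKAGE_PATH_NOT_EXPORTED) or points at an ES module. The following is an added example, not code from this PR or the Rocket.Chat repo: it classifies constructed manifests the way Node resolves the package root for `require()`, so a build can list the dependencies that a plain CJS build cannot load before CI finds out. The manifest shapes are assumptions illustrating the four cases, not the real packages' manifests.

```javascript
// Constructed package.json manifests (assumptions, not the real packages' manifests):
const MANIFESTS = {
  "esm-only": { type: "module", exports: { ".": { import: "./lib/index.js" } } },
  "dual": { exports: { ".": { import: "./dist/index.mjs", require: "./dist/index.cjs" } } },
  "module-default": { type: "module", exports: { ".": { default: "./index.js" } } },
  "legacy-cjs": { main: "lib/index.js" },
};

// Walk an "exports" value the way Node does for a require() of the package root:
// strings resolve directly, arrays take the first match, subpath maps use ".",
// and condition objects are tried in key order against the active condition set.
function resolveRootExport(exp, conditions) {
  if (typeof exp === "string") return exp;
  if (Array.isArray(exp)) return exp.map((e) => resolveRootExport(e, conditions)).find(Boolean);
  if (exp && typeof exp === "object") {
    const keys = Object.keys(exp);
    if (keys.some((k) => k.startsWith("."))) return resolveRootExport(exp["."], conditions);
    for (const k of keys) {
      if (!conditions.has(k)) continue;
      const hit = resolveRootExport(exp[k], conditions);
      if (hit) return hit;
    }
  }
  return undefined; // null targets and unmatched conditions both mean "not exported"
}

// What `require("<pkg>")` from CommonJS output would do with this manifest.
function classifyRequire(pkg) {
  let target;
  if (pkg.exports !== undefined) {
    target = resolveRootExport(pkg.exports, new Set(["node", "require", "default"]));
    if (!target) return { ok: false, error: "ERR_PACKAGE_PATH_NOT_EXPORTED" };
  } else {
    target = pkg.main || "index.js";
  }
  // ESM entry: older Node throws ERR_REQUIRE_ESM; recent releases can require() ESM
  // without top-level await, so treat this as a warning rather than a certain failure.
  const esm = target.endsWith(".mjs") || (target.endsWith(".js") && pkg.type === "module");
  return esm ? { ok: false, error: "ERR_REQUIRE_ESM" } : { ok: true, target };
}

// Names of dependencies a plain tsc CJS build cannot require(), with the error each would raise.
function unrequireable(manifests) {
  return Object.entries(manifests)
    .map(([name, pkg]) => [name, classifyRequire(pkg)])
    .filter(([, r]) => !r.ok)
    .map(([name, r]) => `${name}: ${r.error}`);
}
```

Feeding it `JSON.parse(fs.readFileSync("node_modules/<name>/package.json"))` for each entry in the action's dependencies gives the list that the esbuild bundle has to absorb; a non-empty list with an unbundled `tsc` build is the condition the follow-up commit fixes.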
Summary

Bumps packages/release-action GitHub Action deps to their latest majors so undici@5.29.0 falls out of the dependency tree.

Before

After

Bumps

- @actions/core 1.11.1 → 3.0.1
- @actions/exec 1.1.1 → 3.0.0
- @actions/github 6.0.1 → 9.1.1
- @octokit/core 5.0.2 → 7.0.6
- @octokit/plugin-throttling 6.1.0 → 11.0.3

All majors, but scope is limited to packages/release-action (release automation only — not runtime / app code).

Test plan

- tsc runs with no errors)

🤖 Generated with Claude Code
Task: ARCH-2112