Skip to content

Bundle Dependabot NPM updates with ESM compatibility fixes for @actions/github v9 #14512

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pelikhan merged 2 commits into from
Feb 8, 2026
Merged

Bundle Dependabot NPM updates with ESM compatibility fixes for @actions/github v9 #14512

pelikhan merged 2 commits into from
Feb 8, 2026
+289 −126

Conversation

Copy link
Contributor

Copilot AI commented Feb 8, 2026
edited
Loading

Bundles 5 Dependabot updates for actions/setup/js/: @actions/core (3.0.0), @actions/io (3.0.2), @actions/github (9.0.0), @actions/glob (0.6.1), and vitest (4.0.18).

ESM Migration

@actions/github v9.0.0 is ESM-only ("type": "module"), breaking CommonJS require() imports. Converted to dynamic imports:

// Before: synchronous require
const { getOctokit } = require("@actions/github");
const octokit = getOctokit(token);

// After: async dynamic import
async function setupProjectGitHubClient() {
  const { getOctokit } = await import("@actions/github");
  const octokit = getOctokit(token);
  return octokit;
}

Changes

  • safe_output_unified_handler_manager.cjs: Made setupProjectGitHubClient() async, uses dynamic import, updated call site with await
  • frontmatter_hash_github_api.test.cjs: Moved import inside test function that conditionally uses GitHub API
  • test-live-github-api.cjs: Moved import into async main function
  • safe_output_unified_handler_manager.test.cjs: Updated assertions for async function (expect(...).rejects instead of expect(() => ...))

Package lock regenerated with npm install.

Original prompt

This section details on the original issue you should resolve

<issue_title>[Dependabot Burner] Dependabot: NPM Dependencies - actions/setup/js/ directory</issue_title>
<issue_description>## 📦 Dependency Update Bundle

This issue tracks Dependabot dependency updates for the actions/setup/js/ directory (npm/yarn packages).

Pull Requests Included

Summary

Runtime: npm/yarn
Manifest: /actions/setup/js
PRs: 5

⚠️ Breaking Changes: Several of these updates involve breaking changes (ESM-only packages). Careful testing required.

Next Steps

  1. Review all PRs together for compatibility
  2. Test the combined changes locally (especially ESM migration)
  3. Merge all PRs in sequence or create a combined PR
  4. Close this parent issue once complete

This issue was created by the Dependabot Burner workflow to bundle related dependency updates.

AI generated by Dependabot Burner

  • expires on Feb 15, 2026, 12:29 PM UTC

Comments on the Issue (you are @copilot in this section)

  • Fixes github/gh-aw#14508

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@pelikhan
Update NPM dependencies in actions/setup/js
6f09548 
- Update @actions/core from 2.0.2 to 3.0.0
- Update @actions/io from 2.0.0 to 3.0.2
- Update @actions/github from 7.0.0 to 9.0.0
- Update @actions/glob from 0.5.0 to 0.6.1
- Update vitest from 4.0.17 to 4.0.18
- Update @vitest/coverage-v8 and @vitest/ui to 4.0.18

Convert @actions/github imports to dynamic imports for ESM compatibility:
- @actions/github v9.0.0 is now ESM-only
- Use dynamic import() in safe_output_unified_handler_manager.cjs
- Use dynamic import() in frontmatter_hash_github_api.test.cjs
- Use dynamic import() in test-live-github-api.cjs
- Update setupProjectGitHubClient to be async
- Update tests to await setupProjectGitHubClient calls

All 164 JavaScript test files pass (3400 tests)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update NPM dependencies in actions/setup/js directory Bundle Dependabot NPM updates with ESM compatibility fixes for @actions/github v9 Feb 8, 2026
Copilot AI requested a review from pelikhan February 8, 2026 12:44
@pelikhan pelikhan marked this pull request as ready for review February 8, 2026 19:38
Copilot AI review requested due to automatic review settings February 8, 2026 19:38
Copilot AI reviewed Feb 8, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Bundles several npm dependency bumps under actions/setup/js/ and updates codepaths that use @actions/github to be compatible with @actions/github@9 (ESM-only) by switching from require() to dynamic import() and propagating async/await where needed.

Changes:

  • Bumped @actions/* and vitest versions and regenerated package-lock.json.
  • Migrated @actions/github usage to dynamic imports to support ESM-only @actions/github@9.
  • Updated related tests/scripts to handle the now-async GitHub client setup.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
actions/setup/js/test-live-github-api.cjs Switches @actions/github import to dynamic import() in the live API script.
actions/setup/js/safe_output_unified_handler_manager.cjs Makes setupProjectGitHubClient() async and uses dynamic import; updates call site with await.
actions/setup/js/safe_output_unified_handler_manager.test.cjs Updates tests to await the async GitHub client setup and assert async errors correctly.
actions/setup/js/frontmatter_hash_github_api.test.cjs Moves @actions/github import into the token-gated live test via dynamic import.
actions/setup/js/package.json Updates dependency versions (@actions/*, vitest).
actions/setup/js/package-lock.json Lockfile regeneration reflecting the dependency bumps.
Files not reviewed (1)
  • actions/setup/js/package-lock.json: Language not supported

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

actions/setup/js/safe_output_unified_handler_manager.cjs
Comment on lines 169 to 172
// Lazy-load @actions/github only when needed (may not be installed for workflows without project safe outputs)
const { getOctokit } = require("@actions/github");
// Use dynamic import for ESM module compatibility
const { getOctokit } = await import("@actions/github");
const octokit = getOctokit(projectToken);
Copy link

Copilot AI Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

setupProjectGitHubClient() now uses await import("@actions/github"), but actions/setup/setup.sh still installs @actions/github@^7.0.0 when safe-output-projects is enabled. This creates a version mismatch with the updated package.json (^9.0.0) and means production runs may still be exercising v7 (or may behave differently than CI). Update the runtime installer to install @actions/github@^9.0.0 (or, if v7 is intentional for runtime, revert the dependency bump / adjust the migration accordingly).

Copilot uses AI. Check for mistakes.
@pelikhan pelikhan merged commit 6ec467f into main Feb 8, 2026
165 checks passed
@pelikhan pelikhan deleted the copilot/update-dependencies-actions-setup-js branch February 8, 2026 19:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pelikhan