⬆️ Updates actions/github-script action to v9

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/github-script	action	major	v3.1 → v9.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

actions/github-script (actions/github-script)

v9

Compare Source

v9.0.0

Compare Source

New features:

• getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
• Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

• require('@​actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@​actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@​actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
• getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
• If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

• Add ACTIONS_ORCHESTRATION_ID to user-agent string by @​Copilot in #​695
• ci: use deployment: false for integration test environments by @​salmanmkc in #​712
• feat!: add getOctokit to script context, upgrade @​actions/github v9, @​octokit/core v7, and related packages by @​salmanmkc in #​700

New Contributors

• @​Copilot made their first contribution in #​695

Full Changelog: actions/github-script@v8.0.0...v9.0.0

v8: .0.0

Compare Source

What's Changed

• Update Node.js version support to 24.x by @​salmanmkc in #​637
• README for updating actions/github-script from v7 to v8 by @​sneha-krip in #​653

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

New Contributors

• @​salmanmkc made their first contribution in #​637
• @​sneha-krip made their first contribution in #​653

Full Changelog: actions/github-script@v7.1.0...v8.0.0

v8.0.0

Compare Source

v7.1.0

Compare Source

What's Changed

• Upgrade husky to v9 by @​benelan in #​482
• Add workflow file for publishing releases to immutable action package by @​Jcambass in #​485
• Upgrade IA Publish by @​Jcambass in #​486
• Fix workflow status badges by @​joshmgross in #​497
• Update usage of actions/upload-artifact by @​joshmgross in #​512
• Clear up package name confusion by @​joshmgross in #​514
• Update dependencies with npm audit fix by @​joshmgross in #​515
• Specify that the used script is JavaScript by @​timotk in #​478
• chore: Add Dependabot for NPM and Actions by @​nschonni in #​472
• Define permissions in workflows and update actions by @​joshmgross in #​531
• chore: Add Dependabot for .github/actions/install-dependencies by @​nschonni in #​532
• chore: Remove .vscode settings by @​nschonni in #​533
• ci: Use github/setup-licensed by @​nschonni in #​473
• make octokit instance available as octokit on top of github, to make it easier to seamlessly copy examples from GitHub rest api or octokit documentations by @​iamstarkov in #​508
• Remove octokit README updates for v7 by @​joshmgross in #​557
• docs: add "exec" usage examples by @​neilime in #​546
• Bump ruby/setup-ruby from 1.213.0 to 1.222.0 by @​dependabot[bot] in #​563
• Bump ruby/setup-ruby from 1.222.0 to 1.229.0 by @​dependabot[bot] in #​575
• Clearly document passing inputs to the script by @​joshmgross in #​603
• Update README.md by @​nebuk89 in #​610

New Contributors

• @​benelan made their first contribution in #​482
• @​Jcambass made their first contribution in #​485
• @​timotk made their first contribution in #​478
• @​iamstarkov made their first contribution in #​508
• @​neilime made their first contribution in #​546
• @​nebuk89 made their first contribution in #​610

Full Changelog: actions/github-script@v7...v7.1.0

v7.0.1

Compare Source

What's Changed

• Avoid setting baseUrl to undefined when input is not provided by @​joshmgross in #​439

Full Changelog: actions/github-script@v7.0.0...v7.0.1

v7.0.0

Compare Source

What's Changed

• Add base-url option by @​robandpdx in #​429
• Expose async-function argument type by @​viktorlott in #​402, see for details https://github.com/actions/github-script#use-scripts-with-jsdoc-support
• Update dependencies and use Node 20 by @​joshmgross in #​425

New Contributors

• @​navarroaxel made their first contribution in #​285
• @​robandpdx made their first contribution in #​429
• @​viktorlott made their first contribution in #​402

Full Changelog: actions/github-script@v6.4.1...v7.0.0

v7

Compare Source

v6.4.1

Compare Source

What's Changed

• Add @​octokit/plugin-request-log, to produce debug output for requests by @​mjpieters in #​358
• fix input handling by @​mjpieters in #​357
• Remove unused dependencies by @​mjpieters in #​356
• Default debug to current runner debug state by @​mjpieters in #​363

New Contributors

• @​mjpieters made their first contribution in #​358

Full Changelog: actions/github-script@v6.4.0...v6.4.1

v6.4.0

Compare Source

What's Changed

• Bump json5 from 2.1.3 to 2.2.3 by @​dependabot in #​319
• Bump minimatch from 3.0.4 to 3.1.2 by @​dependabot in #​320
• Add node-fetch by @​danmichaelo in #​321

New Contributors

• @​jongwooo made their first contribution in #​313
• @​austinvazquez made their first contribution in #​306
• @​danmichaelo made their first contribution in #​321

Full Changelog: actions/github-script@v6.3.3...v6.4.0

v6.3.3

Compare Source

What's Changed

• Update @actions/glob to 0.3.0 by @​nineinchnick in #​279

New Contributors

• @​nineinchnick made their first contribution in #​279

Full Changelog: actions/github-script@v6.3.2...v6.3.3

v6.3.2

Compare Source

What's Changed

• Update @​actions/core to 1.10.0 by @​rentziass in #​295

New Contributors

• @​rentziass made their first contribution in #​295

Full Changelog: actions/github-script@v6.3.1...v6.3.2

v6.3.1

Compare Source

What's Changed

• Fix overriding request options from @​actions/github by @​luketomlinson in #​293

Full Changelog: actions/github-script@v6.3.0...v6.3.1

v6.3.0

Compare Source

What's Changed

• Add retry plugin and related options by @​luketomlinson in #​288, see https://github.com/actions/github-script/tree/v6.3.0#retries for more information.

New Contributors

• @​luketomlinson made their first contribution in #​288

Full Changelog: actions/github-script@v6.2.0...v6.3.0

v6.2.0

Compare Source

What's Changed

• Update @octokit/plugin-rest-endpoint-methods to version 6.x by @​desrosj in #​283

New Contributors

• @​desrosj made their first contribution in #​283

Full Changelog: actions/github-script@v6.1.1...v6.2.0

v6.1.1

Compare Source

What's Changed

• Bump shell-quote from 1.7.2 to 1.7.3 by @​dependabot in #​270
• Bump @​actions/core to 1.9.1 by @​cory-miller in #​280

Non-code changes

• Create codeql-analysis.yml by @​joshmgross in #​267
• Improve grammar by @​kevgo in #​269

New Contributors

• @​kevgo made their first contribution in #​269
• @​cory-miller made their first contribution in #​280

Full Changelog: actions/github-script@v6.1.0...v6.1.1

v6.1.0

Compare Source

What's Changed

• Bump minimist from 1.2.5 to 1.2.6 by @​dependabot in #​251
• Update @actions/core to 1.8.1 by @​smaeda-ks in #​263

New Contributors

• @​josh- made their first contribution in #​252
• @​dlech made their first contribution in #​254
• @​smaeda-ks made their first contribution in #​263

Full Changelog: actions/github-script@v6.0.0...v6.1.0

v6.0.0

Compare Source

What's Changed

• Update default runtime to node16 by @​thboop in #​235
• Update node-fetch by @​joshmgross in #​237
• Update @actions/core to 1.6.0 by @​joshmgross in #​238

Breaking Changes

With the update to Node 16 in #​235, all scripts will now be run with Node 16 rather than Node 12.

New Contributors

• @​thboop made their first contribution in #​235

Full Changelog: actions/github-script@v5...v6.0.0

v6

Compare Source

v5.2.0

Compare Source

What's Changed

• Upgrade @​actions/core to 1.10.0 for v5 by @​rentziass in #​350

Full Changelog: actions/github-script@v5.1.1...v5.2.0

v5.1.1

Compare Source

What's Changed

• Bump @​actions/core to 1.9.1 by @​cory-miller in #​281

Full Changelog: actions/github-script@v5.1.0...v5.1.1

v5.1.0

Compare Source

What's Changed

• Update to latest versions for dev dependencies by @​joshmgross in #​204
• update plugin dependencies by @​PeterNitscheMI in #​216
• Update licenses and use jonabc/setup-licensed in workflow by @​joshmgross in #​228

New Contributors

• @​johan-lindqvist made their first contribution in #​201
• @​ansgarm made their first contribution in #​215
• @​PeterNitscheMI made their first contribution in #​216

Full Changelog: actions/github-script@v5.0.0...v5.1.0

v5.0.0

Compare Source

What's Changed

• Upgrade to the latest version of Octokit by @​joshmgross in #​193 (Thanks to @​IronSean for contributing to this fix)

Breaking Changes

As part of this update, the Octokit context available via github no longer has REST methods directly. These methods are available via github.rest.* - https://github.com/octokit/plugin-rest-endpoint-methods.js/releases/tag/v5.0.0

See https://github.com/actions/github-script#breaking-changes-in-v5

Full Changelog: actions/github-script@v4.1.1...v5.0.0

v5

Compare Source

v4.2.0

Compare Source

What's Changed

• Upgrade @​actions/core to 1.10.0 for v4 by @​rentziass in #​349

Full Changelog: actions/github-script@v4.1.1...v4.2.0

v4.1.1

Compare Source

What's Changed

• Update minor versions of dependencies by @​joshmgross in #​192

Full Changelog: actions/github-script@v4.1.0...v4.1.1

v4.1.0

Compare Source

What's Changed

• Adding @​actions/exec to github-script by @​bhavanakonchada in #​178
• Run npm audit and update dev dependencies by @​joshmgross in #​181

New Contributors

• @​MichaelDeBoey made their first contribution in #​145
• @​oscard0m made their first contribution in #​174
• @​brcrista made their first contribution in #​177
• @​bhavanakonchada made their first contribution in #​178

Full Changelog: actions/github-script@v4.0.2...v4.1.0

v4.1

Compare Source

v4.0.2: Update @​actions/core package

Compare Source

This release updates the @actions/core package to 1.2.7 - #​137

v4.0.1: Fix "require" search path

Compare Source

Previously, the wrapped require searched the existing module.paths and then process.cwd(). We now only search process.cwd(). See #​136 for details.

v4.0.0: Add support for relative and npm package require

Compare Source

This release adds support for relative require paths, as well as requiring npm modules installed in the working directory.

v4.0

Compare Source

v4

Compare Source

v3.2.0

Compare Source

What's Changed

• Upgrade @​actions/core to 1.10.0 for v3 by @​rentziass in #​348

Full Changelog: actions/github-script@v3.1.1...v3.2.0

v3.1.1: Add @actions/glob package

Compare Source

This releases adds the @actions/glob package, which can be used in scripts via the glob variable - #​127

---

Configuration

📅 Schedule: (in timezone Europe/Moscow)

• Branch creation
  • "after 10pm every weekday,before 5am every weekday,every weekend"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Thanks for the PR!

This section of the codebase is owner by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.

[github-actions]

🏷️ [bumpr]
Next version:v1.14.1
Changes:v1.14.0...AlexRogalskiy:renovate/actions-github-script-9.x

[github-actions]

🏷️ [bumpr]
Next version:v1.14.1
Changes:v1.14.0...AlexRogalskiy:renovate/actions-github-script-9.x

[github-actions]

Scan Summary

Tool	Critical	High	Medium	Low	Status
Secrets Audit	0	427	0	0	❌

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	eslint@​7.19.0
	jest@​27.0.0-next.2
	expect@​26.6.2
	cz-conventional-changelog@​3.3.0
	git-cz@​4.7.6
	husky@​4.3.8
	eslint-plugin-github@​4.1.1
	eslint-plugin-import@​2.22.1
	editorconfig-checker@​3.3.0
	eslint-config-prettier@​6.15.0
	jest-circus@​26.6.3
	eslint-plugin-prettier@​3.3.1
	lint-staged@​10.5.4
	eslint-plugin-jest@​23.20.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 2.5.4 From: package-lock.json → npm/form-data@2.3.3 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@2.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Handlebars.js has JavaScript Injection via AST Type Confusion CVE: GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion (CRITICAL) Affected versions: >= 4.0.0 < 4.7.9 Patched version: 4.7.9 From: package-lock.json → npm/@semantic-release/release-notes-generator@7.3.5 → npm/handlebars@4.7.7 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.7.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm json-schema is vulnerable to Prototype Pollution CVE: GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution (CRITICAL) Affected versions: < 0.4.0 Patched version: 0.4.0 From: package-lock.json → npm/json-schema@0.2.3 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/json-schema@0.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Prototype Pollution in npm minimist CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: >= 1.0.0 < 1.2.6; < 0.2.4 Patched version: 1.2.6 From: package-lock.json → npm/cz-conventional-changelog@3.3.0 → npm/jest@27.0.0-next.2 → npm/jest-circus@26.6.3 → npm/@semantic-release/release-notes-generator@7.3.5 → npm/minimist@1.2.5 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimist@1.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm npm is 94.0% likely obfuscated Confidence: 0.94 Location: Package overview From: package-lock.json → npm/@semantic-release/npm@5.3.5 → npm/npm@6.14.11 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npm@6.14.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report