chore(deps): bump actions/github-script from 8 to 9

[dependabot]

Bumps actions/github-script from 8 to 9.

Release notes

Sourced from actions/github-script's releases.

v9.0.0

New features:

• getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
• Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

• require('@actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
• getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
• If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

• Add ACTIONS_ORCHESTRATION_ID to user-agent string by @​Copilot in actions/github-script#695
• ci: use deployment: false for integration test environments by @​salmanmkc in actions/github-script#712
• feat!: add getOctokit to script context, upgrade @​actions/github v9, @​octokit/core v7, and related packages by @​salmanmkc in actions/github-script#700

New Contributors

• @​Copilot made their first contribution in actions/github-script#695

Full Changelog: actions/github-script@v8.0.0...v9.0.0

Commits

• 3a2844b Merge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...
• ca10bbd fix: use @​octokit/core/types import for v7 compatibility
• 86e48e2 merge: incorporate main branch changes
• c108472 chore: rebuild dist for v9 upgrade and getOctokit factory
• afff112 Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...
• ff8117e ci: fix user-agent test to handle orchestration ID
• 81c6b78 ci: use deployment: false to suppress deployment noise from integration tests
• 3953caf docs: update README examples from @​v8 to @​v9, add getOctokit docs and v9 brea...
• c17d55b ci: add getOctokit integration test job
• a047196 test: add getOctokit integration tests via callAsyncFunction
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codescene-delta-analysis]

No application code in the PR — skipped Code Health checks.

See analysis details in CodeScene

Quality Gate Profile: Clean Code Collective
Install CodeScene MCP: safeguard and uplift AI-generated code. Catch issues early with our IDE extension and CLI tool.

[claude]

Code Review: chore(deps): bump actions/github-script from 8 to 9

Note: This PR is already merged. Review provided for record-keeping purposes.

Overview

This is a Dependabot-generated bump of actions/github-script from v8 to v9 across three steps in .github/workflows/ci-metrics.yml. The change is purely a version pin update — no script logic is modified.

---

Breaking Changes Analysis (v9)

The v9 release includes three notable breaking changes:

Breaking Change	Impact on This PR
require('@actions/github') no longer works (ESM-only)	No usage of require in any script
const getOctokit / let getOctokit causes SyntaxError (now injected)	No getOctokit declarations in any script
Access to @actions/github internals beyond github/octokit client	Scripts only use github.rest.*, core.*, and context.*

All three scripts are safe for the v9 upgrade.

---

Observations (Pre-existing, not introduced by this PR)

• Suspicious action versions: .github/workflows/ci-metrics.yml references actions/checkout@v6 and actions/setup-node@v6. Neither of those versions exists — the latest stable releases are v4. These should be corrected to @v4 to avoid workflows silently breaking (non-existent tags typically resolve to the default branch, which can be unstable).
• Expression injection risk (low): The Check for performance degradation step interpolates workflow step outputs directly into script strings via ${{ steps.metrics.outputs.pass_rate }}. Since these values are produced by internal workflow computation (not user-controlled), the injection risk is effectively zero here, but it is generally safer to pass them via env: variables and read with process.env in more sensitive contexts.

---

Summary

The version bump itself is correct and safe — no script patterns are affected by the v9 breaking changes. The pre-existing @v6 references for actions/checkout and actions/setup-node are worth a follow-up fix in a separate PR.

Reviewed with Claude Code