chore(deps): bump @actions/core to 3.x and @actions/tool-cache to 4.x #159

Merged
TerryHowe merged 3 commits into main from chore/bump-actions-deps
Apr 6, 2026

@TerryHowe
Member

Summary

Bumps the GitHub Actions toolkit to current major versions, replacing the two dependabot PRs that fail `check-dist`:

Both 3.x (`@actions/core`) and 4.x (`@actions/tool-cache`) are now ESM-only packages. `@vercel/ncc` (webpack-based) cannot bundle ESM-only packages in CJS mode, so this PR also replaces `ncc` with `esbuild` as the bundler. `esbuild` handles ESM→CJS bundling natively and requires no changes to the TypeScript source.

Changes

  • `package.json`: bump `@actions/core` `^2.0.3` → `^3.0.0`, `@actions/tool-cache` `^3.0.1` → `^4.0.0`; replace `@vercel/ncc` with `esbuild ^0.28.0`; update build script
  • `package-lock.json`: updated resolved versions
  • `dist/index.js`: rebuilt with `esbuild` and updated dependencies

Test plan

  • `npm run build` succeeds locally
  • `npm audit` reports 0 vulnerabilities
  • CI: `check-dist` passes
  • CI: test workflow passes on ubuntu/macos/windows

Replace @vercel/ncc with esbuild to support ESM-only packages.
Upgrade @actions/core from ^2.0.3 to ^3.0.0 (closes #138).
Upgrade @actions/tool-cache from ^3.0.1 to ^4.0.0 (closes #137).
Rebuild dist/ with updated dependencies.

Signed-off-by: Terry Howe <terrylhowe@gmail.com>

Copilot AI left a comment

Pull request overview

This PR updates the GitHub Actions toolkit dependencies to their current major versions and adjusts the build pipeline to accommodate the toolkits’ move to ESM-only packages by switching bundlers.

Changes:

  • Bump @actions/core to ^3.0.0 and @actions/tool-cache to ^4.0.0.
  • Replace @vercel/ncc with esbuild for bundling and update the build script accordingly.
  • Update the lockfile and regenerate dist/index.js with the new bundler/dependency graph.

Reviewed changes

Copilot reviewed 1 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| package.json | Updates toolkit deps and replaces ncc build with esbuild bundling. |
| package-lock.json | Lockfile updates for the new toolkit majors and added esbuild dependency tree. |
| dist/index.js | Rebuilt bundled action output to work with ESM-only toolkit packages. |

Add --format=cjs to build script to make CJS output explicit.
Add --legal-comments=external so licenses.txt is kept in sync with
bundled dependencies on every build.
Rebuild dist/ with updated build script.

Signed-off-by: Terry Howe <terrylhowe@gmail.com>

Replace --legal-comments=external (which only captured inline comments)
with a generate-licenses.js script that reads actual LICENSE files from
node_modules for every package bundled by esbuild.
The build now uses --metafile to identify bundled packages, then runs
the script to write dist/licenses.txt, matching the ncc-generated format.

Signed-off-by: Terry Howe <terrylhowe@gmail.com>
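
An added example, not the project's `scripts/generate-licenses.js`: one way to turn esbuild's `--metafile` output into the set of bundled packages and their license texts, as the commit message above describes. The sample metafile is constructed, and the function names and the output layout are assumptions.

```javascript
// Constructed sample of esbuild --metafile JSON (only the fields used here).
const sampleMetafile = { outputs: { 'dist/index.js': { inputs: {
  'src/index.ts': { bytesInOutput: 900 },
  'node_modules/@actions/core/lib/core.js': { bytesInOutput: 4000 },
  'node_modules/@actions/core/lib/command.js': { bytesInOutput: 700 },
  'node_modules/@actions/tool-cache/lib/tool-cache.js': { bytesInOutput: 5000 },
  'node_modules/@actions/tool-cache/node_modules/semver/semver.js': { bytesInOutput: 9000 },
} } } };

// Hypothetical helper: map every bundled input under node_modules to its
// package. The last "node_modules" segment wins, so a nested copy resolves
// to its own directory (and its own license), not the parent package's.
function bundledPackages(metafile) {
  const found = new Map(); // package dir -> package name
  for (const output of Object.values(metafile.outputs || {})) {
    for (const input of Object.keys(output.inputs || {})) {
      const segs = input.replace(/\\/g, '/').split('/');
      const i = segs.lastIndexOf('node_modules');
      if (i === -1 || i + 1 >= segs.length) continue; // first-party source
      const n = segs[i + 1].startsWith('@') ? 2 : 1; // scoped names span two segments
      found.set(segs.slice(0, i + 1 + n).join('/'), segs.slice(i + 1, i + 1 + n).join('/'));
    }
  }
  return [...found].map(([dir, name]) => ({ name, dir })).sort((a, b) => (a.dir < b.dir ? -1 : 1));
}

// Hypothetical helper: choose a license file from a directory listing.
function pickLicenseFile(fileNames) {
  return fileNames.filter((f) => /^(licen[sc]e|copying)(\.|-|$)/i.test(f)).sort()[0] || null;
}

// Read the license text of each bundled package. Packages with no license file
// are returned in `missing` so a build can fail rather than ship an incomplete file.
async function collectLicenses(metafile, root = '.') {
  const fs = await import('node:fs'); // dynamic import works from CJS and ESM
  const path = await import('node:path');
  const texts = [];
  const missing = [];
  for (const { name, dir } of bundledPackages(metafile)) {
    const abs = path.join(root, dir);
    const file = fs.existsSync(abs) ? pickLicenseFile(fs.readdirSync(abs)) : null;
    if (file) texts.push(`${name}\n${fs.readFileSync(path.join(abs, file), 'utf8').trim()}`);
    else missing.push(name);
  }
  return { text: texts.join('\n\n'), missing };
}
```

Failing the build when `missing` is non-empty keeps the generated license file from silently drifting from what is actually bundled.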
@TerryHowe TerryHowe requested a review from Copilot April 6, 2026 12:15
Contributor

@shizhMSFT shizhMSFT left a comment

LGTM

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 5 changed files in this pull request and generated 1 comment.

@TerryHowe TerryHowe merged commit bbd8d79 into main Apr 6, 2026
16 checks passed
@TerryHowe TerryHowe mentioned this pull request Apr 6, 2026
TerryHowe added a commit that referenced this pull request Apr 6, 2026
Bump `package.json` version to `2.0.0` in preparation for the v2.0.0
release.

## What's in v2.0.0

- Bump `@actions/core` from `^2.0.3` to `^3.0.0` (#138)
- Bump `@actions/tool-cache` from `^3.0.1` to `^4.0.0` (#137)
- Replace `@vercel/ncc` with `esbuild` to support ESM-only toolkit
packages (#159)
- Add `scripts/generate-licenses.js` to regenerate
`dist/licenses.txt` from bundled packages on every build (#159)
- Pin `undici` to `>=6.24.1` to address 5 CVEs (#155)

Signed-off-by: Terry Howe <terrylhowe@gmail.com>