Skip to content

Bump actions/github-script from 8 to 9#144

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions/github-script-9
Open

Bump actions/github-script from 8 to 9#144
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions/github-script-9

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 30, 2026

Bumps actions/github-script from 8 to 9.

Release notes

Sourced from actions/github-script's releases.

v9.0.0

New features:

  • getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
  • Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

  • require('@actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
  • getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
  • If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

New Contributors

Full Changelog: actions/github-script@v8.0.0...v9.0.0

Commits
  • 3a2844b Merge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...
  • ca10bbd fix: use @​octokit/core/types import for v7 compatibility
  • 86e48e2 merge: incorporate main branch changes
  • c108472 chore: rebuild dist for v9 upgrade and getOctokit factory
  • afff112 Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...
  • ff8117e ci: fix user-agent test to handle orchestration ID
  • 81c6b78 ci: use deployment: false to suppress deployment noise from integration tests
  • 3953caf docs: update README examples from @​v8 to @​v9, add getOctokit docs and v9 brea...
  • c17d55b ci: add getOctokit integration test job
  • a047196 test: add getOctokit integration tests via callAsyncFunction
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump actions/github-script from 8 to 9
b28a213 
Bumps [actions/github-script](https://github.com/actions/github-script) from 8 to 9.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@v8...v9)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot requested a review from a team as a code owner April 30, 2026 10:45
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 30, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 30, 2026

🤖 Claude Code Review

PR Code Review

This PR bumps actions/github-script from v8 to v9 across three GitHub Actions workflow files.

Code Quality

✅ No commented-out code — Clean change.

✅ DRY / meaningful names — Not applicable; this is a version bump only.

❌ Logic/naming inconsistency (pre-existing, but worth flagging)

Two workflow files have a mismatch between the step name and the actual threshold:

  • .github/workflows/maven-darwin.yaml line 92: step is named "Fail PR if overall coverage is less than 80%" but the condition checks < 20.0 and the failure message says 'Overall coverage is less than 20%!'
  • .github/workflows/maven-windows.yaml line 88: same issue — name says 80%, condition and message say 20%
  • .github/workflows/maven-linux.yaml line 88: consistent — name, condition, and message all say 20%

This is a pre-existing bug not introduced by this PR, but it is visible in the diff context and should be corrected.

✅ No defects introduced by this change — The version bump itself is straightforward and correct.

Testing

✅ N/A — CI configuration change; no unit/integration tests required.

Documentation

✅ No README or API doc changes needed — This is a dependency version bump in CI.

✅ CHANGELOG — Not required for a dependency bump of this scope unless project policy mandates it; no issue flagged.

Security

✅ No hardcoded credentials

✅ No sensitive data in logs

✅ No license files (.lic) checked in

✅ Upgrading to actions/github-script@v9 is a positive security practice — pinning to a newer major version addresses any vulnerabilities fixed between v8 and v9. Note: for stronger supply-chain security, consider pinning to a full commit SHA (e.g., actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea) rather than a mutable tag, but this is a broader project convention question and not a blocker.

Summary

Category Status
Code Quality ❌ Pre-existing step name/threshold mismatch in darwin & windows workflows
Testing
Documentation
Security

Recommendation: Approve with a suggestion to fix the step name mismatch in maven-darwin.yaml (line 92) and maven-windows.yaml (line 88) — either rename the step to "Fail PR if overall coverage is less than 20%" to match the actual condition, or correct the condition to check < 80.0 if 80% was always the intended threshold.

Automated code review analyzing defects and coding standards

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 30, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@kernelsam kernelsam

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kernelsam @senzingdevops