Skip to content

Update github actions (major)#1552

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/major-github-actions
Open

Update github actions (major)#1552
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/major-github-actions

Conversation

@renovate

@renovate renovate Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/checkout action major v4v7
actions/deploy-pages action major v4v5
actions/github-script action major v7v9

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

v7

Compare Source

v6.0.3

Compare Source

v6.0.2

Compare Source

v6.0.1

Compare Source

v6.0.0

Compare Source

v6

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v5

Compare Source

actions/deploy-pages (actions/deploy-pages)

v5.0.0

Compare Source

Changelog

See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

v5

Compare Source

actions/github-script (actions/github-script)

v9.0.0

Compare Source

New features:

  • getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
  • Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

  • require('@​actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@​actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@​actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
  • getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
  • If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.
What's Changed
New Contributors

Full Changelog: actions/github-script@v8.0.0...v9.0.0

v9

Compare Source

v8.0.0

Compare Source

v8: .0.0

Compare Source

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

New Contributors

Full Changelog: actions/github-script@v7.1.0...v8.0.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the 🚚 private-dependencies Private dependency label Jun 30, 2026
@renovate renovate Bot enabled auto-merge June 30, 2026 00:28
@renovate renovate Bot added the 🚚 private-dependencies Private dependency label Jun 30, 2026
@github-actions github-actions Bot added the :shipit: merge Shipit! label Jun 30, 2026
@github-actions github-actions Bot added this to the v1.3.0 milestone Jun 30, 2026
@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown

Test Results

0 tests  ±0   0 ✅ ±0   0s ⏱️ ±0s
0 suites ±0   0 💤 ±0 
0 files   ±0   0 ❌ ±0 

Results for commit e7fbaac. ± Comparison against base commit 952dd4b.

♻️ This comment has been updated with latest results.

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

Run reviewer

TIP This summary will be updated as you push new changes.

@codacy-production codacy-production Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

The major version updates to GitHub Actions in this PR are up to general quality standards, but they introduce significant functional risks that require verification. Specifically, the upgrade to actions/upload-pages-artifact@v5 now excludes hidden files by default, which may prevent .nojekyll files from being published and break documentation rendering. Additionally, the move to actions/github-script@v9 transitions to an ESM-only environment, which may break scripts relying on the require() function for built-ins like fs. Finally, updates to synchronized workflows must be applied to the source templates to avoid regressions during the next template sync.

About this PR

  • Major version upgrades to core actions in this PR introduce breaking changes in script execution (ESM migration) and artifact packaging (dotfile exclusion). Ensure all automation scripts and deployment artifacts are verified against these new runtime behaviors.

Test suggestions

  • Verify GitHub Pages site functionality, specifically checking if hidden files (e.g., .nojekyll) are missing from the published site.
  • Verify that 'require("fs")' in squad-heartbeat.yml and other workflows still functions within the github-script@v9 ESM context.
  • Validate that the 'squad:copilot' issue assignment still works given the breaking changes in the Octokit client within github-script@v9.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify GitHub Pages site functionality, specifically checking if hidden files (e.g., .nojekyll) are missing from the published site.
2. Verify that 'require("fs")' in squad-heartbeat.yml and other workflows still functions within the github-script@v9 ESM context.
3. Validate that the 'squad:copilot' issue assignment still works given the breaking changes in the Octokit client within github-script@v9.

TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 MEDIUM RISK

This workflow is part of a synchronized set of files. The header comment requires changes to be applied to all locations, including the source template (templates/workflows/squad-heartbeat.yml). Missing these updates will cause the version bumps to be overwritten during the next template sync.

Comment thread .github/workflows/build.yml Outdated
- name: 📤 Upload Pages artifact
if: github.ref == 'refs/heads/main'
uses: actions/upload-pages-artifact@v3
uses: actions/upload-pages-artifact@v5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 MEDIUM RISK

Starting with v4, this action no longer includes hidden files (dotfiles) by default. If your documentation relies on '.nojekyll' or other dotfiles for proper rendering, you must add 'include-hidden-files: true' to the inputs.

@renovate renovate Bot force-pushed the renovate/major-github-actions branch 2 times, most recently from 61961f3 to 698b789 Compare June 30, 2026 04:53
@renovate renovate Bot force-pushed the renovate/major-github-actions branch from 698b789 to e7fbaac Compare June 30, 2026 05:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

:shipit: merge Shipit! 🚚 private-dependencies Private dependency

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants