Bundle Dependabot NPM updates with ESM compatibility fixes for @actions/github v9

[Copilot]

Bundles 5 Dependabot updates for actions/setup/js/: @actions/core (3.0.0), @actions/io (3.0.2), @actions/github (9.0.0), @actions/glob (0.6.1), and vitest (4.0.18).

ESM Migration

@actions/github v9.0.0 is ESM-only ("type": "module"), breaking CommonJS require() imports. Converted to dynamic imports:

// Before: synchronous require
const { getOctokit } = require("@actions/github");
const octokit = getOctokit(token);

// After: async dynamic import
async function setupProjectGitHubClient() {
  const { getOctokit } = await import("@actions/github");
  const octokit = getOctokit(token);
  return octokit;
}

Changes

• safe_output_unified_handler_manager.cjs: Made setupProjectGitHubClient() async, uses dynamic import, updated call site with await
• frontmatter_hash_github_api.test.cjs: Moved import inside test function that conditionally uses GitHub API
• test-live-github-api.cjs: Moved import into async main function
• safe_output_unified_handler_manager.test.cjs: Updated assertions for async function (expect(...).rejects instead of expect(() => ...))

Package lock regenerated with npm install.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Dependabot Burner] Dependabot: NPM Dependencies - actions/setup/js/ directory</issue_title>
<issue_description>## 📦 Dependency Update Bundle

This issue tracks Dependabot dependency updates for the actions/setup/js/ directory (npm/yarn packages).

Pull Requests Included

• chore(deps-dev): bump @actions/io from 2.0.0 to 3.0.2 in /actions/setup/js #13452 - Bump @actions/io from 2.0.0 to 3.0.2 in /actions/setup/js
• chore(deps-dev): bump vitest from 4.0.17 to 4.0.18 in /actions/setup/js #13450 - Bump vitest from 4.0.17 to 4.0.18 in /actions/setup/js
• chore(deps-dev): bump @actions/core from 2.0.2 to 3.0.0 in /actions/setup/js #13449 - Bump @actions/core from 2.0.2 to 3.0.0 in /actions/setup/js
• chore(deps-dev): bump @actions/github from 7.0.0 to 9.0.0 in /actions/setup/js #13448 - Bump @actions/github from 7.0.0 to 9.0.0 in /actions/setup/js
• chore(deps-dev): bump @actions/glob from 0.5.0 to 0.6.1 in /actions/setup/js #13446 - Bump @actions/glob from 0.5.0 to 0.6.1 in /actions/setup/js

Summary

Runtime: npm/yarn
Manifest: /actions/setup/js
PRs: 5

⚠️ Breaking Changes: Several of these updates involve breaking changes (ESM-only packages). Careful testing required.

Next Steps

1. Review all PRs together for compatibility
2. Test the combined changes locally (especially ESM migration)
3. Merge all PRs in sequence or create a combined PR
4. Close this parent issue once complete

---

This issue was created by the Dependabot Burner workflow to bundle related dependency updates.

AI generated by Dependabot Burner

• expires on Feb 15, 2026, 12:29 PM UTC

Comments on the Issue (you are @copilot in this section)

• Fixes github/gh-aw#14508

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[Copilot]

Pull request overview

Bundles several npm dependency bumps under actions/setup/js/ and updates codepaths that use @actions/github to be compatible with @actions/github@9 (ESM-only) by switching from require() to dynamic import() and propagating async/await where needed.

Changes:

• Bumped @actions/* and vitest versions and regenerated package-lock.json.
• Migrated @actions/github usage to dynamic imports to support ESM-only @actions/github@9.
• Updated related tests/scripts to handle the now-async GitHub client setup.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
actions/setup/js/test-live-github-api.cjs	Switches @actions/github import to dynamic import() in the live API script.
actions/setup/js/safe_output_unified_handler_manager.cjs	Makes setupProjectGitHubClient() async and uses dynamic import; updates call site with await.
actions/setup/js/safe_output_unified_handler_manager.test.cjs	Updates tests to await the async GitHub client setup and assert async errors correctly.
actions/setup/js/frontmatter_hash_github_api.test.cjs	Moves @actions/github import into the token-gated live test via dynamic import.
actions/setup/js/package.json	Updates dependency versions (@actions/*, vitest).
actions/setup/js/package-lock.json	Lockfile regeneration reflecting the dependency bumps.

Files not reviewed (1)

• actions/setup/js/package-lock.json: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

setupProjectGitHubClient() now uses await import("@actions/github"), but actions/setup/setup.sh still installs @actions/github@^7.0.0 when safe-output-projects is enabled. This creates a version mismatch with the updated package.json (^9.0.0) and means production runs may still be exercising v7 (or may behave differently than CI). Update the runtime installer to install @actions/github@^9.0.0 (or, if v7 is intentional for runtime, revert the dependency bump / adjust the migration accordingly).