Bump @actions/github from 7.0.0 to 9.0.0

[dependabot]

Bumps @actions/github from 7.0.0 to 9.0.0.

Changelog

Sourced from @​actions/github's changelog.

9.0.0

• Breaking change: Package is now ESM-only
  • CommonJS consumers must use dynamic import() instead of require()
  • Example: const { getOctokit, context } = await import('@actions/github')
• Fix TypeScript compilation by migrating to ESM, enabling proper imports from @octokit/core/types

8.0.1

• Update undici to 6.23.0
• Update @actions/http-client to 3.0.2

8.0.0

• Update @​octokit dependencies
  • @octokit/core ^7.0.6
  • @octokit/plugin-paginate-rest ^14.0.0
  • @octokit/plugin-rest-endpoint-methods ^17.0.0
  • @octokit/request ^10.0.7
  • @octokit/request-error ^7.1.0
• Breaking change: Minimum Node.js version is now 20 (previously 18)

Commits

• See full diff in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[dancewithheart]

Hi @tgodzik
@actions/github 9.0.0 is a breaking change, so it might be more tricky to update.
But maybe you want to reopen: #317

Currently snyck test and npm audit --omit=dev points to vulns:

# npm audit report

undici  <=6.23.0
Severity: high
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client - https://github.com/advisories/GHSA-f269-vfmq-vjvj
Undici has an HTTP Request/Response Smuggling issue - https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
Undici has CRLF Injection in undici via `upgrade` option - https://github.com/advisories/GHSA-4992-7rv2-5pvq
fix available via `npm audit fix --force`
Will install @actions/github@9.1.0, which is a breaking change
node_modules/@actions/http-client/node_modules/undici
node_modules/undici
  @actions/github  6.0.1 - 8.0.0
  Depends on vulnerable versions of undici
  node_modules/@actions/github

2 vulnerabilities (1 moderate, 1 high)

and

Tested 26 dependencies for known issues, found 6 issues, 15 vulnerable paths.


Issues to fix by upgrading:

  Upgrade @actions/github@7.0.0 to @actions/github@8.0.1 to fix
  ✗ Allocation of Resources Without Limits or Throttling [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-UNDICI-14943963] in undici@5.29.0
    introduced by @actions/github@7.0.0 > undici@5.29.0
  ✗ HTTP Request Smuggling [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-UNDICI-15518061] in undici@5.29.0
    introduced by @actions/github@7.0.0 > undici@5.29.0 and 2 other path(s)
  ✗ CRLF Injection [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-UNDICI-15518072] in undici@5.29.0
    introduced by @actions/github@7.0.0 > undici@5.29.0 and 2 other path(s)
  ✗ Improper Handling of Highly Compressed Data (Data Amplification) [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNDICI-15518068] in undici@5.29.0
    introduced by @actions/github@7.0.0 > undici@5.29.0 and 2 other path(s)
  ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNDICI-15518070] in undici@5.29.0
    introduced by @actions/github@7.0.0 > undici@5.29.0 and 2 other path(s)


Issues with no direct upgrade or patch:
  ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNDICI-15518064] in undici@6.23.0
    introduced by @actions/core@2.0.3 > @actions/http-client@3.0.2 > undici@6.23.0 and 1 other path(s)
  This issue was fixed in versions: 6.24.0, 7.24.0

both dissapears with:

npm install @actions/github@^8.0.1

[dancewithheart]

Created PR for this #347 as dependabot PR has errors on CI.

[tgodzik]

thanks!