feat!: expose getOctokit in script context and upgrade to @actions/github v9#700
Open
feat!: expose getOctokit in script context and upgrade to @actions/github v9#700
Conversation
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
|
Hello from actions/github-script! (46b978f) |
There was a problem hiding this comment.
Pull request overview
This PR exposes getOctokit in the github-script runtime context so user scripts can create additional authenticated Octokit clients (e.g., for multi-token workflows) without relying on require('@actions/github').
Changes:
- Passes
getOctokitinto the script execution context insrc/main.ts. - Extends the
AsyncFunctionArgumentsTypeScript type to includegetOctokitwith an Octokit-typed signature.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/main.ts | Adds getOctokit to the object passed into callAsyncFunction so scripts can access it. |
| src/async-function.ts | Updates the script context type (AsyncFunctionArguments) to type getOctokit and imports Octokit types. |
Comments suppressed due to low confidence (2)
src/main.ts:71
getOctokitis being passed through directly from@actions/github, so any Octokit clients created inside the user script won’t automatically inherit this action’s configured defaults (e.g.,base-urlfor GHES,user-agentwith orchestration ID,retries/request options, and the installedretry/requestLogplugins). This can lead to surprising differences betweengithubandgetOctokit(...)behavior. Consider exposing a wrapper that pre-applies the same options/plugins by default (while still allowing callers to override/extend options/plugins when needed).
github,
octokit: github,
getOctokit,
context,
core,
src/async-function.ts:20
- This adds a new deep import from
@octokit/core/types, but the codebase already imports Octokit types via@octokit/core/dist-types/types(e.g.src/retry-options.ts). To stay consistent (and to reduce the risk of relying on a non-exported subpath), align the import path with the existing convention or derive the type directly from@actions/github(e.g., typegetOctokitastypeof import('@actions/github').getOctokit) so the signature can’t drift from the actual implementation.
import {GitHub} from '@actions/github/lib/utils'
import * as glob from '@actions/glob'
import * as io from '@actions/io'
import type {OctokitOptions, OctokitPlugin} from '@octokit/core/types'
const AsyncFunction = Object.getPrototypeOf(async () => null).constructor
export declare type AsyncFunctionArguments = {
context: Context
core: typeof core
github: InstanceType<typeof GitHub>
octokit: InstanceType<typeof GitHub>
getOctokit: (
token: string,
options?: OctokitOptions,
...additionalPlugins: OctokitPlugin[]
) => InstanceType<typeof GitHub>
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
pelikhan
approved these changes
Mar 9, 2026
- @actions/github: ^6.0.0 → ^9.0.0 - @octokit/core: ^5.0.1 → ^7.0.0 - @octokit/plugin-request-log: ^4.0.0 → ^6.0.0 - @octokit/plugin-retry: ^6.0.1 → ^8.0.0 - Update tsconfig.json to use moduleResolution: "bundler" for ESM exports map support - Update import paths for new package structures - Update build:types script for compatible compiler options Co-authored-by: angel-jiakou <[email protected]> Agent-Logs-Url: https://github.com/actions/github-script/sessions/17de5ca1-8bdc-41e4-a06d-ab2d8c2e6e8c
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
salmanmkc
force-pushed
the
salmanmkc/expose-getoctokit
branch
from
c7fb361 to
2fe016f
Compare
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
Verifies the real getOctokit from @actions/github creates functional Octokit clients when invoked through callAsyncFunction, ensuring: - Secondary clients have full REST/GraphQL API surface - Secondary clients are independent from primary github client - GHES base URL option is accepted - Multiple tokens produce distinct client instances
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
salmanmkc
force-pushed
the
salmanmkc/expose-getoctokit
branch
from
1bdc919 to
7f52c47
Compare
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
Extract createConfiguredGetOctokit factory that wraps getOctokit with: - retry and requestLog plugins (from action defaults) - retries count, proxy agent, orchestration ID user-agent - deep-merge for request options so user overrides don't clobber retries - plugin deduplication to prevent double-application This ensures secondary Octokit clients created via getOctokit() in github-script workflows inherit the same defaults as the primary github client.
salmanmkc
force-pushed
the
salmanmkc/expose-getoctokit
branch
from
7f52c47 to
95933be
Compare
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
- Rename context binding from getOctokit to createOctokit to avoid
SyntaxError when users write const { getOctokit } = require(...)
in their scripts (~10 public workflows affected)
- Strip undefined values from user options to prevent clobbering
defaults (e.g. GHES baseUrl)
- Deep-merge retry options alongside request options
- Use nullish coalescing (??) instead of logical OR (||)
- Shallow-copy opts to prevent shared reference mutation
- Add tests: undefined stripping, retry merge, falsy value preservation,
no mutation of defaults
- 32 tests passing, lint clean, dist rebuilt
salmanmkc
force-pushed
the
salmanmkc/expose-getoctokit
branch
from
47f6d8e to
7ece71c
Compare
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
salmanmkc
changed the title
getOctokit in script context for multi-token workflowscreateOctokit to script context for multi-token workflows
Merges the @actions/github v9 upgrade branch into the createOctokit feature branch, combining ADR steps 1 and 3 into a single major release. Changes from v9 upgrade: - @actions/github 6.x → 9.0.0 (ESM-only) - @octokit/core v5→v7, plugin-request-log v4→v6, plugin-retry v6→v8 - tsconfig: moduleResolution bundler, module/target es2022 - ts-jest: module commonjs override for CJS test execution - License file updates for new dependency versions Conflict resolutions: - src/async-function.ts: v9 import style + createOctokit type - types/async-function.d.ts: aligned with .ts file - integration.yml: v9 UA checks + createOctokit test job - dist/index.js: rebuilt via ncc Additional fix: - getoctokit-integration.test.ts: use mock instead of direct @actions/github import (ESM-only v9 incompatible with Jest CJS) All 32 tests passing, TypeScript clean, lint clean.
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
…it name
Replace function-parameter injection with const destructuring + block scope
so that user scripts can shadow injected names (e.g. const { getOctokit } = ...)
without SyntaxError. This eliminates the need for the createOctokit rename and
aligns with the ADR's getOctokit naming.
Changes:
- callAsyncFunction now wraps user source in a block: const {...} = __scope__; { source }
- Renamed createOctokit binding back to getOctokit everywhere
- Added 5 new tests: const/let shadowing, await, return, syntax error, access
- Updated integration workflow and type declarations
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
salmanmkc
changed the title
createOctokit to script context for multi-token workflows
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
…ards - Change const to var destructuring in callAsyncFunction so var redeclaration and reassignment of injected names still works (v8 compat) - Add identifier validation for argument keys (defensive for exported API) - Add __scope__ collision guard - Fix integration test hardcoded repo name to use github.repository - Add 4 new tests: var redecl, reassignment, invalid key, __scope__ guard
salmanmkc
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Exposes a pre-configured
getOctokitfactory function in the script context, enabling multi-token workflows directly insidegithub-script. Also upgrades the action to@actions/githubv9.This is a major version bump (v9) that combines ADR Steps 1 and 3 into a single release.
What's new
getOctokit(token, opts?)— create additional authenticated clientsUsers can now create additional Octokit clients with different tokens, without needing
require('@actions/github'):The returned client inherits all the same plugins and configuration as the primary
githubclient (retry, request-log, proxy support). Custom options can be passed to override specific settings:@actions/githubv9Upgraded from
@actions/githubv6 to v9, bringing latest Octokit types and the orchestration ID idempotency guard (toolkit#2364).Technical details
Factory implementation (
src/create-configured-getoctokit.ts)undefinedvalues to prevent clobbering defaults@actions/github'sgetOctokit()Script binding injection (
src/async-function.ts)Refactored how bindings (
github,context,core,getOctokit, etc.) are passed into user scripts — uses scope-based injection instead of function parameters, which is more robust and avoids edge-case issues with variable declarations.Test coverage
Demo
Full 13-job demo workflow:
bbq-beets-four-nines/salmanmkc-test
Checklist
getOctokitfactory exposed in script context@actions/githubupgraded to v9