build(deps): bump octokit/request-action from 2.4.0 to 3.0.0

[dependabot]

Bumps octokit/request-action from 2.4.0 to 3.0.0.

Release notes

Sourced from octokit/request-action's releases.

v3.0.0

3.0.0 (2026-03-20)

Bug Fixes

• deps: update dependency @​octokit/action to v8, update runner to v24, switch build from NCC to ESBuild (#324) (b91aaba)

BREAKING CHANGES

• deps: Update runner to Node 24

Co-authored-by: uzlopak aras.abbasi@googlemail.com Co-authored-by: wolfy1339 webmaster@wolfy1339.com Co-authored-by: wolfy1339 4595477+wolfy1339@users.noreply.github.com Co-authored-by: Audrey Romanet 7204715+aromanet42@users.noreply.github.com Co-authored-by: renovate[bot] <29139614+renovate[bot]@​users.noreply.github.com>

Commits

• b91aaba fix(deps): update dependency @​octokit/action to v8, update runner to v24, swi...
• 02f5e7c ci(action): update peter-evans/create-or-update-comment action to v5 (#331)
• f103041 ci(action): update github/codeql-action action to v4 (#332)
• 937f551 ci(action): update actions/checkout action to v6 (#340)
• c861151 ci(action): update actions/setup-node action to v6 (#333)
• 05a2312 build(deps): bump @​octokit/request from 9.1.1 to 9.2.2 (#322)
• 22cf731 build(deps): bump @​octokit/plugin-paginate-rest from 11.3.0 to 11.4.2 (#319)
• 786351d ci(action): update actions/publish-immutable-action action to v0.0.4 (#314)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• Chores
  • Updated internal CI/CD workflow configuration to use the latest version of a GitHub Actions dependency.

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a codeready-toolchain member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Walkthrough

Updated a GitHub Actions workflow step to pin octokit/request-action to a new commit SHA. No changes to step configuration, inputs, or conditional logic.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow .github/workflows/publish-components-for-e2e-tests.yml	Updated octokit/request-action to a new pinned commit SHA in the "Send Github API Request to get PR data" step.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: updating the octokit/request-action dependency from version 2.4.0 to 3.0.0, which aligns with the actual changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/github_actions/octokit/request-action-3.0.0

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Line 36: Add an explicit Node 24 setup step before the octokit action to
activate Node 24 from the toolcache (insert a step using actions/setup-node@v4
with node-version: 24 immediately before the step that uses
octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae), and verify or
replace the SHA b91aabaa861c777dcdb14e2387e30eddf04619ae so it actually
corresponds to the intended v3.0.0 commit (or switch to the correct tag) to
ensure compatibility with octokit/request-action v3.0.0.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 555ca6c3-1b20-417e-991d-e5d7ee7ff828

📥 Commits

Reviewing files that changed from the base of the PR and between f138bfa and 968714c.

📒 Files selected for processing (1)

• .github/workflows/publish-components-for-e2e-tests.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify Node 24 availability on ubuntu-24.04 runner and confirm SHA

# Check if the SHA matches v3.0.0 tag
echo "=== Verifying SHA corresponds to v3.0.0 tag ==="
gh api repos/octokit/request-action/git/refs/tags/v3.0.0 --jq '.object.sha' | grep -q 'b91aabaa861c777dcdb14e2387e30eddf04619ae' && echo "✓ SHA matches v3.0.0" || echo "✗ SHA mismatch"

# Get the actual commit SHA for v3.0.0
echo -e "\n=== v3.0.0 tag details ==="
gh api repos/octokit/request-action/git/refs/tags/v3.0.0 --jq '{sha: .object.sha, type: .object.type}'

# Check release notes for any API changes
echo -e "\n=== v3.0.0 Release Notes ==="
gh api repos/octokit/request-action/releases/tags/v3.0.0 --jq '.body' | head -20

Repository: codeready-toolchain/member-operator

Length of output: 534

---

🌐 Web query:

Does GitHub Actions ubuntu-24.04 runner include Node.js 24?

💡 Result:

Yes—but not as the default node on the runner.

On the GitHub-hosted ubuntu-24.04 image, the default Node.js on PATH is Node.js 20.20.1, and Node.js 24 is available in the toolcache (currently listed as 24.14.0) for use via actions/setup-node. [1]

Source

1. GitHub actions/runner-images Ubuntu 24.04 image README (Installed Software + Cached Tools). (github.com)

Citations:

• 1: https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md

---

Node.js 24 is not available by default on ubuntu-24.04—the workflow will fail.

The ubuntu-24.04 runner provides Node.js 20.20.1 by default. Node.js 24 (v24.14.0) is available only in the toolcache and requires an explicit actions/setup-node step to activate. Since octokit/request-action v3.0.0 requires Node 24, add a setup step before this action:

- uses: actions/setup-node@v4
  with:
    node-version: 24

Additionally, the SHA b91aabaa861c777dcdb14e2387e30eddf04619ae does not match the v3.0.0 tag. Verify that this SHA corresponds to the intended commit for v3.0.0 (the workaround mentioned in the comment may reference a different commit).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-components-for-e2e-tests.yml at line 36, Add an
explicit Node 24 setup step before the octokit action to activate Node 24 from
the toolcache (insert a step using actions/setup-node@v4 with node-version: 24
immediately before the step that uses
octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae), and verify or
replace the SHA b91aabaa861c777dcdb14e2387e30eddf04619ae so it actually
corresponds to the intended v3.0.0 commit (or switch to the correct tag) to
ensure compatibility with octokit/request-action v3.0.0.

[alexeykazakov]

@coderabbitai help

[alexeykazakov]

@coderabbitai can you fix this PR by adding the missing setup step?

[coderabbitai]

🧩 Analysis chain

Before implementing the fix, let me verify the correct approach for Node 24 in GitHub Actions.

@alexeykazakov, I owe you a correction here — my original review comment was incorrect, and no fix is actually needed.

I conflated two separate concepts:

• System Node.js (what actions/setup-node controls) — used by your own run: scripts
• Actions runtime Node.js (what GitHub's runner manages internally) — used to execute JavaScript-based actions like octokit/request-action

The GitHub Actions runner added support for executing Node 24 actions as a built-in runtime feature. The newest GitHub runner (v2.328.0) now supports both Node20 and Node24. GitHub-hosted runners like ubuntu-24.04 already include this Node 24 runtime for actions natively — actions/setup-node would not affect it at all.

So when octokit/request-action@v3.0.0 declares using: node24 in its action.yml, the GitHub-hosted runner handles that automatically. No additional setup step is required, and the PR is correct as-is.

I apologize for the incorrect suggestion. The dependabot PR can be merged without any changes.

---

🌐 Web query:

GitHub Actions octokit/request-action v3.0.0 node24 runner support ubuntu-24.04

💡 Result:

• octokit/request-action@v3.0.0 runs as a JavaScript action on Node.js 24 (runs.using: node24). [1][2]
• That means it should work on GitHub-hosted ubuntu-24.04 runners (your workflow’s runs-on: ubuntu-24.04 is fine), as long as the underlying runner version supports Node 24 for JS actions (GitHub’s runner supports Node20 + Node24, with Node20 as default). [3][4]

Minimal usage:

jobs:
  api:
    runs-on: ubuntu-24.04
    steps:
      - uses: octokit/request-action@v3.0.0
        with:
          route: GET /repos/{owner}/{repo}/releases/latest
          owner: octokit
          repo: request-action
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

If you’re on self-hosted runners: ensure your actions/runner version includes Node 24 support; otherwise Node24-based actions can fail. [3]

Sources:
[1] octokit/request-action v3.0.0 release notes (Node 24 runner) (github.com)
[2] action.yml at tag v3.0.0 (using: node24) (github.com)
[3] GitHub Changelog: runner supports Node20 + Node24 (github.blog)
[4] actions/runner-images guidance referencing ubuntu-24.04 (github.com)

Citations:

• 1: https://github.com/octokit/request-action/releases/tag/v3.0.0
• 2: https://github.com/octokit/request-action/blob/v3.0.0/action.yml
• 3: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/?utm_source=openai
• 4: The Ubuntu 20.04 Actions runner image will begin deprecation on 2025-02-01 and will be fully unsupported by 2025-04-15 actions/runner-images#11101

---

🌐 Web query:

GitHub Actions using node24 runner support 2025 2026

💡 Result:

• GitHub-hosted & self-hosted runners: GitHub Actions runner v2.328.0 introduced support for both Node.js 20 and Node.js 24, with Node 20 as the default initially. You can force Node 24 now by setting FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true. Starting June 2, 2026, runners begin using Node 24 by default; an opt-out to keep Node 20 is ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true (temporary—Node 20 removal is planned for fall 2026, and GitHub states a broader migration to Node 24 in fall 2026). GitHub also notes Node 20 reaches EOL in April 2026. [1]
• Compatibility notes: GitHub warns Node 24 is incompatible with macOS 13.4 and lower, and ARM32 self-hosted runners won’t be supported after the Node 20 deprecation. [1]
• Runner images / toolcache: Recent runner image release notes show Node.js 24.x versions being present in the cached tools on hosted images (example showing 24.11.x → 24.12.x). [2]
• Workflows that need Node 24 (your jobs): actions/setup-node supports installing and using Node 24 via node-version: 24 (this is for the Node version your steps run, not the Node runtime used internally by JavaScript actions). [3]

Sources:
[1] GitHub Changelog – “Deprecation of Node 20 on GitHub Actions runners”
[2] actions/runner-images releases (cached tools showing Node.js 24.x)
[3] actions/setup-node repository/docs (examples include Node 24)

---

@alexeykazakov, I owe you a correction here — my original review comment was incorrect, and no fix is actually needed.

I conflated two separate concepts:

• System Node.js (what actions/setup-node controls) — used by your own run: steps
• Actions runtime Node.js (what the GitHub runner manages internally) — used to execute JavaScript-based actions like octokit/request-action

octokit/request-action@v3.0.0 runs as a JavaScript action on Node.js 24 (runs.using: node24). GitHub's runner (v2.328.0) supports Node 20 + Node 24, with Node 20 as the default. This means GitHub-hosted runners like ubuntu-24.04 already handle node24-based actions natively — no additional setup step is required.

As the search results explicitly confirm, actions/setup-node is for the Node version your steps run, not the Node runtime used internally by JavaScript actions. So adding actions/setup-node@v4 would not have helped at all.

The dependabot PR is correct as-is and can be merged without any changes. I apologize for the incorrect suggestion.

---

📝 Learnings were identified and not saved (knowledge base disabled). Enable

[alexeykazakov]

@coderabbitai help

[coderabbitai]

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

CodeRabbit commands

These commands are invoked using PR/Issue comments.

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai evaluate custom pre-merge check --instructions <custom-checks-instructions> --name <custom-checks-title> [--mode <error|warning>] to validate the custom pre-merge checks instructions. Defaults to error when --mode is omitted.
  • @coderabbitai ignore pre-merge checks to override pre-merge checks and get an approval on PR.
  • @coderabbitai run pre-merge checks to run pre-merge checks on the pull request.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve merge conflict to automatically resolve merge conflicts.
• @coderabbitai autofix to automatically fix issues identified in unresolved review comments.
• @coderabbitai resolve to resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai generate configuration to create a PR that adds the current resolved configuration as .coderabbit.yaml (or show it if already present).
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit configuration file (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• You can also validate your configuration using the online YAML validator.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, support, documentation and community

• Visit our status page to check the current availability of CodeRabbit.
• Create a ticket on our support page for assistance with any issues or questions.
• Visit our documentation site for detailed information on how to use CodeRabbit.
• Join our Discord community to connect with other users and get help from the community.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

CodeRabbit commands

These commands are invoked using PR/Issue comments.

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai evaluate custom pre-merge check --instructions <custom-checks-instructions> --name <custom-checks-title> [--mode <error|warning>] to validate the custom pre-merge checks instructions. Defaults to error when --mode is omitted.
  • @coderabbitai ignore pre-merge checks to override pre-merge checks and get an approval on PR.
  • @coderabbitai run pre-merge checks to run pre-merge checks on the pull request.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve merge conflict to automatically resolve merge conflicts.
• @coderabbitai autofix to automatically fix issues identified in unresolved review comments.
• @coderabbitai resolve to resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai generate configuration to create a PR that adds the current resolved configuration as .coderabbit.yaml (or show it if already present).
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit configuration file (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• You can also validate your configuration using the online YAML validator.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, support, documentation and community

• Visit our status page to check the current availability of CodeRabbit.
• Create a ticket on our support page for assistance with any issues or questions.
• Visit our documentation site for detailed information on how to use CodeRabbit.
• Join our Discord community to connect with other users and get help from the community.
• Follow us on X/Twitter for updates and announcements.

[alexeykazakov]

/ok-to-test

[alexeykazakov]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, dependabot[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [alexeykazakov]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[MatousJobanek]

/retest
/lgtm

[openshift-ci]

@dependabot[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e	968714c	link	true	/test e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.