Bump actions/github-script from 8 to 9

[dependabot]

Bumps actions/github-script from 8 to 9.

Release notes

Sourced from actions/github-script's releases.

v9.0.0

New features:

• getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
• Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

• require('@actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
• getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
• If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

• Add ACTIONS_ORCHESTRATION_ID to user-agent string by @​Copilot in actions/github-script#695
• ci: use deployment: false for integration test environments by @​salmanmkc in actions/github-script#712
• feat!: add getOctokit to script context, upgrade @​actions/github v9, @​octokit/core v7, and related packages by @​salmanmkc in actions/github-script#700

New Contributors

• @​Copilot made their first contribution in actions/github-script#695

Full Changelog: actions/github-script@v8.0.0...v9.0.0

Commits

• 3a2844b Merge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...
• ca10bbd fix: use @​octokit/core/types import for v7 compatibility
• 86e48e2 merge: incorporate main branch changes
• c108472 chore: rebuild dist for v9 upgrade and getOctokit factory
• afff112 Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...
• ff8117e ci: fix user-agent test to handle orchestration ID
• 81c6b78 ci: use deployment: false to suppress deployment noise from integration tests
• 3953caf docs: update README examples from @​v8 to @​v9, add getOctokit docs and v9 brea...
• c17d55b ci: add getOctokit integration test job
• a047196 test: add getOctokit integration tests via callAsyncFunction
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Label error. Requires exactly 1 of: automation, breaking, bug, changelog:skip, chore, ci, dependencies, documentation, enhancement, feature, fix, redesign. Found: ci, dependencies

[github-actions]

Label error. Requires exactly 1 of: automation, breaking, bug, changelog:skip, chore, ci, dependencies, documentation, enhancement, feature, fix, redesign. Found: ci, dependencies

[coderabbitai]

📝 Walkthrough

Walkthrough

Eight GitHub workflow files were updated to use actions/github-script@v9 instead of actions/github-script@v8. The updates affect workflow steps that interact with GitHub's REST API for operations such as retrieving PR details, creating deployments, creating tags, adding labels, and posting comments. No script logic, inputs, conditions, or control flow were modified.

Suggested labels

dependencies, ci

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: a dependency version bump from v8 to v9 for actions/github-script.
Description check	✅ Passed	The description is directly relevant, providing release notes, breaking changes, and compatibility information for the actions/github-script v9 upgrade.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch dependabot/github_actions/actions/github-script-9

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/auto-add-needs-triage-label.yml:
- Line 18: Replace the floating tag "actions/github-script@v9" with an immutable
commit SHA to avoid version drift; update the uses entry (the line containing
actions/github-script@v9) to use a full commit SHA (for example,
3a2844b7e9c422d3c10d287c895573f7108da1b3) so the workflow references an exact
revision.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 43e25231-1153-4847-8b87-a648676c1614

📥 Commits

Reviewing files that changed from the base of the PR and between e82f624 and 0676f5c.

📒 Files selected for processing (8)

• .github/workflows/assembler-preview-cleanup.yml
• .github/workflows/assembler-preview.yml
• .github/workflows/auto-add-needs-triage-label.yml
• .github/workflows/comment-on-asciidoc-changes.yml
• .github/workflows/detect-duplicate-issues.yml
• .github/workflows/preview-build.yml
• .github/workflows/preview-cleanup.yml
• .github/workflows/release.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all github-script uses are pinned to full SHAs (40 hex chars).
rg -nP --type=yaml 'uses:\s*actions/github-script@(?![0-9a-f]{40}\b)'

Repository: elastic/docs-builder

Length of output: 46

---

🏁 Script executed:

# First, find and examine the specific workflow file
find . -name "auto-add-needs-triage-label.yml" -type f 2>/dev/null | head -5

Repository: elastic/docs-builder

Length of output: 115

---

🏁 Script executed:

# Search for all github-script uses in workflow files
rg -n "actions/github-script" --type=yaml

Repository: elastic/docs-builder

Length of output: 46

---

🏁 Script executed:

# Read the workflow file to check actual contents
cat -n ./.github/workflows/auto-add-needs-triage-label.yml

Repository: elastic/docs-builder

Length of output: 767

---

Pin actions/github-script to an immutable SHA instead of @v9.

Line 18 uses a floating tag, which risks version drift if the tag is moved. Pin to a full commit SHA (e.g., 3a2844b7e9c422d3c10d287c895573f7108da1b3) for CI stability and security.

Suggested change

-        uses: actions/github-script@v9
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	uses: actions/github-script@v9
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/auto-add-needs-triage-label.yml at line 18, Replace the
floating tag "actions/github-script@v9" with an immutable commit SHA to avoid
version drift; update the uses entry (the line containing
actions/github-script@v9) to use a full commit SHA (for example,
3a2844b7e9c422d3c10d287c895573f7108da1b3) so the workflow references an exact
revision.