step-security · amanstep · Feb 16, 2026 · Feb 17, 2026 · Copilot · Feb 17, 2026
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -25,3 +25,5 @@ jobs:
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
+        with:
+          allow-ghsas: GHSA-g9mf-h72j-4rw9
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/dist/licenses.txt b/dist/licenses.txt
diff --git a/jest.config.js b/jest.config.js
@@ -3,7 +3,6 @@ module.exports = {
   moduleFileExtensions: ['js', 'ts'],
   testEnvironment: 'node',
   testMatch: ['**/*.test.ts'],
-  testRunner: 'jest-circus/runner',
   transform: {
     '^.+\\.ts$': 'ts-jest'
   },

diff --git a/osv-scanner.toml b/osv-scanner.toml
@@ -0,0 +1,3 @@
+[[IgnoredVulns]]
+id = "GHSA-g9mf-h72j-4rw9"
+reason = "undici is a transitive dependency of @actions/github v6; and interacts with trusted servers. Resource exhaustion attack is very less likely in this context."
-reason = "undici is a transitive dependency of @actions/github v6; and interacts with trusted servers. Resource exhaustion attack is very less likely in this context."
+reason = "undici is a transitive dependency of @actions/github v6; and interacts with trusted servers. Resource exhaustion attack is very unlikely in this context."
-reason = "undici is a transitive dependency of @actions/github v6; and interacts with trusted servers. Resource exhaustion attack is very less likely in this context."
+reason = "undici is a transitive dependency of @actions/github v6; and interacts with trusted servers. Resource exhaustion attack is very unlikely in this context."
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -25,24 +25,23 @@
   "license": "MIT",
   "dependencies": {
     "@actions/core": "^1.10.0",
-    "@actions/github": "^4.0.0",
+    "@actions/github": "^6.0.1",
     "@semantic-release/commit-analyzer": "^8.0.1",
     "@semantic-release/release-notes-generator": "^9.0.1",
     "axios": "^1.13.5",
     "conventional-changelog-conventionalcommits": "^4.6.1",
     "semver": "^7.3.5"
   },
   "devDependencies": {
-    "@types/jest": "^27.0.2",
+    "@types/jest": "^29.5.14",
     "@types/js-yaml": "^4.0.4",
     "@types/node": "^20.11.16",
     "@types/semver": "^7.3.9",
     "@vercel/ncc": "^0.38.4",
-    "jest": "^27.3.1",
-    "jest-circus": "^27.3.1",
+    "jest": "^29.7.0",
     "js-yaml": "^4.1.0",
     "prettier": "2.4.1",
-    "ts-jest": "^27.0.7",
-    "typescript": "^4.4.4"
+    "ts-jest": "^29.4.6",
+    "typescript": "~4.9"
-    "typescript": "~4.9"
+    "typescript": "^4.9"
-    "typescript": "~4.9"
+    "typescript": "^4.9"
   }
 }
diff --git a/src/github.ts b/src/github.ts
@@ -34,7 +34,7 @@ export async function listTags(
 ): Promise<Tag[]> {
   const octokit = getOctokitSingleton();
 
-  const tags = await octokit.repos.listTags({
+  const tags = await octokit.rest.repos.listTags({
     ...context.repo,
     per_page: 100,
     page,
@@ -56,7 +56,7 @@ export async function compareCommits(baseRef: string, headRef: string) {
   const octokit = getOctokitSingleton();
   core.debug(`Comparing commits (${baseRef}...${headRef})`);
 
-  const commits = await octokit.repos.compareCommits({
+  const commits = await octokit.rest.repos.compareCommits({
     ...context.repo,
     base: baseRef,
     head: headRef,
@@ -72,11 +72,11 @@ export async function createTag(
 ) {
   const octokit = getOctokitSingleton();
   let annotatedTag:
-    | Await<ReturnType<typeof octokit.git.createTag>>
+    | Await<ReturnType<typeof octokit.rest.git.createTag>>
     | undefined = undefined;
   if (createAnnotatedTag) {
     core.debug(`Creating annotated tag.`);
-    annotatedTag = await octokit.git.createTag({
+    annotatedTag = await octokit.rest.git.createTag({
       ...context.repo,
       tag: newTag,
       message: newTag,
@@ -86,7 +86,7 @@ export async function createTag(
   }
 
   core.debug(`Pushing new tag to the repo.`);
-  await octokit.git.createRef({
+  await octokit.rest.git.createRef({
     ...context.repo,
     ref: `refs/tags/${newTag}`,
     sha: annotatedTag ? annotatedTag.data.sha : GITHUB_SHA,

diff --git a/tests/github.test.ts b/tests/github.test.ts
@@ -5,22 +5,26 @@ jest.mock(
   jest.fn().mockImplementation(() => ({
     context: { repo: { owner: 'mock-owner', repo: 'mock-repo' } },
     getOctokit: jest.fn().mockReturnValue({
-      repos: {
-        listTags: jest.fn().mockImplementation(({ page }: { page: number }) => {
-          if (page === 6) {
-            return { data: [] };
-          }
+      rest: {
+        repos: {
+          listTags: jest
+            .fn()
+            .mockImplementation(({ page }: { page: number }) => {
+              if (page === 6) {
+                return { data: [] };
+              }
 
-          const res = [...new Array(100).keys()].map((_) => ({
-            name: `v0.0.${_ + (page - 1) * 100}`,
-            commit: { sha: 'string', url: 'string' },
-            zipball_url: 'string',
-            tarball_url: 'string',
-            node_id: 'string',
-          }));
+              const res = [...new Array(100).keys()].map((_) => ({
+                name: `v0.0.${_ + (page - 1) * 100}`,
+                commit: { sha: 'string', url: 'string' },
+                zipball_url: 'string',
+                tarball_url: 'string',
+                node_id: 'string',
+              }));
 
-          return { data: res };
-        }),
+              return { data: res };
+            }),
+        },
       },
     }),
   }))

diff --git a/tsconfig.json b/tsconfig.json
@@ -5,7 +5,8 @@
     "outDir": "./lib",                        /* Redirect output structure to the directory. */
     "rootDir": "./src",
     "strict": true,
-    "esModuleInterop": true
+    "esModuleInterop": true,
+    "skipLibCheck": true
   },
   "exclude": ["node_modules", "**/*.test.ts"]
 }