@mbg mbg commented Feb 2, 2026

It seems that v4 of @actions/tool-cache now uses ESM modules (similarly to v9 of @actions/github) which leads to failures like this in some of our CI checks, where we install @actions/tool-cache for use with github-script, but don't pin a particular version.

This PR pins v3 in those workflows to unblock these workflows.

Alternatively, we could switch to using import in the scripts, which is supported by github-script.

Risk assessment

For internal use only. Please select the risk level of this change:

  • Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

  • Testing/None - This change does not impact any CodeQL workflows in production.

How did/will you validate this change?

  • End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

CI failures.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@mbg mbg self-assigned this Feb 2, 2026
@mbg mbg requested a review from a team as a code owner February 2, 2026 08:22
Copilot AI review requested due to automatic review settings February 2, 2026 08:22
@github-actions github-actions bot added the size/XS Should be very easy to review label Feb 2, 2026
Copilot AI left a comment

Pull request overview

This PR pins @actions/tool-cache to version 3 in workflow files to prevent failures caused by v4's migration to ESM modules, which is incompatible with the CommonJS require() calls used in github-script actions. This follows the same pattern as the previous fix for @actions/github v9 (PR #3441).

Changes:

  • Updated two workflow template files to pin @actions/tool-cache to version 3
  • The corresponding generated workflow files are automatically updated to reflect these template changes

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| pr-checks/checks/bundle-toolcache.yml | Template file updated to pin @actions/tool-cache@3 in the npm install command |
| pr-checks/checks/bundle-from-toolcache.yml | Template file updated to pin @actions/tool-cache@3 in the npm install command |

@mbg mbg merged commit c5aaca4 into main Feb 2, 2026
257 checks passed
@mbg mbg deleted the mbg/ci/pin-node-packages branch February 2, 2026 10:51
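
An added example, not code from this PR or from the repository it belongs to: a small check that flags `npm install` arguments in workflow text that carry no version, which is the condition that let v4 of @actions/tool-cache into these checks. The sample workflow, the package `example-pkg` and the function names are constructed for illustration.

```javascript
// Constructed sample workflow text (npm install of @actions packages before a
// github-script step); the package "example-pkg" is made up.
const SAMPLE_WORKFLOW = `
steps:
  - name: Install dependencies
    run: npm install @actions/tool-cache @actions/github@8
  - name: Install pinned
    run: |
      npm install --no-save @actions/tool-cache@3
      npm i example-pkg@latest
`;

// Split "name@version" while keeping the leading "@" of a scoped name.
function parseSpec(spec) {
  const at = spec.indexOf("@", 1); // start at 1 to skip a scope's "@"
  return at === -1
    ? { name: spec, version: null }
    : { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// A version counts as pinned here if it starts with a digit (optionally after
// ^, ~, = or v), e.g. "3" or "3.0.0". Dist-tags such as "latest" float.
// A bare major like "3" still floats within that major; an exact version
// plus a lockfile is the stricter choice.
function isPinned(version) {
  return version !== null && /^[\^~=v]?\d/.test(version);
}

// Return every package named in an `npm install` / `npm i` / `npm add`
// command that resolves to whatever the registry serves at run time.
function findFloatingInstalls(workflowText) {
  const findings = [];
  workflowText.split("\n").forEach((text, idx) => {
    const m = text.match(/\bnpm\s+(?:install|i|add)\s+(.*)$/);
    if (!m) return;
    for (const token of m[1].trim().split(/\s+/)) {
      if (token === "" || token.startsWith("-")) continue; // CLI flags
      if (/^(&&|\|\||;|\|)$/.test(token)) break; // start of the next command
      const { name, version } = parseSpec(token);
      if (!isPinned(version)) findings.push({ line: idx + 1, name, version });
    }
  });
  return findings;
}

console.log(findFloatingInstalls(SAMPLE_WORKFLOW));
```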