Bump octokit/request-action from 2.4.0 to 3.0.0 #2

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/octokit/request-action-3.0.0

Conversation

dependabot bot commented on behalf of github Mar 21, 2026

Bumps octokit/request-action from 2.4.0 to 3.0.0.

Release notes

Sourced from octokit/request-action's releases.

v3.0.0

3.0.0 (2026-03-20)

Bug Fixes

  • deps: update dependency @octokit/action to v8, update runner to v24, switch build from NCC to ESBuild (#324) (b91aaba)

BREAKING CHANGES

  • deps: Update runner to Node 24

Co-authored-by: uzlopak <aras.abbasi@googlemail.com>
Co-authored-by: wolfy1339 <webmaster@wolfy1339.com>
Co-authored-by: wolfy1339 <4595477+wolfy1339@users.noreply.github.com>
Co-authored-by: Audrey Romanet <7204715+aromanet42@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Commits
  • b91aaba fix(deps): update dependency @octokit/action to v8, update runner to v24, swi...
  • 02f5e7c ci(action): update peter-evans/create-or-update-comment action to v5 (#331)
  • f103041 ci(action): update github/codeql-action action to v4 (#332)
  • 937f551 ci(action): update actions/checkout action to v6 (#340)
  • c861151 ci(action): update actions/setup-node action to v6 (#333)
  • 05a2312 build(deps): bump @octokit/request from 9.1.1 to 9.2.2 (#322)
  • 22cf731 build(deps): bump @octokit/plugin-paginate-rest from 11.3.0 to 11.4.2 (#319)
  • 786351d ci(action): update actions/publish-immutable-action action to v0.0.4 (#314)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [octokit/request-action](https://github.com/octokit/request-action) from 2.4.0 to 3.0.0.
- [Release notes](https://github.com/octokit/request-action/releases)
- [Commits](octokit/request-action@dad4362...b91aaba)

---
updated-dependencies:
- dependency-name: octokit/request-action
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Mar 21, 2026

matterai-app bot commented Mar 21, 2026

Important

PR Analysis Skipped

PR analysis skipped for dependabot PRs as per the configuration setting. Run a manual review by commenting /matter review

💡Tips to use MatterAI

Command List

  • /matter summary: Generate AI Summary for the PR
  • /matter review: Generate AI Reviews for the latest commit in the PR
  • /matter review-full: Generate AI Reviews for the complete PR
  • /matter release-notes: Generate AI release-notes for the PR
  • /matter : Chat with your PR with MatterAI Agent
  • /matter remember : Generate AI memories for the PR
  • /matter explain: Get an explanation of the PR
  • /matter help: Show the list of available commands and documentation
  • Need help? Join our Discord server: https://discord.gg/fJU5DvanU3

matterai-app bot commented Mar 21, 2026

Summary By MatterAI

🔄 What Changed

Updated the octokit/request-action dependency from version 2.4.0 to 3.0.0 across multiple GitHub Action workflows. The action is now pinned to a specific commit SHA (b91aabaa861c777dcdb14e2387e30eddf04619ae) for enhanced security.

🔍 Impact of the Change

Ensures CI workflows use the latest version of the Octokit request action, benefiting from potential performance improvements and bug fixes. Pinning to a SHA mitigates risks associated with tag-shifting in third-party actions.

📁 Total Files Changed

File ChangeLog

  • Workflow Update: .github/workflows/no-engineering-system-changes.yml - Bumped octokit/request-action to v3.0.0 via SHA.
  • Workflow Update: .github/workflows/no-package-lock-changes.yml - Bumped octokit/request-action to v3.0.0 via SHA.

🧪 Test Added/Recommended

Recommended

  • Trigger the no-engineering-system-changes and no-package-lock-changes workflows manually or via a test PR to verify the get_permissions step still functions correctly with the v3.0.0 API.

🔒 Security Vulnerabilities

N/A. The change actually improves security by pinning the action to a specific commit SHA.

Total Score: 3/4

matterai-app bot commented Mar 21, 2026

✅ Reviewed the changes: The PR safely updates the octokit/request-action dependency to v3.0.0 using a pinned SHA, which follows security best practices for GitHub Actions.
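
The comments above credit the full commit-SHA pin with mitigating tag-shifting; a check for that property in workflow files could look like the following. This is an added example, not part of the PR thread or of any project named in it: the sample workflow text is constructed (the PR's actual workflow contents are not shown on this page), and `audit_uses` and `unpinned` are hypothetical helper names.

```python
import re

# `uses:` at step or job level, optional quotes, optional trailing "# comment".
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)['"]?\s*(?:#.*)?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample, NOT the workflow from the PR (its contents are not on the page).
SAMPLE_WORKFLOW = """\
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - id: get_permissions
        uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0
      - uses: octokit/request-action@v3.0.0
      - uses: octokit/request-action@b91aaba
      - uses: ./.github/actions/local-check
"""


def audit_uses(text):
    """Classify every `uses:` reference as pinned, mutable-ref, or skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            # Repo-local and docker:// references follow other rules; out of scope here.
            findings.append((line_no, target, "", "skipped"))
            continue
        action, _, ref = target.partition("@")
        # Only a full 40-hex commit SHA is immutable. Tags and branches can be
        # moved, and an abbreviated SHA is indistinguishable from a branch or tag name.
        status = "pinned" if FULL_SHA_RE.fullmatch(ref) else "mutable-ref"
        findings.append((line_no, action, ref, status))
    return findings


def unpinned(text):
    """Return (line_no, action, ref) for references that can change under you."""
    return [(n, a, r) for n, a, r, s in audit_uses(text) if s == "mutable-ref"]


if __name__ == "__main__":
    for line_no, action, ref in unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref or '<none>'} is not pinned to a full commit SHA")
```

A "pinned" result only says the reference cannot move; whether the SHA is the intended commit still has to be confirmed against the release's commit list.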
