chore: migrate from ncc (CJS) to rollup (ESM)

[jdx]

Summary

• Switch bundler from @vercel/ncc to rollup with @rollup/plugin-commonjs, @rollup/plugin-node-resolve, @rollup/plugin-json, and @rollup/plugin-typescript
• Add "type": "module" to package.json for ESM support
• Upgrade all @actions/* dependencies to their latest major versions (@actions/core v3, @actions/exec v3, @actions/cache v6, @actions/glob v0.6, @actions/io v3)
• Remove old ncc artifacts (dist/licenses.txt, dist/sourcemap-register.js)

Why

The @actions/toolkit packages v3+ are ESM-only and can't be bundled by ncc (which uses webpack with CJS require()). This is what's blocking #435 (renovate @actions/exec v3 upgrade). The official actions/typescript-action template has already migrated to rollup.

Test plan

• CI passes (npm run all — format, lint, package)
• check-dist workflow passes (dist/index.js matches build output)
• Integration tests pass on all platforms (ubuntu, macos, windows, alpine)

🤖 Generated with Claude Code

---

Note

Medium Risk
Moderate risk because it changes the action’s build/bundling pipeline and module format (CJS→ESM), which can break runtime execution or dependency resolution if the generated dist/ output differs across environments.

Overview
Migrates the GitHub Action build from @vercel/ncc (CommonJS) to a Rollup-based ESM bundle, adding rollup.config.ts and updating TypeScript settings to NodeNext to support ESM output.

Updates package.json to "type": "module", switches the packaging script to Rollup, and upgrades @actions/* dependencies to their latest major (ESM-only) versions. The checked-in dist/ artifacts are regenerated accordingly (including license output) and legacy ncc-specific artifacts are removed.

^{Reviewed by Cursor Bugbot for commit 59e728e. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​rollup/​plugin-json@​6.1.0
	rimraf@​6.1.3
	@​actions/​exec@​2.0.0 ⏵ 3.0.0
	@​rollup/​plugin-node-resolve@​16.0.3
	@​actions/​io@​2.0.0 ⏵ 3.0.2
	@​rollup/​plugin-typescript@​12.3.0
	@​actions/​core@​2.0.3 ⏵ 3.0.0				-2
	rollup@​4.60.1
	rollup-plugin-license@​3.7.1
	@​rollup/​plugin-commonjs@​29.0.2
	@​actions/​glob@​0.5.1 ⏵ 0.6.1				+4

View full report

[greptile-apps]

Greptile Summary

Migrates the build toolchain from @vercel/ncc (CommonJS/webpack) to Rollup with \"type\": \"module\" in package.json, enabling ESM-only @actions/* v3 packages (core, exec, io) to be bundled correctly. The dist/index.js is regenerated as a self-contained ESM bundle; Node.js picks up \"type\": \"module\" from the root package.json when the action runner loads dist/index.js, so the module format is correctly resolved.

• The PR description says @actions/cache is upgraded to v6, but package.json specifies ^4.0.0 (v4.1.0 installed) — either the description has a typo or the v6 bump was accidentally omitted."

Confidence Score: 5/5

Safe to merge — the ESM migration is technically correct and all remaining findings are P2.

All changed files look correct: the rollup config, tsconfig NodeNext settings, and the generated ESM bundle are consistent with the official actions/typescript-action template pattern. The only finding is a P2 discrepancy between the PR description (@actions/cache v6) and package.json (^4.0.0), which does not affect runtime behavior.

No files require special attention.

Important Files Changed

Filename	Overview
rollup.config.ts	New rollup config replaces ncc; ESM format output with commonjs/nodeResolve/json/typescript/license plugins. esModule: true is a no-op (already flagged in prior thread) but otherwise correct.
tsconfig.json	Switched module/moduleResolution to NodeNext for ESM; allowSyntheticDefaultImports redundancy was flagged in prior thread. All source imports are package-level, so NodeNext's .js-extension requirement for relative imports is not currently a problem.
package.json	Added "type": "module" and exports field; switched package script to rollup; upgraded @actions/* to ESM-compatible versions. @actions/cache is at ^4.0.0 while the PR description claims v6.
dist/index.js	Regenerated 121k-line ESM bundle; starts with bare import statements for Node built-ins and includes rollup CJS interop helpers. Correctly treated as ESM by Node.js via the root package.json "type":"module".
dist/licenses.txt	Regenerated by rollup-plugin-license; replaces the old ncc-generated version.
dist/sourcemap-register.js	Deleted — ncc-specific artifact that registered source maps at startup; no longer needed with rollup's native sourcemap support.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["src/index.ts"] -->|"rollup + plugin-typescript"| B["TypeScript transpilation"]
    B -->|"plugin-commonjs ignoreTryCatch:false"| C["CJS dependency interop"]
    C -->|"plugin-node-resolve preferBuiltins:true"| D["Node built-in resolution"]
    D -->|"plugin-json"| E["JSON imports resolved"]
    E -->|"plugin-license"| F["dist/licenses.txt"]
    E --> G["dist/index.js ESM bundle"]
    G --> H{"Root package.json type:module"}
    H -->|"Yes"| I["Node.js ESM mode"]
    I --> J["Action executes via node24"]

Loading

_{Reviews (8): Last reviewed commit: "[autofix.ci] apply automated fixes" | Re-trigger Greptile}

[gemini-code-assist]

Code Review

This pull request migrates the project's build system from @vercel/ncc to rollup to improve build configuration and dependency management. The changes include updating package.json dependencies, adding a rollup.config.ts file, and adjusting tsconfig.json settings. I have provided feedback regarding the redundancy of npx in npm scripts, the recommendation to explicitly mark Node.js built-ins as external in the Rollup configuration, and the need to restore license attribution previously handled by ncc.

[gemini-code-assist]

The use of npx inside npm scripts is redundant because npm run automatically adds ./node_modules/.bin to the PATH during execution. Removing it simplifies the command and slightly improves performance.

Suggested change

	"package": "npx rimraf ./dist && npx rollup --config rollup.config.ts --configPlugin @rollup/plugin-typescript",
	"package": "rimraf dist && rollup --config rollup.config.ts --configPlugin @rollup/plugin-typescript",

[gemini-code-assist]

For a Node.js bundle, it is recommended to explicitly mark Node.js built-in modules (like node:crypto, node:fs, etc.) as external. This prevents Rollup from attempting to resolve them or producing warnings about unresolved dependencies during the build process.

const config = {
  external: [/node:/],
  input: 'src/index.ts',

[gemini-code-assist]

The migration from @vercel/ncc to rollup removes the automatic generation of a licenses.txt file (which was previously included via the --license flag). For GitHub Actions that bundle third-party dependencies, it is a best practice (and often a legal requirement for MIT/Apache licenses) to include attribution for those dependencies. Consider adding a plugin like rollup-plugin-license to regenerate this artifact.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit f2de96e. Configure here.}