chore: update to modules (required for new @actions libraries) #595

Merged
kzantow merged 8 commits into main from dependabot/npm_and_yarn/actions/core-3.0.0
Mar 19, 2026

@dependabot dependabot bot commented on behalf of github Feb 5, 2026

Bumps @actions/core from 2.0.3 to 3.0.0.

Changelog

Sourced from @actions/core's changelog.

3.0.0

  • Breaking change: Package is now ESM-only
    • CommonJS consumers must use dynamic import() instead of require()

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added the dependencies, javascript and major labels Feb 5, 2026
Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 2.0.3 to 3.0.0.
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/actions/core-3.0.0 branch from 1b79433 to 3a10119 Compare February 11, 2026 21:45
@kzantow kzantow force-pushed the dependabot/npm_and_yarn/actions/core-3.0.0 branch from af8c5ee to a487e15 Compare February 25, 2026 19:38
kzantow added 3 commits March 12, 2026 19:25
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>

kzantow commented Mar 13, 2026

Test run of this branch on node 20: https://github.com/kzantow-anchore/scan-action-test/actions/runs/23052606364/job/66957379444

Make sure to read the comment below before reviewing 👇

installGrype,
};

if (require.main === module) {

@kzantow kzantow Mar 13, 2026

This is probably going to be a bit hard to review, it seems -- I moved the majority of the index.js to action.js because this hack was switching between "am I running in an actions context and should execute" or "am I just providing lib exports to tests". I moved the lib part to action.js and left the actions entry point in index.js. It's probably easiest to look at a diff of the original index.js and the action.js in this branch; it's below 👇

@kzantow kzantow Mar 13, 2026

This is the entire diff between those files:

diff --git a/index.js b/action.js
index 8682735..4258b27 100644
--- a/index.js
+++ b/action.js
@@ -1,20 +1,13 @@
-const tools = require("@actions/tool-cache");
-const core = require("@actions/core");
-const exec = require("@actions/exec");
-// lazy-require @actions/cache: it is ESM-only and cannot be resolved by
-// require() outside of the esbuild bundle. Deferring the require keeps
-// unbundled entry-points (helper scripts, tests) working.
-let _cache;
-function cache() {
-  if (!_cache) _cache = require("@actions/cache");
-  return _cache;
-}
-const fs = require("fs");
-const os = require("os");
-const path = require("path");
-const process = require("process");
-const stream = require("stream");
-const { GRYPE_VERSION } = require("./GrypeVersion");
+import * as tools from "@actions/tool-cache";
+import * as core from "@actions/core";
+import * as exec from "@actions/exec";
+import * as cache from "@actions/cache";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import process from "node:process";
+import stream from "node:stream";
+import { GRYPE_VERSION } from "./GrypeVersion.js";
 
 const grypeVersion = core.getInput("grype-version") || GRYPE_VERSION;
 const grypeExecutableName = isWindows() ? "grype.exe" : "grype";
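Review bot: The static `import * as cache from "@actions/cache"` at the top of action.js drops the lazy wrapper whose removed comment said it existed so that unbundled entry points (helper scripts, tests) keep working, so every importer of action.js now has to load as an ES module. Please confirm that package.json declares `"type": "module"` (or the files use `.mjs`), that the test runner is set up for ESM, and that `GrypeVersion.js` now provides `GRYPE_VERSION` as a named export, since none of that is visible in this diff. Also note that `grypeVersion` is still computed from `core.getInput("grype-version")` at module load, so importing action.js from a test reads the action inputs as a side effect; moving that read into a function would keep the library half free of import-time behaviour.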
@@ -219,7 +212,7 @@ async function updateDb(grypeCommand) {
 // attempts to get an up-to-date database and from cache or update it,
 // throws an exception if unable to get a database or use the cache
 async function updateDbWithCache(grypeCommand) {
-  if (!cache().isFeatureAvailable()) {
+  if (!cache.isFeatureAvailable()) {
     throw new Error("cache not available");
   }
 
@@ -230,7 +223,7 @@ async function updateDbWithCache(grypeCommand) {
   // available as expected
   // see: https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#matching-a-cache-key
   const cacheKey = `grype-db-${grypeVersion}`;
-  await cache().restoreCache([cacheDir], cacheKey, [], {}, true);
+  await cache.restoreCache([cacheDir], cacheKey, [], {}, true);
 
   const cachedDbBuildTime = await getDbBuildTime(grypeCommand);
   if (cachedDbBuildTime) {
@@ -255,7 +248,7 @@ async function updateDbWithCache(grypeCommand) {
   core.debug(`Caching grype db with key ${cacheKey}`);
 
   // this needs to be able to be found by restoreCache, above
-  await cache().saveCache([cacheDir], cacheKey, {}, true);
+  await cache.saveCache([cacheDir], cacheKey, {}, true);
 }
 
 async function runCommand(cmd, cmdArgs, env) {
@@ -347,7 +340,7 @@ async function runScan({
   onlyFixed = onlyFixed.toLowerCase() === "true";
   addCpesIfNone = addCpesIfNone.toLowerCase() === "true";
   byCve = byCve.toLowerCase() === "true";
-  cacheDb = cacheDb.toLowerCase() === "true" && cache().isFeatureAvailable();
+  cacheDb = cacheDb.toLowerCase() === "true" && cache.isFeatureAvailable();
 
   cmdArgs.push("-o", outputFormat);
 
@@ -460,32 +453,4 @@ async function runScan({
   return out;
 }
 
-module.exports = {
-  run,
-  runScan,
-  installGrype,
-};
-
-if (require.main === module) {
-  const entrypoint = core.getInput("run");
-  switch (entrypoint) {
-    case "download-grype": {
-      installGrype(grypeVersion).then(async (path) => {
-        core.info(`Downloaded Grype to: ${path}`);
-        core.setOutput("cmd", path);
-
-        // optionally restore, update and cache the db
-        if (
-          cache().isFeatureAvailable() &&
-          (core.getInput("cache-db") || "").toLowerCase() === "true"
-        ) {
-          await updateDbWithCache(path);
-        }
-      });
-      break;
-    }
-    default: {
-      run().then();
-    }
-  }
-}
+export { run, runScan, installGrype, grypeVersion, updateDbWithCache };
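Review bot: The removed `require.main === module` block at the end of this hunk carried the dispatch on `core.getInput("run")`, including the `download-grype` branch and its `cache-db` check, and the index.js that replaces it is not in this diff, so that logic cannot be checked here and should be reviewed alongside it. The old code called `installGrype(grypeVersion).then(...)` and `run().then()` with no rejection handler; in the new entry point, await both paths and report a rejection with `core.setFailed` (unless `run` already does so internally) so that a failed download or database update fails the step instead of surfacing as an unhandled rejection. `grypeVersion` and `updateDbWithCache` are added to the export list only to serve that entry point; if tests do not need them, a single exported function wrapping the download-grype path would keep the module's surface smaller.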

kzantow added 2 commits March 13, 2026 09:45
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow kzantow changed the title from "chore(deps): bump @actions/core from 2.0.3 to 3.0.0" to "chore: update to modules (required for new @actions libraries)" Mar 19, 2026
@kzantow kzantow merged commit 4e1eb5b into main Mar 19, 2026
32 checks passed
@kzantow kzantow deleted the dependabot/npm_and_yarn/actions/core-3.0.0 branch March 19, 2026 15:04