action-pinner 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Jon Galloway and contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,406 @@
+# action-pinner
+
+Pin GitHub Actions refs like `@v4` or `@main` to immutable commit SHAs so your workflows are safer to review, harder to tamper with, and easier to reproduce. `action-pinner` scans workflow files, rewrites refs in place, enforces policy in CI, and can open a pull request with the changes.
+
+> **Node:** 20+    **License:** MIT
+
+## Why pin actions?
+
+- **Tags can move.** `@v4` and `@main` are mutable; a SHA is not.
+- **Supply chain risk goes down.** Pinning limits surprise changes from compromised or retagged releases.
+- **Builds become reproducible.** The same workflow definition resolves to the same code every time.
+- **Audits get easier.** SHA-based refs and exception metadata leave a clearer review trail.
+
+## Quick Start
+
+Install dependencies and build the CLI:
+
+```bash
+npm install
+npm run build
+```
+
+## Install
+
+Run directly without installing:
+
+```bash
+npx action-pinner scan
+npx action-pinner fix
+```
+
+Or install globally:
+
+```bash
+npm install -g action-pinner
+```
+
+Examples below use `action-pinner` on your PATH. From a local clone, you can also run `node dist/index.js <command>`.
+
+Scan for unpinned actions:
+
+```bash
+action-pinner scan
+```
+
+Rewrite workflow files in place:
+
+```bash
+action-pinner fix
+```
+
+Fail CI when unpinned refs are found:
+
+```bash
+action-pinner enforce
+```
+
+## CLI Commands
+
+### `scan`
+
+Find unpinned `uses:` refs without modifying files.
+
+```bash
+action-pinner scan
+action-pinner scan --path ".github/workflows"
+action-pinner scan --exclude-path ".github/workflows/legacy/**"
+action-pinner scan --include-action "actions/*" --exclude-action "actions/cache"
+action-pinner scan --github-org octo-org --include-repo "platform-*" --exclude-repo "*-archive"
+action-pinner scan --repo octo-org/service-a octo-org/service-b --json
+```
+
+Flags:
+
+- `--config <path>`: config file path (default: `.action-pinner.json`)
+- `--path <path...>`: workflow file, directory, or glob to scan
+- `--exclude-path <path...>`: workflow file, directory, or glob to skip
+- `--include-action <pattern...>`: only scan matching actions
+- `--exclude-action <pattern...>`: skip matching actions
+- `--repo <owner/repo...>`: explicit multi-repo targets
+- `--github-org <org>`: enumerate repositories from an organization
+- `--include-repo <pattern...>` / `--exclude-repo <pattern...>`: repo filters for org or explicit targets
+- `--json`: emit machine-readable JSON
+- `--token <token>`: GitHub token override
+- `--github-api-url <url>`: GitHub API base URL, including GHES
+- `--use-netrc`: read credentials from `.netrc` / `_netrc`
+
+### `fix`
+
+Resolve mutable refs to SHAs and update workflow files in place.
+
+```bash
+action-pinner fix
+action-pinner fix --dry-run
+action-pinner fix --path ".github/workflows/release.yml"
+action-pinner fix --continue-on-error --fail-on-ambiguous
+action-pinner fix --comment-format "pin@{ref}"
+```
+
+Flags:
+
+- `--dry-run`: preview changes without writing files
+- All `scan` flags except `--json`
+- `--continue-on-error`: skip unresolved refs instead of failing the run
+- `--fail-on-ambiguous`: fail if a ref resolves ambiguously
+- `--comment-format <template>`: customize pinned version comments with `{ref}`, `{action}`, and `{sha_short}` tokens
+
+### `enforce`
+
+Use policy mode for CI. `enforce` reports allowed refs, violations, invalid exceptions, and exits non-zero when policy fails.
+
+```bash
+action-pinner enforce
+action-pinner enforce --allow-action "actions/*"
+action-pinner enforce --exception "actions/upload-artifact@v3::**/legacy.yml"
+action-pinner enforce --json
+```
+
+Flags:
+
+- All `scan` flags
+- `--allow-action <pattern...>`: allowlist unpinned actions by pattern
+- `--exception <rule...>`: allow a specific exception using `<action>[@ref][::workflow-glob]`
+- `--continue-on-error`: continue when a ref cannot be resolved
+- `--fail-on-ambiguous`: fail if a ref resolves ambiguously
+
+### `pr`
+
+Pin refs, create a branch, and publish a pull request using the `pr` config block.
+
+```bash
+action-pinner pr
+action-pinner pr --path ".github/workflows"
+action-pinner pr --continue-on-error --fail-on-ambiguous
+action-pinner pr --comment-format "{ref}"
+```
+
+Flags:
+
+- All `scan` flags except `--json`
+- `--continue-on-error`: skip unresolved refs instead of failing the run
+- `--fail-on-ambiguous`: fail if a ref resolves ambiguously
+- `--comment-format <template>`: override the configured version comment template for this run
+
+### `dependabot-snippet`
+
+Generate a `github-actions` Dependabot snippet for pinned workflows.
+
+```bash
+action-pinner dependabot-snippet
+```
+
+## GitHub Action Usage
+
+Run `action-pinner` as a GitHub Action:
+
+```yaml
+- uses: jongalloway/action-pinner@v1
+  with:
+    mode: scan
+    config: .action-pinner.json
+```
+
+Use `enforce` to gate workflow changes in CI:
+
+```yaml
+name: enforce-pinned-actions
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  action-pinner:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: jongalloway/action-pinner@v1
+        with:
+          mode: enforce
+          config: .action-pinner.json
+```
+
+Action inputs:
+
+- `mode`: `scan`, `fix`, `enforce`, or `pr`
+- `config`: config file path
+- `path`, `exclude_path`, `include_action`, `exclude_action`
+- `allow_actions`, `exception_rules`
+- `json`
+
+## Pre-commit
+
+Use `action-pinner` as a [pre-commit](https://pre-commit.com/) hook to scan workflow changes before they land:
+
+```yaml
+# .pre-commit-config.yaml
+repos:
+  - repo: https://github.com/jongalloway/action-pinner
+    rev: v0.1.0
+    hooks:
+      - id: action-pinner-scan
+```
+
+Available hooks:
+
+- `action-pinner-scan`: runs `action-pinner scan` against `.github/workflows` and fails if unpinned refs are found.
+- `action-pinner-fix`: runs `action-pinner fix` against `.github/workflows` to auto-pin refs before commit.
+
+## Configuration
+
+Example `.action-pinner.json`:
+
+```json
+{
+  "$schema": "./schemas/action-pinner.schema.json",
+  "mode": "scan",
+  "include": [
+    ".github/workflows/**/*.yml",
+    ".github/workflows/**/*.yaml"
+  ],
+  "exclude": [
+    ".github/workflows/legacy/**"
+  ],
+  "repos": [
+    "octo-org/service-a",
+    "octo-org/service-b"
+  ],
+  "includeRepos": [
+    "platform-*"
+  ],
+  "excludeRepos": [
+    "*-archive"
+  ],
+  "excludeActions": [
+    "actions/cache"
+  ],
+  "org": {
+    "name": "octo-org",
+    "includePrivate": true,
+    "includeArchived": false
+  },
+  "enforcement": {
+    "enabled": true,
+    "failOnUnpinned": true,
+    "allowActions": [
+      "actions/*",
+      "github/codeql-action"
+    ],
+    "exceptions": [
+      {
+        "action": "actions/upload-artifact",
+        "ref": "v3",
+        "workflow": "**/legacy.yml",
+        "reason": "Temporary migration exception",
+        "expiresAt": "2026-12-31"
+      }
+    ]
+  },
+  "pr": {
+    "create": true,
+    "branchPrefix": "chore/action-pinner",
+    "title": "Pin GitHub Actions to commit SHAs",
+    "labels": [
+      "security",
+      "dependencies"
+    ],
+    "reviewers": [
+      "octocat"
+    ],
+    "assignees": [
+      "hubot"
+    ]
+  },
+  "dependabot": {
+    "addVersionComments": true,
+    "commentFormat": "{ref}",
+    "generateConfigSnippet": false
+  },
+  "githubApiUrl": "https://enterprise.example.com/api/v3",
+  "useNetrc": false
+}
+```
+
+Notes:
+
+- CLI flags override config values.
+- `reason` and `expiresAt` make exceptions easier to review and clean up.
+- `pr.create: false` creates the branch and commit without publishing a PR.
+- `dependabot.commentFormat` supports `{ref}`, `{action}`, and `{sha_short}` tokens. Use `""` for no version comment, or set `dependabot.addVersionComments: false` to suppress comments entirely.
+
+## Authentication
+
+Authentication precedence:
+
+| Priority | Source |
+| --- | --- |
+| 1 | `--token <token>` |
+| 2 | `PIN_ACTIONS_TOKEN` |
+| 3 | `.netrc` / `_netrc` when `--use-netrc` is enabled |
+| 4 | `GITHUB_TOKEN` |
+| 5 | Anonymous GitHub API access |
+
+Examples:
+
+```bash
+action-pinner scan --token ghp_xxx
+action-pinner scan --use-netrc
+action-pinner scan --github-api-url https://enterprise.example.com/api/v3
+```
+
+For GitHub Enterprise Server, set `--github-api-url` or `githubApiUrl` in config. See [docs/ENTERPRISE.md](./docs/ENTERPRISE.md).
+
+## Multi-Repo and Org Scanning
+
+Scan explicit repositories:
+
+```bash
+action-pinner scan --repo octo-org/service-a octo-org/service-b
+```
+
+Discover repositories from an organization, then narrow the set:
+
+```bash
+action-pinner scan --github-org octo-org --include-repo "platform-*" --exclude-repo "*-archive"
+```
+
+Target a subset of workflow files across selected repos:
+
+```bash
+action-pinner scan --github-org octo-org --path ".github/workflows/**" --exclude-path "**/legacy/**"
+```
+
+For user-owned repositories, pass explicit `--repo owner/repo` values.
+
+## Enforcement Allowlists and Exceptions
+
+Allowlist broad cases:
+
+```bash
+action-pinner enforce --allow-action "actions/*"
+```
+
+Add a narrow CLI exception:
+
+```bash
+action-pinner enforce --exception "actions/upload-artifact@v3::**/legacy.yml"
+```
+
+Config-driven exceptions are better for review history:
+
+```json
+{
+  "enforcement": {
+    "failOnUnpinned": true,
+    "allowActions": ["actions/*"],
+    "exceptions": [
+      {
+        "action": "actions/upload-artifact",
+        "ref": "v3",
+        "workflow": "**/legacy.yml",
+        "reason": "Legacy workflow still migrating",
+        "expiresAt": "2026-12-31"
+      }
+    ]
+  }
+}
+```
+
+Rules:
+
+- `allowActions` is pattern-based and broad.
+- `exceptions` are specific and auditable.
+- Expired or malformed exceptions fail closed.
+
+## Security
+
+- **Fail closed:** unresolved refs, invalid exceptions, and policy violations fail enforcement by default.
+- **Token safe:** tokens are redacted from logs; use the smallest possible scopes.
+- **Deterministic output:** scans, rewrites, and fingerprints are stable on the same input.
+
+See [SECURITY.md](./SECURITY.md) for the security policy and [docs/ENTERPRISE.md](./docs/ENTERPRISE.md) for GHES guidance.
+
+## Acknowledgments
+
+This project was inspired by [mheap/pin-github-action](https://github.com/mheap/pin-github-action), which pioneered the idea of pinning GitHub Actions to commit SHAs. `action-pinner` is a completely new implementation built from scratch using modern Node.js and the GitHub REST API, designed to address long-standing community requests including:
+
+- [Enterprise GitHub support](https://github.com/mheap/pin-github-action/issues/169)
+- [Support netrc auth](https://github.com/mheap/pin-github-action/issues/168)
+- [Published as a GitHub Action](https://github.com/mheap/pin-github-action/issues/141)
+- [Default to `.github/workflows/`](https://github.com/mheap/pin-github-action/issues/201)
+
+Thank you to [@mheap](https://github.com/mheap) and the contributors to that project for the inspiration.
+
+## Contributing
+
+Clone the repo, install dependencies, and run:
+
+```bash
+npm test
+npm run lint
+npm run build
+```
+
+Open an issue or PR at [github.com/jongalloway/action-pinner/issues](https://github.com/jongalloway/action-pinner/issues).

package/action.yml

@@ -0,0 +1,53 @@
+name: "action-pinner"
+description: "Scan and pin unpinned GitHub Actions references to commit SHAs."
+author: "action-pinner contributors"
+inputs:
+  mode:
+    description: "Mode to run (scan|fix|enforce|pr)"
+    required: false
+    default: "scan"
+  config:
+    description: "Path to .action-pinner.json"
+    required: false
+    default: ".action-pinner.json"
+  path:
+    description: "Workflow file, directory, or glob to scan"
+    required: false
+  exclude_path:
+    description: "Workflow file, directory, or glob to exclude"
+    required: false
+  include_action:
+    description: "Comma-separated or newline-delimited action patterns to include"
+    required: false
+  exclude_action:
+    description: "Comma-separated or newline-delimited action patterns to exclude"
+    required: false
+  allow_actions:
+    description: "Comma-separated or newline-delimited enforcement allowlist patterns"
+    required: false
+  exception_rules:
+    description: "Comma-separated or newline-delimited enforcement exception rules (<action>[@ref][::workflow-glob])"
+    required: false
+  json:
+    description: "Emit JSON output"
+    required: false
+    default: "false"
+outputs:
+  compliant:
+    description: "Whether enforcement completed without violations or invalid exceptions"
+  allowed_count:
+    description: "Number of unpinned refs allowed by allowlists or exceptions"
+  violation_count:
+    description: "Number of violating unpinned refs"
+  invalid_exception_count:
+    description: "Number of malformed or expired exceptions"
+  fingerprint:
+    description: "Deterministic run fingerprint"
+  config_hash:
+    description: "Deterministic config hash"
+branding:
+  icon: "lock"
+  color: "blue"
+runs:
+  using: "node20"
+  main: "dist/index.js"

package/dist/index.d.ts

@@ -0,0 +1 @@
+import "./src/index.js";

package/dist/index.js

@@ -0,0 +1,2 @@
+import "./src/index.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA,OAAO,gBAAgB,CAAC"}

package/dist/src/action-mode.d.ts

@@ -0,0 +1 @@
+export declare function runActionMode(): Promise<void>;

package/dist/src/action-mode.js

@@ -0,0 +1,109 @@
+import { appendFile } from "node:fs/promises";
+import { loadConfig } from "./config.js";
+import { evaluateEnforcement } from "./enforcement.js";
+import { buildRunFingerprint } from "./report.js";
+import { scanWorkflows } from "./scanner.js";
+import { getToolVersion } from "./version.js";
+import { resolveWorkflowPatterns } from "./workflow-paths.js";
+import { runCli } from "./cli.js";
+export async function runActionMode() {
+    const mode = process.env.INPUT_MODE ?? "scan";
+    const configPath = process.env.INPUT_CONFIG ?? ".action-pinner.json";
+    const args = buildCliArgs(mode, configPath);
+    await runCli(args);
+    if (mode === "enforce") {
+        await writeEnforcementOutputs(configPath);
+    }
+}
+function buildCliArgs(mode, configPath) {
+    const args = [mode, "--config", configPath];
+    appendListFlag(args, "--path", parseListInput(process.env.INPUT_PATH));
+    appendListFlag(args, "--exclude-path", parseListInput(process.env.INPUT_EXCLUDE_PATH));
+    appendListFlag(args, "--include-action", parseListInput(process.env.INPUT_INCLUDE_ACTION));
+    appendListFlag(args, "--exclude-action", parseListInput(process.env.INPUT_EXCLUDE_ACTION));
+    if (mode === "enforce") {
+        appendListFlag(args, "--allow-action", parseListInput(process.env.INPUT_ALLOW_ACTIONS));
+        appendListFlag(args, "--exception", parseListInput(process.env.INPUT_EXCEPTION_RULES));
+    }
+    if (parseBooleanInput(process.env.INPUT_JSON)) {
+        args.push("--json");
+    }
+    return args;
+}
+async function writeEnforcementOutputs(configPath) {
+    const outputPath = process.env.GITHUB_OUTPUT;
+    if (!outputPath) {
+        return;
+    }
+    const config = await loadConfig(configPath);
+    const include = resolveWorkflowPatterns(parseListInput(process.env.INPUT_PATH) || config.include);
+    const excludeInput = parseListInput(process.env.INPUT_EXCLUDE_PATH) ?? config.exclude;
+    const exclude = excludeInput.length > 0 ? resolveWorkflowPatterns(excludeInput) : [];
+    const includeActions = parseListInput(process.env.INPUT_INCLUDE_ACTION) ?? [];
+    const excludeActions = parseListInput(process.env.INPUT_EXCLUDE_ACTION) ?? config.excludeActions;
+    const allowActions = parseListInput(process.env.INPUT_ALLOW_ACTIONS) ?? config.enforcement.allowActions;
+    const exceptions = [
+        ...config.enforcement.exceptions,
+        ...parseExceptionRules(parseListInput(process.env.INPUT_EXCEPTION_RULES))
+    ];
+    const result = evaluateEnforcement(await scanWorkflows(include, process.cwd(), {
+        excludePatterns: exclude,
+        includeActions,
+        excludeActions
+    }), {
+        allowActions,
+        exceptions
+    });
+    const fingerprint = buildRunFingerprint(config, await getToolVersion());
+    const lines = [
+        `compliant=${result.compliant}`,
+        `allowed_count=${result.summary.allowedCount}`,
+        `violation_count=${result.summary.violationCount}`,
+        `invalid_exception_count=${result.summary.invalidExceptionCount}`,
+        `fingerprint=${fingerprint.fingerprint}`,
+        `config_hash=${fingerprint.configHash}`
+    ];
+    await appendFile(outputPath, `${lines.join("\n")}\n`, "utf8");
+}
+function appendListFlag(args, flag, values) {
+    if (!values || values.length === 0) {
+        return;
+    }
+    args.push(flag, ...values);
+}
+function parseListInput(value) {
+    if (!value) {
+        return undefined;
+    }
+    const normalized = value.replace(/\r/g, "\n").trim();
+    if (!normalized) {
+        return undefined;
+    }
+    const separator = normalized.includes("\n") ? /\n+/ : /,/;
+    const values = normalized
+        .split(separator)
+        .map((entry) => entry.trim())
+        .filter(Boolean);
+    return values.length > 0 ? values : undefined;
+}
+function parseBooleanInput(value) {
+    return value?.trim().toLowerCase() === "true";
+}
+function parseExceptionRules(values) {
+    if (!values || values.length === 0) {
+        return [];
+    }
+    return values.map((rawRule) => {
+        const [actionAndRef, workflow] = rawRule.split("::", 2);
+        const [action, ref] = actionAndRef.split("@", 2);
+        if (!action) {
+            throw new Error(`Invalid enforcement exception rule '${rawRule}'. Expected <action>[@ref][::workflow-glob].`);
+        }
+        return {
+            action,
+            ref: ref || undefined,
+            workflow: workflow || undefined
+        };
+    });
+}
+//# sourceMappingURL=action-mode.js.map

package/dist/src/action-mode.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-mode.js","sourceRoot":"","sources":["../../src/action-mode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AAC9D,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAElC,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,MAAM,CAAC;IAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,qBAAqB,CAAC;IACrE,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAE5C,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAEnB,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,uBAAuB,CAAC,UAAU,CAAC,CAAC;IAC5C,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,IAAY,EAAE,UAAkB;IACpD,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;IAE5C,cAAc,CAAC,IAAI,EAAE,QAAQ,EAAE,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;IACvE,cAAc,CAAC,IAAI,EAAE,gBAAgB,EAAE,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACvF,cAAc,CAAC,IAAI,EAAE,kBAAkB,EAAE,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAC3F,cAAc,CAAC,IAAI,EAAE,kBAAkB,EAAE,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAE3F,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,cAAc,CAAC,IAAI,EAAE,gBAAgB,EAAE,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC;QACxF,cAAc,CAAC,IAAI,EAAE,aAAa,EAAE,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;IACzF,CAAC;IAED,IAAI,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9C,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,uBAAuB,CAAC,UAAkB;IACvD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,UAAU,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,uBAAuB,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC;IAClG,MAAM,YAAY,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC;IACtF,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,uBAAuB,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACrF,MAAM,cAAc,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,EAAE,CAAC;IAC9E,MAAM,cAAc,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,MAAM,CAAC,cAAc,CAAC;IACjG,MAAM,YAAY,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC,YAAY,CAAC;IACxG,MAAM,UAAU,GAAG;QACjB,GAAG,MAAM,CAAC,WAAW,CAAC,UAAU;QAChC,GAAG,mBAAmB,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;KAC1E,CAAC;IAEF,MAAM,MAAM,GAAG,mBAAmB,CAChC,MAAM,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE;QAC1C,eAAe,EAAE,OAAO;QACxB,cAAc;QACd,cAAc;KACf,CAAC,EACF;QACE,YAAY;QACZ,UAAU;KACX,CACF,CAAC;IACF,MAAM,WAAW,GAAG,mBAAmB,CAAC,MAAM,EAAE,MAAM,cAAc,EAAE,CAAC,CAAC;IAExE,MAAM,KAAK,GAAG;QACZ,aAAa,MAAM,CAAC,SAAS,EAAE;QAC/B,iBAAiB,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE;QAC9C,mBAAmB,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE;QAClD,2BAA2B,MAAM,CAAC,OAAO,CAAC,qBAAqB,EAAE;QACjE,eAAe,WAAW,CAAC,WAAW,EAAE;QACxC,eAAe,WAAW,CAAC,UAAU,EAAE;KACxC,CAAC;IAEF,MAAM,UAAU,CAAC,UAAU,EAAE,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAChE,CAAC;AAED,SAAS,cAAc,CAAC,IAAc,EAAE,IAAY,EAAE,MAAiB;IACrE,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,OAAO;IACT,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,MAAM,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;IACrD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC;IAC1D,MAAM,MAAM,GAAG,UAAU;SACtB,KAAK,CAAC,SAAS,CAAC;SAChB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,OAAO,CAAC,CAAC;IAEnB,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;AAChD,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,OAAO,KAAK,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC;AAChD,CAAC;AAED,SAAS,mBAAmB,CAAC,MAA4B;IACvD,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;QAC5B,MAAM,CAAC,YAAY,EAAE,QAAQ,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QACxD,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,uCAAuC,OAAO,8CAA8C,CAAC,CAAC;QAChH,CAAC;QAED,OAAO;YACL,MAAM;YACN,GAAG,EAAE,GAAG,IAAI,SAAS;YACrB,QAAQ,EAAE,QAAQ,IAAI,SAAS;SAChC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/src/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export declare function runCli(argv?: string[]): Promise<void>;