action-pinner 0.1.0

package/dist/src/pr.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pr.js","sourceRoot":"","sources":["../../src/pr.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAAE,SAAS,EAAkB,MAAM,YAAY,CAAC;AAEvD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAgE9C,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,EAC5C,MAAM,EACN,OAAO,EACP,UAAU,EACV,GAAG,GAAG,SAAS,EAAE,EACD;IAChB,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,MAAM,EAAE,CAAC;IACtC,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC;IACtC,MAAM,MAAM,GAAG,UAAU,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,YAAY,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IACvE,MAAM,aAAa,GAAG,0CAA0C,CAAC;IAEjE,MAAM,GAAG,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;IACtD,MAAM,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAEhC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,EACvC,MAAM,EACN,OAAO,EACP,MAAM,EACN,UAAU,EACV,aAAa,GAAG,0CAA0C,EAC1D,KAAK,EACL,GAAG,GAAG,SAAS,EAAE,EACjB,MAAM,EACN,UAAU,EACO;IACjB,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,sDAAsD;YACtD,4EAA4E,CAC7E,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,UAAU,IAAI,CAAC,MAAM,qBAAqB,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9D,MAAM,OAAO,GAAG,MAAM,IAAI,uBAAuB,CAAC,KAAK,CAAC,CAAC;IACzD,MAAM,WAAW,GAAG,MAAM,cAAc,EAAE,CAAC;IAC3C,MAAM,cAAc,GAAG,mBAAmB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAChE,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,CAAC,YAAY,EAAE;QACxD,MAAM;QACN,UAAU;QACV,aAAa;QACb,QAAQ,EAAE,cAAc,CAAC,OAAO,CAAC;QACjC,WAAW,EAAE,cAAc,CAAC,WAAW;QACvC,UAAU,EAAE,cAAc,CAAC,UAAU;QACrC,cAAc,EAAE,cAAc,CAAC,WAAW;KAC3C,CAAC,CAAC;IAEH,MAAM,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;IAEhD,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC;QAC7C,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,KAAK,EAAE,MAAM,CAAC,EAAE,CAAC,KAAK;QACtB,IAAI;QACJ,IAAI,EAAE,MAAM;QACZ,IAAI,EAAE,UAAU;KACjB,CAAC,CAAC;IAEH,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC;IAC5C,IAAI,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,MAAM,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC;YAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,YAAY,EAAE,WAAW;YACzB,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,MAAM;SACzB,CAAC,CAAC;IACL,CAAC;IAED,IAAI,MAAM,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,MAAM,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC;YAChC,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,YAAY,EAAE,WAAW;YACzB,SAAS,EAAE,MAAM,CAAC,EAAE,CAAC,SAAS;SAC/B,CAAC,CAAC;IACL,CAAC;IAED,IAAI,MAAM,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,MAAM,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC;YACnC,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,WAAW,EAAE,WAAW;YACxB,SAAS,EAAE,MAAM,CAAC,EAAE,CAAC,SAAS;SAC/B,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,MAAM,EAAE,WAAW;QACnB,OAAO,EAAE,WAAW,CAAC,IAAI,CAAC,QAAQ;KACnC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,OAAoB,EACpB,QAAQ,GAAG,wBAAwB,EACnC,mBAA+C,EAAE;IAEjD,MAAM,OAAO,GAAG,sBAAsB,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;IAClE,OAAO,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;AAClD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,GAAkC;IAElC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IAClE,MAAM,SAAS,GAAG,MAAM,EAAE,IAAI,CAAC,KAAK,IAAI,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC;IAE1D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IAED,OAAO,kBAAkB,CAAC,SAAS,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,sBAAsB,CAC7B,OAAoB,EACpB,gBAA4C;IAE5C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtF,MAAM,UAAU,GAAG,OAAO;SACvB,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE,CACjB,KAAK,CAAC,iBAAiB,CAAC,GAAG,CACzB,CAAC,SAAS,EAAE,EAAE,CAAC,KAAK,aAAa,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,GAAG,EAAE,CAC3F,CACF;SACA,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,MAAM,OAAO,GAAsB;QACjC,OAAO,EAAE,UAAU,sBAAsB,CAAC,OAAO,CAAC,+BAA+B,OAAO,CAAC,MAAM,WAAW;QAC1G,SAAS,EAAE,OAAO,CAAC,MAAM;QACzB,cAAc,EAAE,sBAAsB,CAAC,OAAO,CAAC;QAC/C,KAAK,EAAE,KAAK,IAAI,UAAU;QAC1B,UAAU,EAAE,UAAU,IAAI,UAAU;QACpC,QAAQ,EAAE,cAAc,CAAC,OAAO,CAAC;QACjC,MAAM,EAAE,EAAE;QACV,UAAU,EAAE,EAAE;QACd,aAAa,EAAE,EAAE;QACjB,WAAW,EAAE,EAAE;QACf,UAAU,EAAE,EAAE;QACd,cAAc,EAAE,EAAE;QAClB,GAAG,gBAAgB;KACpB,CAAC;IAEF,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB,EAAE,OAA0B;IAClE,OAAO,QAAQ,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACvD,MAAM,KAAK,GAAG,OAAO,CAAC,GAA8B,CAAC,CAAC;QACtD,OAAO,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,sBAAsB,CAAC,OAAoB;IAClD,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,GAAG,KAAK,CAAC,iBAAiB,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AACrF,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAa;IAC5C,OAAO,IAAI,OAAO,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAA8B,CAAC;AACnE,CAAC;AAED,SAAS,kBAAkB,CAAC,SAAiB;IAC3C,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC1E,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;IACnD,CAAC;IAED,MAAM,WAAW,GAAG,SAAS,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACtF,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;IACzD,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACpF,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;IACvD,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,kCAAkC,SAAS,EAAE,CAAC,CAAC;AACjE,CAAC;AAiBD,MAAM,wBAAwB,GAAG;IAC/B,YAAY;IACZ,EAAE;IACF,aAAa;IACb,EAAE;IACF,sBAAsB;IACtB,EAAE;IACF,WAAW;IACX,EAAE;IACF,uBAAuB;IACvB,EAAE;IACF,gBAAgB;IAChB,EAAE;IACF,aAAa;IACb,EAAE;IACF,cAAc;IACd,EAAE;IACF,oBAAoB;IACpB,EAAE;IACF,mCAAmC;IACnC,iCAAiC;IACjC,yCAAyC;IACzC,EAAE;IACF,WAAW;IACX,EAAE;IACF,gBAAgB;CACjB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC"}

package/dist/src/report.d.ts

@@ -0,0 +1,10 @@
+import type { FilePatch, PinEvidence, PinActionsConfig } from "./types.js";
+export interface RunFingerprint {
+    toolVersion: string;
+    configHash: string;
+    fingerprint: string;
+}
+export declare function buildRunFingerprint(config: PinActionsConfig, toolVersion: string): RunFingerprint;
+export declare function collectEvidence(patches: FilePatch[]): PinEvidence[];
+export declare function formatEvidence(patches: FilePatch[]): string;
+export declare function formatFingerprint(fingerprint: RunFingerprint): string;

package/dist/src/report.js

@@ -0,0 +1,54 @@
+import { createHash } from "node:crypto";
+import { toDisplayPath } from "./workflow-paths.js";
+export function buildRunFingerprint(config, toolVersion) {
+    const configHash = sha256(stableStringify(config));
+    const fingerprint = sha256(`${toolVersion}\n${configHash}`);
+    return {
+        toolVersion,
+        configHash,
+        fingerprint
+    };
+}
+export function collectEvidence(patches) {
+    const evidence = patches.flatMap((patch) => patch.evidence);
+    // Sort evidence by workflow path, line number, and ref for deterministic output
+    return evidence.sort((a, b) => {
+        const pathCmp = a.filePath.localeCompare(b.filePath);
+        if (pathCmp !== 0)
+            return pathCmp;
+        return a.line - b.line;
+    });
+}
+export function formatEvidence(patches) {
+    const evidence = collectEvidence(patches);
+    if (evidence.length === 0) {
+        return "- (none)";
+    }
+    return evidence.map(formatEvidenceEntry).join("\n");
+}
+export function formatFingerprint(fingerprint) {
+    return [
+        `- Tool version: \`${fingerprint.toolVersion}\``,
+        `- Config hash: \`${fingerprint.configHash}\``,
+        `- Run fingerprint: \`${fingerprint.fingerprint}\``
+    ].join("\n");
+}
+function formatEvidenceEntry(entry) {
+    return `- ${toDisplayPath(entry.filePath)}:${entry.line} ${entry.originalRef} -> ${entry.resolvedSha} (source=${entry.sourceRepo}, method=${entry.resolutionMethod}, resolvedAt=${entry.resolvedAt})`;
+}
+function stableStringify(value) {
+    if (Array.isArray(value)) {
+        return `[${value.map((item) => stableStringify(item)).join(",")}]`;
+    }
+    if (value && typeof value === "object") {
+        const entries = Object.entries(value)
+            .sort(([left], [right]) => left.localeCompare(right))
+            .map(([key, item]) => `${JSON.stringify(key)}:${stableStringify(item)}`);
+        return `{${entries.join(",")}}`;
+    }
+    return JSON.stringify(value);
+}
+function sha256(value) {
+    return createHash("sha256").update(value).digest("hex");
+}
+//# sourceMappingURL=report.js.map

package/dist/src/report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.js","sourceRoot":"","sources":["../../src/report.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAQpD,MAAM,UAAU,mBAAmB,CACjC,MAAwB,EACxB,WAAmB;IAEnB,MAAM,UAAU,GAAG,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC;IACnD,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,WAAW,KAAK,UAAU,EAAE,CAAC,CAAC;IAC5D,OAAO;QACL,WAAW;QACX,UAAU;QACV,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAoB;IAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC5D,gFAAgF;IAChF,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAC5B,MAAM,OAAO,GAAG,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACrD,IAAI,OAAO,KAAK,CAAC;YAAE,OAAO,OAAO,CAAC;QAClC,OAAO,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;IACzB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAoB;IACjD,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,OAAO,QAAQ,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,WAA2B;IAC3D,OAAO;QACL,qBAAqB,WAAW,CAAC,WAAW,IAAI;QAChD,oBAAoB,WAAW,CAAC,UAAU,IAAI;QAC9C,wBAAwB,WAAW,CAAC,WAAW,IAAI;KACpD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAkB;IAC7C,OAAO,KAAK,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,WAAW,OAAO,KAAK,CAAC,WAAW,YAAY,KAAK,CAAC,UAAU,YAAY,KAAK,CAAC,gBAAgB,gBAAgB,KAAK,CAAC,UAAU,GAAG,CAAC;AACxM,CAAC;AAED,SAAS,eAAe,CAAC,KAAc;IACrC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IACrE,CAAC;IAED,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC;aAC7D,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;aACpD,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3E,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IAClC,CAAC;IAED,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,MAAM,CAAC,KAAa;IAC3B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC"}

package/dist/src/resolver.d.ts

@@ -0,0 +1,44 @@
+import type { ActionReference, ResolutionResult } from "./types.js";
+export interface CommitLookupClient {
+    repos: {
+        getCommit: (args: {
+            owner: string;
+            repo: string;
+            ref: string;
+        }) => Promise<{
+            data: {
+                sha: string;
+            };
+        }>;
+    };
+}
+export interface ResolverOptions {
+    token?: string;
+    apiBaseUrl?: string;
+    useNetrc?: boolean;
+    verbose?: boolean;
+}
+export declare function normalizeGithubApiUrl(url?: string): string;
+export declare function buildResolutionKey(reference: Pick<ActionReference, "action" | "ref">): string;
+export declare class ActionResolver {
+    private octokit;
+    private readonly cache;
+    private readonly inFlight;
+    private readonly verbose;
+    private authMethod;
+    private readonly initPromise;
+    constructor(token?: string, client?: CommitLookupClient, options?: ResolverOptions);
+    private initNetrcAuth;
+    private getBaseUrl;
+    resolve(reference: ActionReference): Promise<ResolutionResult>;
+    private lookupCommit;
+    private isRetryable;
+    private getDelayMs;
+    private delay;
+    private getStatus;
+    private getCode;
+    private getHeader;
+    private isSecondaryRateLimit;
+}
+export { AmbiguousRefError, UnresolvedRefError } from "./types.js";
+export { applyNetrcAuth, redactNetrcAuth } from "./netrc-auth.js";

package/dist/src/resolver.js

@@ -0,0 +1,227 @@
+import { Octokit } from "@octokit/rest";
+import { UnresolvedRefError } from "./types.js";
+import { getNetrcCredentials } from "./netrc-auth.js";
+const MAX_ATTEMPTS = 4;
+const BASE_DELAY_MS = 1000;
+const MAX_DELAY_MS = 30_000;
+const SHA_PATTERN = /^[0-9a-f]{40}$/i;
+const RESOLUTION_METHOD = "repos.getCommit";
+export function normalizeGithubApiUrl(url) {
+    if (!url) {
+        return "https://api.github.com";
+    }
+    let normalized = url.trim().toLowerCase();
+    // Remove trailing slashes
+    normalized = normalized.replace(/\/+$/, "");
+    // Handle github.com special case
+    if (normalized === "https://github.com" || normalized === "github.com") {
+        return "https://api.github.com";
+    }
+    // If it's an enterprise URL without /api/v3, add it
+    // Extract the hostname to check precisely (avoid substring false matches like evil.api.github.com)
+    const hostname = normalized.replace(/^https?:\/\//, "").split("/")[0];
+    if (!normalized.includes("/api/v3") && hostname !== "api.github.com") {
+        normalized = `${normalized}/api/v3`;
+    }
+    // Ensure https://
+    if (!normalized.startsWith("https://")) {
+        normalized = `https://${normalized}`;
+    }
+    return normalized;
+}
+export function buildResolutionKey(reference) {
+    return `${reference.action}@${reference.ref}`;
+}
+export class ActionResolver {
+    octokit;
+    cache = new Map();
+    inFlight = new Map();
+    verbose;
+    authMethod;
+    initPromise;
+    constructor(token, client, options) {
+        this.verbose = options?.verbose ?? false;
+        this.authMethod = "anonymous";
+        if (client) {
+            this.octokit = client;
+            this.initPromise = Promise.resolve();
+        }
+        else {
+            const apiBaseUrl = normalizeGithubApiUrl(options?.apiBaseUrl);
+            if (token) {
+                this.octokit = new Octokit({ auth: token, baseUrl: apiBaseUrl });
+                this.authMethod = "token";
+                this.initPromise = Promise.resolve();
+            }
+            else if (options?.useNetrc) {
+                this.authMethod = "netrc";
+                // Placeholder until init resolves; initNetrcAuth will replace this with an authenticated client
+                this.octokit = new Octokit({ baseUrl: apiBaseUrl });
+                this.initPromise = this.initNetrcAuth(apiBaseUrl);
+            }
+            else {
+                this.octokit = new Octokit({ baseUrl: apiBaseUrl });
+                this.authMethod = "anonymous (rate-limited)";
+                this.initPromise = Promise.resolve();
+            }
+        }
+        if (this.verbose) {
+            console.log(`GitHub API base URL: ${this.getBaseUrl()}`);
+            console.log(`Authentication method: ${this.authMethod}`);
+        }
+    }
+    async initNetrcAuth(apiBaseUrl) {
+        const host = new URL(apiBaseUrl).hostname;
+        const creds = await getNetrcCredentials(host);
+        if (creds) {
+            this.octokit = new Octokit({
+                auth: `${creds.login}:${creds.password}`,
+                baseUrl: apiBaseUrl
+            });
+        }
+        else {
+            this.authMethod = "anonymous (rate-limited)";
+        }
+    }
+    getBaseUrl() {
+        const octokit = this.octokit;
+        return octokit.request?.endpoint?.baseUrl ?? "https://api.github.com";
+    }
+    async resolve(reference) {
+        await this.initPromise;
+        if (!reference.ref) {
+            throw new Error(`Cannot resolve missing ref for ${reference.raw}`);
+        }
+        if (reference.kind !== "tag-or-branch" || SHA_PATTERN.test(reference.ref)) {
+            throw new Error(`Cannot resolve non-resolvable ref for ${reference.raw}`);
+        }
+        const cacheKey = buildResolutionKey(reference);
+        const existing = this.cache.get(cacheKey);
+        if (existing) {
+            return existing;
+        }
+        const pending = this.inFlight.get(cacheKey);
+        if (pending) {
+            return pending;
+        }
+        const [owner, repo] = reference.action.split("/");
+        if (!owner || !repo) {
+            throw new Error(`Invalid action slug: ${reference.action}`);
+        }
+        const lookup = this.lookupCommit(owner, repo, reference.ref, cacheKey);
+        this.inFlight.set(cacheKey, lookup);
+        return lookup.finally(() => {
+            this.inFlight.delete(cacheKey);
+        });
+    }
+    async lookupCommit(owner, repo, ref, cacheKey) {
+        let lastError;
+        for (let attempt = 0; attempt < MAX_ATTEMPTS; attempt += 1) {
+            try {
+                const commit = await this.octokit.repos.getCommit({
+                    owner,
+                    repo,
+                    ref
+                });
+                const result = {
+                    original: `${owner}/${repo}@${ref}`,
+                    sha: commit.data.sha,
+                    comment: ref,
+                    sourceRepo: `${owner}/${repo}`,
+                    resolutionMethod: RESOLUTION_METHOD,
+                    resolvedAt: new Date().toISOString()
+                };
+                this.cache.set(cacheKey, result);
+                return result;
+            }
+            catch (error) {
+                lastError = error;
+                const status = this.getStatus(error);
+                // Handle authentication errors
+                if (status === 401) {
+                    const message = this.authMethod === "netrc"
+                        ? "Authentication failed with netrc credentials. Check machine entry in ~/.netrc"
+                        : "Invalid or expired token. Check PIN_ACTIONS_TOKEN or CLI --token";
+                    throw new Error(message);
+                }
+                if (attempt >= MAX_ATTEMPTS - 1 || !this.isRetryable(error)) {
+                    break;
+                }
+                await this.delay(this.getDelayMs(error, attempt));
+            }
+        }
+        throw new UnresolvedRefError(`${owner}/${repo}@${ref}`, MAX_ATTEMPTS, MAX_ATTEMPTS, lastError instanceof Error ? lastError.message : String(lastError));
+    }
+    isRetryable(error) {
+        const status = this.getStatus(error);
+        if (status === 429 || status === 502 || status === 503 || status === 504) {
+            return true;
+        }
+        if (status === 403 && this.isSecondaryRateLimit(error)) {
+            return true;
+        }
+        if (typeof status === "number" && status >= 500 && status <= 599) {
+            return true;
+        }
+        const code = this.getCode(error);
+        return code === "ECONNRESET" || code === "ETIMEDOUT" || code === "EAI_AGAIN";
+    }
+    getDelayMs(error, attempt) {
+        const retryAfter = this.getHeader(error, "retry-after");
+        if (retryAfter) {
+            const seconds = Number(retryAfter);
+            if (Number.isFinite(seconds) && seconds > 0) {
+                return Math.min(seconds * 1000, MAX_DELAY_MS);
+            }
+        }
+        const reset = this.getHeader(error, "x-ratelimit-reset");
+        if (reset) {
+            const resetAt = Number(reset) * 1000;
+            if (Number.isFinite(resetAt) && resetAt > Date.now()) {
+                return Math.min(resetAt - Date.now() + 250, MAX_DELAY_MS);
+            }
+        }
+        return Math.min(BASE_DELAY_MS * 2 ** attempt, MAX_DELAY_MS);
+    }
+    async delay(ms) {
+        await new Promise((resolve) => setTimeout(resolve, ms));
+    }
+    getStatus(error) {
+        if (!error || typeof error !== "object") {
+            return undefined;
+        }
+        const status = error.status;
+        return typeof status === "number" ? status : undefined;
+    }
+    getCode(error) {
+        if (!error || typeof error !== "object") {
+            return undefined;
+        }
+        const code = error.code;
+        return typeof code === "string" ? code : undefined;
+    }
+    getHeader(error, name) {
+        if (!error || typeof error !== "object") {
+            return undefined;
+        }
+        const headers = error.response
+            ?.headers;
+        const value = headers?.[name.toLowerCase()];
+        if (typeof value === "string") {
+            return value;
+        }
+        if (Array.isArray(value) && value.length > 0 && typeof value[0] === "string") {
+            return value[0];
+        }
+        return undefined;
+    }
+    isSecondaryRateLimit(error) {
+        if (!(error instanceof Error)) {
+            return false;
+        }
+        return /secondary rate limit/i.test(error.message);
+    }
+}
+export { AmbiguousRefError, UnresolvedRefError } from "./types.js";
+export { applyNetrcAuth, redactNetrcAuth } from "./netrc-auth.js";
+//# sourceMappingURL=resolver.js.map

package/dist/src/resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.js","sourceRoot":"","sources":["../../src/resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAExC,OAAO,EAAqB,kBAAkB,EAAE,MAAM,YAAY,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAmB,MAAM,iBAAiB,CAAC;AAmBvE,MAAM,YAAY,GAAG,CAAC,CAAC;AACvB,MAAM,aAAa,GAAG,IAAI,CAAC;AAC3B,MAAM,YAAY,GAAG,MAAM,CAAC;AAC5B,MAAM,WAAW,GAAG,iBAAiB,CAAC;AACtC,MAAM,iBAAiB,GAAG,iBAAiB,CAAC;AAE5C,MAAM,UAAU,qBAAqB,CAAC,GAAY;IAChD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,wBAAwB,CAAC;IAClC,CAAC;IAED,IAAI,UAAU,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAE1C,0BAA0B;IAC1B,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAE5C,iCAAiC;IACjC,IAAI,UAAU,KAAK,oBAAoB,IAAI,UAAU,KAAK,YAAY,EAAE,CAAC;QACvE,OAAO,wBAAwB,CAAC;IAClC,CAAC;IAED,oDAAoD;IACpD,mGAAmG;IACnG,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACtE,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,QAAQ,KAAK,gBAAgB,EAAE,CAAC;QACrE,UAAU,GAAG,GAAG,UAAU,SAAS,CAAC;IACtC,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACvC,UAAU,GAAG,WAAW,UAAU,EAAE,CAAC;IACvC,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,SAAkD;IACnF,OAAO,GAAG,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC,GAAG,EAAE,CAAC;AAChD,CAAC;AAED,MAAM,OAAO,cAAc;IACjB,OAAO,CAAqB;IACnB,KAAK,GAAG,IAAI,GAAG,EAA4B,CAAC;IAC5C,QAAQ,GAAG,IAAI,GAAG,EAAqC,CAAC;IACxD,OAAO,CAAU;IAC1B,UAAU,CAAS;IACV,WAAW,CAAgB;IAE5C,YAAmB,KAAc,EAAE,MAA2B,EAAE,OAAyB;QACvF,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,KAAK,CAAC;QACzC,IAAI,CAAC,UAAU,GAAG,WAAW,CAAC;QAE9B,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;YACtB,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,UAAU,GAAG,qBAAqB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YAE9D,IAAI,KAAK,EAAE,CAAC;gBACV,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,CAAuB,CAAC;gBACvF,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC;gBAC1B,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;YACvC,CAAC;iBAAM,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;gBAC7B,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC;gBAC1B,gGAAgG;gBAChG,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,CAAuB,CAAC;gBAC1E,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,CAAuB,CAAC;gBAC1E,IAAI,CAAC,UAAU,GAAG,0BAA0B,CAAC;gBAC7C,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;YACvC,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YACzD,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,UAAkB;QAC5C,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC9C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC;gBACzB,IAAI,EAAE,GAAG,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,QAAQ,EAAE;gBACxC,OAAO,EAAE,UAAU;aACpB,CAAuB,CAAC;QAC3B,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,UAAU,GAAG,0BAA0B,CAAC;QAC/C,CAAC;IACH,CAAC;IAEO,UAAU;QAChB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAuE,CAAC;QAC7F,OAAO,OAAO,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,IAAI,wBAAwB,CAAC;IACxE,CAAC;IAEM,KAAK,CAAC,OAAO,CAAC,SAA0B;QAC7C,MAAM,IAAI,CAAC,WAAW,CAAC;QACvB,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,kCAAkC,SAAS,CAAC,GAAG,EAAE,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,SAAS,CAAC,IAAI,KAAK,eAAe,IAAI,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1E,MAAM,IAAI,KAAK,CAAC,yCAAyC,SAAS,CAAC,GAAG,EAAE,CAAC,CAAC;QAC5E,CAAC;QAED,MAAM,QAAQ,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,QAAQ,CAAC;QAClB,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClD,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,wBAAwB,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9D,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,SAAS,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACvE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAEpC,OAAO,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE;YACzB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,KAAa,EACb,IAAY,EACZ,GAAW,EACX,QAAgB;QAEhB,IAAI,SAAkB,CAAC;QAEvB,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,YAAY,EAAE,OAAO,IAAI,CAAC,EAAE,CAAC;YAC3D,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC;oBAChD,KAAK;oBACL,IAAI;oBACJ,GAAG;iBACJ,CAAC,CAAC;gBAEH,MAAM,MAAM,GAAqB;oBAC/B,QAAQ,EAAE,GAAG,KAAK,IAAI,IAAI,IAAI,GAAG,EAAE;oBACnC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG;oBACpB,OAAO,EAAE,GAAG;oBACZ,UAAU,EAAE,GAAG,KAAK,IAAI,IAAI,EAAE;oBAC9B,gBAAgB,EAAE,iBAAiB;oBACnC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACrC,CAAC;gBACF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBACjC,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,SAAS,GAAG,KAAK,CAAC;gBAClB,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;gBAErC,+BAA+B;gBAC/B,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;oBACnB,MAAM,OAAO,GACX,IAAI,CAAC,UAAU,KAAK,OAAO;wBACzB,CAAC,CAAC,+EAA+E;wBACjF,CAAC,CAAC,kEAAkE,CAAC;oBACzE,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC;gBAC3B,CAAC;gBAED,IAAI,OAAO,IAAI,YAAY,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC5D,MAAM;gBACR,CAAC;gBAED,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QAED,MAAM,IAAI,kBAAkB,CAC1B,GAAG,KAAK,IAAI,IAAI,IAAI,GAAG,EAAE,EACzB,YAAY,EACZ,YAAY,EACZ,SAAS,YAAY,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CACnE,CAAC;IACJ,CAAC;IAEO,WAAW,CAAC,KAAc;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACrC,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;YACzE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,EAAE,CAAC;YACvD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,GAAG,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;YACjE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACjC,OAAO,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,CAAC;IAC/E,CAAC;IAEO,UAAU,CAAC,KAAc,EAAE,OAAe;QAChD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;QACxD,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC;YACnC,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;gBAC5C,OAAO,IAAI,CAAC,GAAG,CAAC,OAAO,GAAG,IAAI,EAAE,YAAY,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QACzD,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;YACrC,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACrD,OAAO,IAAI,CAAC,GAAG,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,EAAE,YAAY,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,GAAG,CAAC,aAAa,GAAG,CAAC,IAAI,OAAO,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC;IAEO,KAAK,CAAC,KAAK,CAAC,EAAU;QAC5B,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IAC1D,CAAC;IAEO,SAAS,CAAC,KAAc;QAC9B,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACxC,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,MAAM,GAAI,KAA8B,CAAC,MAAM,CAAC;QACtD,OAAO,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;IACzD,CAAC;IAEO,OAAO,CAAC,KAAc;QAC5B,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACxC,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,IAAI,GAAI,KAA4B,CAAC,IAAI,CAAC;QAChD,OAAO,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;IACrD,CAAC;IAEO,SAAS,CAAC,KAAc,EAAE,IAAY;QAC5C,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACxC,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,OAAO,GAAI,KAA8D,CAAC,QAAQ;YACtF,EAAE,OAAO,CAAC;QACZ,MAAM,KAAK,GAAG,OAAO,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAC5C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC7E,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,oBAAoB,CAAC,KAAc;QACzC,IAAI,CAAC,CAAC,KAAK,YAAY,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACrD,CAAC;CACF;AAED,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/src/scanner.d.ts

@@ -0,0 +1,8 @@
+import type { ActionReference, ScanResult } from "./types.js";
+export declare function scanWorkflows(includePatterns?: string[], cwd?: string, options?: {
+    excludePatterns?: string[];
+    includeActions?: string[];
+    excludeActions?: string[];
+}): Promise<ScanResult>;
+export declare function buildScanResult(references: ActionReference[], filesScanned: number): ScanResult;
+export declare function extractActionReferences(filePath: string, content: string): ActionReference[];

package/dist/src/scanner.js

@@ -0,0 +1,128 @@
+import { readFile } from "node:fs/promises";
+import fg from "fast-glob";
+import { matchesAnyPattern } from "./pattern-match.js";
+import { resolveWorkflowPatterns } from "./workflow-paths.js";
+const SHA_PATTERN = /^[0-9a-f]{40}$/i;
+export async function scanWorkflows(includePatterns = [], cwd = process.cwd(), options = {}) {
+    const files = await fg(resolveWorkflowPatterns(includePatterns), {
+        cwd,
+        absolute: true,
+        onlyFiles: true,
+        dot: true,
+        ignore: options.excludePatterns ?? []
+    });
+    const references = [];
+    // Sort files for deterministic traversal
+    const sortedFiles = files.sort();
+    for (const filePath of sortedFiles) {
+        const content = await readFile(filePath, "utf8");
+        references.push(...extractActionReferences(filePath, content));
+    }
+    const filteredReferences = references
+        .filter((reference) => {
+        if (options.includeActions &&
+            options.includeActions.length > 0 &&
+            !matchesActionPattern(reference.action, options.includeActions)) {
+            return false;
+        }
+        if (options.excludeActions &&
+            options.excludeActions.length > 0 &&
+            matchesActionPattern(reference.action, options.excludeActions)) {
+            return false;
+        }
+        return true;
+    });
+    return buildScanResult(filteredReferences, sortedFiles.length);
+}
+export function buildScanResult(references, filesScanned) {
+    // Sort references by file path and then by line number for deterministic output
+    const sortedReferences = references.sort((a, b) => {
+        const pathCmp = a.filePath.localeCompare(b.filePath);
+        if (pathCmp !== 0)
+            return pathCmp;
+        return a.line - b.line;
+    });
+    const unpinned = sortedReferences
+        .filter((r) => r.kind === "tag-or-branch")
+        .sort((a, b) => {
+        const pathCmp = a.filePath.localeCompare(b.filePath);
+        if (pathCmp !== 0)
+            return pathCmp;
+        return a.line - b.line;
+    });
+    return {
+        summary: {
+            filesScanned,
+            referencesFound: sortedReferences.length,
+            unpinnedFound: unpinned.length
+        },
+        references: sortedReferences,
+        unpinned
+    };
+}
+export function extractActionReferences(filePath, content) {
+    const lines = content.split(/\r?\n/);
+    const references = [];
+    for (let index = 0; index < lines.length; index += 1) {
+        const line = lines[index];
+        const match = line.match(/^\s*-?\s*uses:\s*(['"]?)([^'"#\s]+)\1/);
+        if (!match) {
+            continue;
+        }
+        const raw = match[2];
+        const parsed = parseActionRef(raw);
+        references.push({
+            filePath,
+            line: index + 1,
+            column: match[0].indexOf("uses:") + 1,
+            raw,
+            action: parsed.action,
+            ref: parsed.ref,
+            kind: classifyActionRef(raw, parsed.ref)
+        });
+    }
+    return references;
+}
+function matchesActionPattern(action, patterns) {
+    return patterns.some((pattern) => {
+        const normalizedPattern = pattern.trim();
+        if (!normalizedPattern) {
+            return false;
+        }
+        // If only a repository name is provided (e.g. "cache"), match against the repo segment.
+        const target = normalizedPattern.includes("/") ? action : action.split("/")[1] ?? action;
+        return matchesAnyPattern(target, [normalizedPattern], { caseInsensitive: true });
+    });
+}
+function parseActionRef(raw) {
+    if (raw.startsWith("docker://")) {
+        return { action: raw };
+    }
+    if (raw.startsWith("./")) {
+        return { action: raw };
+    }
+    const separator = raw.lastIndexOf("@");
+    if (separator === -1) {
+        return { action: raw };
+    }
+    return {
+        action: raw.slice(0, separator),
+        ref: raw.slice(separator + 1)
+    };
+}
+function classifyActionRef(raw, ref) {
+    if (raw.startsWith("docker://")) {
+        return "docker";
+    }
+    if (raw.startsWith("./")) {
+        return "local";
+    }
+    if (!raw.includes("@") || !ref) {
+        return "invalid";
+    }
+    if (SHA_PATTERN.test(ref)) {
+        return "pinned-sha";
+    }
+    return "tag-or-branch";
+}
+//# sourceMappingURL=scanner.js.map

package/dist/src/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../src/scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,MAAM,WAAW,CAAC;AAE3B,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AAE9D,MAAM,WAAW,GAAG,iBAAiB,CAAC;AAEtC,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,kBAA4B,EAAE,EAC9B,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,EACnB,UAII,EAAE;IAEN,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,uBAAuB,CAAC,eAAe,CAAC,EAAE;QAC/D,GAAG;QACH,QAAQ,EAAE,IAAI;QACd,SAAS,EAAE,IAAI;QACf,GAAG,EAAE,IAAI;QACT,MAAM,EAAE,OAAO,CAAC,eAAe,IAAI,EAAE;KACtC,CAAC,CAAC;IACH,MAAM,UAAU,GAAsB,EAAE,CAAC;IAEzC,yCAAyC;IACzC,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAEjC,KAAK,MAAM,QAAQ,IAAI,WAAW,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACjD,UAAU,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,kBAAkB,GAAG,UAAU;SACpC,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE;QACpB,IACE,OAAO,CAAC,cAAc;YACtB,OAAO,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;YACjC,CAAC,oBAAoB,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,cAAc,CAAC,EAC/D,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IACE,OAAO,CAAC,cAAc;YACtB,OAAO,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;YACjC,oBAAoB,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,cAAc,CAAC,EAC9D,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC,kBAAkB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,UAA6B,EAC7B,YAAoB;IAEpB,gFAAgF;IAChF,MAAM,gBAAgB,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAChD,MAAM,OAAO,GAAG,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACrD,IAAI,OAAO,KAAK,CAAC;YAAE,OAAO,OAAO,CAAC;QAClC,OAAO,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,gBAAgB;SAC9B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC;SACzC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACb,MAAM,OAAO,GAAG,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACrD,IAAI,OAAO,KAAK,CAAC;YAAE,OAAO,OAAO,CAAC;QAClC,OAAO,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;IACzB,CAAC,CAAC,CAAC;IAEL,OAAO;QACL,OAAO,EAAE;YACP,YAAY;YACZ,eAAe,EAAE,gBAAgB,CAAC,MAAM;YACxC,aAAa,EAAE,QAAQ,CAAC,MAAM;SAC/B;QACD,UAAU,EAAE,gBAAgB;QAC5B,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,QAAgB,EAChB,OAAe;IAEf,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACrC,MAAM,UAAU,GAAsB,EAAE,CAAC;IAEzC,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAClE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,SAAS;QACX,CAAC;QAED,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACrB,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;QACnC,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ;YACR,IAAI,EAAE,KAAK,GAAG,CAAC;YACf,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC;YACrC,GAAG;YACH,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,IAAI,EAAE,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC;SACzC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAc,EAAE,QAAkB;IAC9D,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;QAC/B,MAAM,iBAAiB,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QACzC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,OAAO,KAAK,CAAC;QACf,CAAC;QAED,wFAAwF;QACxF,MAAM,MAAM,GAAG,iBAAiB,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;QACzF,OAAO,iBAAiB,CAAC,MAAM,EAAE,CAAC,iBAAiB,CAAC,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IACzB,CAAC;IAED,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IACzB,CAAC;IAED,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,SAAS,KAAK,CAAC,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IACzB,CAAC;IAED,OAAO;QACL,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC;QAC/B,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;KAC9B,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW,EAAE,GAAY;IAClD,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;QAC/B,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC"}