actions-up 0.0.1 → 1.0.0

package/bin/actions-up.js

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+
+import { run } from '../dist/cli/index.js'
+
+run()

package/dist/cli/index.d.ts

@@ -0,0 +1,2 @@
+/** Run the CLI. */
+export declare function run(): void;

package/dist/cli/index.js

@@ -0,0 +1,67 @@
+import { promptUpdateSelection } from "../core/interactive/prompt-update-selection.js";
+import { applyUpdates } from "../core/ast/update/apply-updates.js";
+import { checkUpdates } from "../core/api/check-updates.js";
+import { scanGitHubActions } from "../core/scan-github-actions.js";
+import "../core/index.js";
+import { version } from "../package.js";
+import { createSpinner } from "nanospinner";
+import "node:worker_threads";
+import pc from "picocolors";
+import cac from "cac";
+function run() {
+	let cli = cac("actions-up");
+	cli.help().version(version).option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (options) => {
+		console.info(pc.cyan("\n🚀 Actions Up!\n"));
+		let spinner = createSpinner("Scanning GitHub Actions...").start();
+		try {
+			let scanResult = await scanGitHubActions(process.cwd());
+			let totalActions = scanResult.actions.length;
+			let totalWorkflows = scanResult.workflows.size;
+			let totalCompositeActions = scanResult.compositeActions.size;
+			spinner.success(`Found ${pc.yellow(totalActions)} actions in ${pc.yellow(totalWorkflows)} workflows and ${pc.yellow(totalCompositeActions)} composite actions`);
+			if (totalActions === 0) {
+				console.info(pc.green("\n✨ No GitHub Actions found in this repository"));
+				return;
+			}
+			spinner = createSpinner("Checking for updates...").start();
+			let updates = await checkUpdates(scanResult.actions, process.env["GITHUB_TOKEN"]);
+			let outdated = updates.filter((update) => update.hasUpdate);
+			let breaking = outdated.filter((update) => update.isBreaking);
+			if (outdated.length === 0) {
+				spinner.success("All actions are up to date!");
+				console.info(pc.green("\n✨ Everything is already at the latest version!\n"));
+				return;
+			}
+			spinner.success(`Found ${pc.yellow(outdated.length)} updates available${breaking.length > 0 ? ` (${pc.red(breaking.length)} breaking)` : ""}`);
+			if (options.yes) {
+				let toUpdate = outdated.filter((update) => update.latestSha);
+				if (toUpdate.length === 0) {
+					console.info(pc.yellow("\n⚠️ No actions with SHA available for update\n"));
+					return;
+				}
+				console.info(pc.yellow(`\n🔄 Updating ${toUpdate.length} actions...\n`));
+				await applyUpdates(toUpdate);
+				console.info(pc.green("\n✓ Updates applied successfully!"));
+			} else {
+				let selected = await promptUpdateSelection(updates);
+				if (!selected || selected.length === 0) {
+					console.info(pc.gray("\nNo updates applied"));
+					return;
+				}
+				console.info(pc.yellow(`\n🔄 Updating ${selected.length} selected actions...\n`));
+				await applyUpdates(selected);
+				console.info(pc.green("\n✓ Updates applied successfully!"));
+			}
+		} catch (error) {
+			spinner.error("Failed");
+			if (error instanceof Error && error.name === "GitHubRateLimitError") {
+				console.error(pc.yellow("\n⚠️ Rate Limit Exceeded\n"));
+				console.error(error.message);
+				console.error(pc.gray("\nExample: GITHUB_TOKEN=ghp_xxxx actions-up\n"));
+			} else console.error(pc.red("\nError:"), error instanceof Error ? error.message : String(error));
+			process.exit(1);
+		}
+	});
+	cli.parse();
+}
+export { run };

package/dist/core/api/check-updates.d.ts

@@ -0,0 +1,10 @@
+import { GitHubAction } from '../../types/github-action';
+import { ActionUpdate } from '../../types/action-update';
+/**
+ * Check for updates for GitHub Actions.
+ *
+ * @param actions - Array of GitHub Actions to check.
+ * @param token - Optional GitHub token for authentication.
+ * @returns Array of update information.
+ */
+export declare function checkUpdates(actions: GitHubAction[], token?: string): Promise<ActionUpdate[]>;

package/dist/core/api/check-updates.js

@@ -0,0 +1,139 @@
+import { Client } from "./client.js";
+import semver from "semver";
+async function checkUpdates(actions, token) {
+	let client = new Client(token);
+	let externalActions = actions.filter((action) => action.type === "external");
+	if (externalActions.length === 0) return [];
+	let uniqueActions = /* @__PURE__ */ new Map();
+	for (let action of externalActions) {
+		let group = uniqueActions.get(action.name) ?? [];
+		group.push(action);
+		uniqueActions.set(action.name, group);
+	}
+	let sharedState = {
+		rateLimitError: null,
+		rateLimitHit: false
+	};
+	let releaseResults = await [...uniqueActions.keys()].reduce((promise, actionName) => promise.then(async (results) => {
+		if (sharedState.rateLimitHit) return [...results, {
+			version: null,
+			actionName,
+			sha: null
+		}];
+		let [owner, repo] = actionName.split("/");
+		if (!owner || !repo) return [...results, {
+			version: null,
+			actionName,
+			sha: null
+		}];
+		try {
+			let release = await client.getLatestRelease(owner, repo);
+			if (!release) {
+				let allReleases = await client.getAllReleases(owner, repo, 10);
+				let stableRelease = allReleases.find((currentRelease) => !currentRelease.isPrerelease);
+				release = stableRelease ?? allReleases[0] ?? null;
+			}
+			if (release) {
+				let { version, sha } = release;
+				if (!sha) try {
+					let tagInfo = await client.getTagInfo(owner, repo, version);
+					sha = tagInfo?.sha ?? null;
+				} catch {}
+				return [...results, {
+					actionName,
+					version,
+					sha
+				}];
+			}
+			return [...results, {
+				version: null,
+				actionName,
+				sha: null
+			}];
+		} catch (error) {
+			if (error instanceof Error && error.name === "GitHubRateLimitError") {
+				sharedState.rateLimitHit = true;
+				sharedState.rateLimitError = error;
+				return [...results, {
+					version: null,
+					actionName,
+					sha: null
+				}];
+			}
+			console.warn(`Failed to check ${actionName}:`, error);
+			return [...results, {
+				version: null,
+				actionName,
+				sha: null
+			}];
+		}
+	}), Promise.resolve([]));
+	if (sharedState.rateLimitError) {
+		let error = /* @__PURE__ */ new Error("GitHub API rate limit exceeded. Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#with-github-token");
+		error.name = "GitHubRateLimitError";
+		throw error;
+	}
+	let cache = /* @__PURE__ */ new Map();
+	for (let result of releaseResults) cache.set(result.actionName, {
+		version: result.version,
+		sha: result.sha
+	});
+	let updates = [];
+	for (let action of externalActions) {
+		let cached = cache.get(action.name);
+		if (cached) updates.push(createUpdate(action, cached.version, cached.sha));
+		else updates.push(createUpdate(action, null, null));
+	}
+	return updates;
+}
+function createUpdate(action, latestVersion, latestSha) {
+	let currentVersion = normalizeVersion(action.version ?? "");
+	let normalized = latestVersion ? normalizeVersion(latestVersion) : null;
+	let hasUpdate = false;
+	let isBreaking = false;
+	if (currentVersion && isSha(currentVersion)) {
+		if (latestSha) hasUpdate = !compareSha(currentVersion, latestSha);
+		else if (normalized) hasUpdate = true;
+	} else if (currentVersion && normalized) {
+		let current = semver.valid(currentVersion);
+		let latest = semver.valid(normalized);
+		if (current && latest) {
+			hasUpdate = semver.lt(current, latest);
+			if (hasUpdate) {
+				let currentMajor = semver.major(current);
+				let latestMajor = semver.major(latest);
+				isBreaking = latestMajor > currentMajor;
+			}
+		} else if (currentVersion !== normalized) hasUpdate = true;
+	}
+	return {
+		currentVersion: action.version ?? "unknown",
+		latestVersion,
+		isBreaking,
+		latestSha,
+		hasUpdate,
+		action
+	};
+}
+function compareSha(sha1, sha2) {
+	if (!sha1 || !sha2) return false;
+	let normalized1 = sha1.replace(/^v/u, "");
+	let normalized2 = sha2.replace(/^v/u, "");
+	let minLength = Math.min(normalized1.length, normalized2.length);
+	if (minLength < 7) return false;
+	return normalized1.slice(0, Math.max(0, minLength)).toLowerCase() === normalized2.slice(0, Math.max(0, minLength)).toLowerCase();
+}
+function normalizeVersion(version) {
+	if (!version) return null;
+	let normalized = version.replace(/^v/u, "");
+	if (/^[0-9a-f]{7,40}$/iu.test(normalized)) return version;
+	let coerced = semver.coerce(normalized);
+	if (coerced) return coerced.version;
+	return version;
+}
+function isSha(value) {
+	if (!value) return false;
+	let normalized = value.replace(/^v/u, "");
+	return /^[0-9a-f]{7,40}$/iu.test(normalized);
+}
+export { checkUpdates };

package/dist/core/api/client.d.ts

@@ -0,0 +1,79 @@
+/** Processed release information with normalized types. */
+interface ReleaseInfo {
+    /** Release description or null if not provided. */
+    description: string | null;
+    /** Whether this release is marked as a pre-release. */
+    isPrerelease: boolean;
+    /** Git commit SHA for this release. */
+    sha: string | null;
+    /** Date when the release was published. */
+    publishedAt: Date;
+    /** Version tag name (e.g., 'v1.2.3'). */
+    version: string;
+    /** Release name or tag name if name not provided. */
+    name: string;
+    /** GitHub URL for this release. */
+    url: string;
+}
+/** Processed tag information with normalized types. */
+interface TagInfo {
+    /** Tag or commit message, null if not provided. */
+    message: string | null;
+    /** Date when the tag was created or committed. */
+    date: Date | null;
+    /** Tag name (e.g., 'v1.2.3'). */
+    tag: string;
+    /** Git commit SHA that this tag points to. */
+    sha: string;
+}
+/** GitHub GraphQL client with optional authentication. */
+export declare class Client {
+    private readonly graphqlWithAuth;
+    private rateLimitRemaining;
+    private rateLimitReset;
+    /**
+     * Creates a new GitHub API client.
+     *
+     * @param token - Optional GitHub token for authentication.
+     */
+    constructor(token?: string);
+    private static isRateLimitError;
+    /**
+     * Get specific tag/version information.
+     *
+     * @param owner - The repository owner.
+     * @param repo - The repository name.
+     * @param tag - The tag name to fetch.
+     * @returns Tag information or null if not found.
+     */
+    getTagInfo(owner: string, repo: string, tag: string): Promise<TagInfo | null>;
+    /**
+     * Get all releases for a repository.
+     *
+     * @param owner - The repository owner.
+     * @param repo - The repository name.
+     * @param limit - Maximum number of releases to fetch.
+     * @returns Array of release information.
+     */
+    getAllReleases(owner: string, repo: string, limit?: number): Promise<ReleaseInfo[]>;
+    /**
+     * Get the latest release for a GitHub repository.
+     *
+     * @param owner - The repository owner.
+     * @param repo - The repository name.
+     * @returns Latest release information or null if not found.
+     */
+    getLatestRelease(owner: string, repo: string): Promise<ReleaseInfo | null>;
+    getRateLimitStatus(): {
+        remaining: number;
+        resetAt: Date;
+    };
+    /**
+     * Check if we should wait before making more requests.
+     *
+     * @param threshold - Minimum remaining requests before waiting.
+     * @returns True if rate limit is below threshold.
+     */
+    shouldWaitForRateLimit(threshold?: number): boolean;
+}
+export {};

package/dist/core/api/client.js

@@ -0,0 +1,187 @@
+import { GraphqlResponseError, graphql } from "@octokit/graphql";
+var GitHubRateLimitError = class extends Error {
+	constructor(resetAt) {
+		let resetTime = resetAt.toLocaleTimeString();
+		super(`GitHub API rate limit exceeded. Resets at ${resetTime}`);
+		this.name = "GitHubRateLimitError";
+	}
+};
+var Client = class Client {
+	graphqlWithAuth;
+	rateLimitRemaining = 5e3;
+	rateLimitReset = /* @__PURE__ */ new Date();
+	constructor(token) {
+		let authToken = token ?? process.env["GITHUB_TOKEN"];
+		this.graphqlWithAuth = graphql.defaults({ headers: authToken ? { authorization: `token ${authToken}` } : {} });
+		if (!authToken) console.warn("No GitHub token found. API rate limits will be restricted.");
+	}
+	static isRateLimitError(error) {
+		if (error instanceof GraphqlResponseError) return error.errors.some((graphQLError) => graphQLError.type === "RATE_LIMITED" || typeof graphQLError.message === "string" && /rate limit/iu.test(graphQLError.message));
+		if (error instanceof Error) return /rate limit/iu.test(error.message);
+		return false;
+	}
+	async getTagInfo(owner, repo, tag) {
+		try {
+			let qualifiedTag = tag.startsWith("refs/tags/") ? tag : `refs/tags/${tag}`;
+			let displayTag = tag.replace(/^refs\/tags\//u, "");
+			let query = `
+        query getTagInfo($owner: String!, $repo: String!, $tag: String!) {
+          repository(owner: $owner, name: $repo) {
+            ref(qualifiedName: $tag) {
+              target {
+                oid
+                ... on Commit {
+                  committedDate
+                  message
+                }
+                ... on Tag {
+                  tagger {
+                    date
+                  }
+                  message
+                  target {
+                    oid
+                  }
+                }
+              }
+            }
+          }
+          rateLimit {
+            remaining
+            resetAt
+          }
+        }
+      `;
+			let response = await this.graphqlWithAuth(query, {
+				tag: qualifiedTag,
+				owner,
+				repo
+			});
+			this.rateLimitRemaining = response.rateLimit.remaining;
+			this.rateLimitReset = new Date(response.rateLimit.resetAt);
+			if (!response.repository?.ref?.target) return null;
+			let { target } = response.repository.ref;
+			if ("committedDate" in target) return {
+				date: target.committedDate ? new Date(target.committedDate) : null,
+				message: target.message || null,
+				sha: target.oid,
+				tag: displayTag
+			};
+			let tagObject = target.target;
+			return {
+				date: target.tagger?.date ? new Date(target.tagger.date) : null,
+				sha: tagObject?.oid ?? target.oid,
+				message: target.message ?? null,
+				tag: displayTag
+			};
+		} catch (error) {
+			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
+			throw error;
+		}
+	}
+	async getAllReleases(owner, repo, limit = 10) {
+		try {
+			let query = `
+        query getAllReleases($owner: String!, $repo: String!, $limit: Int!) {
+          repository(owner: $owner, name: $repo) {
+            releases(
+              first: $limit
+              orderBy: { field: CREATED_AT, direction: DESC }
+            ) {
+              nodes {
+                tagName
+                tagCommit {
+                  oid
+                }
+                name
+                description
+                isPrerelease
+                publishedAt
+                url
+              }
+            }
+          }
+          rateLimit {
+            remaining
+            resetAt
+          }
+        }
+      `;
+			let response = await this.graphqlWithAuth(query, {
+				owner,
+				limit,
+				repo
+			});
+			this.rateLimitRemaining = response.rateLimit.remaining;
+			this.rateLimitReset = new Date(response.rateLimit.resetAt);
+			if (!response.repository?.releases?.nodes) return [];
+			return response.repository.releases.nodes.map((release) => ({
+				sha: release.tagCommit?.oid ?? null,
+				publishedAt: new Date(release.publishedAt),
+				description: release.description ?? null,
+				name: release.name ?? release.tagName,
+				isPrerelease: release.isPrerelease,
+				url: release.url,
+				version: release.tagName
+			}));
+		} catch (error) {
+			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
+			throw error;
+		}
+	}
+	async getLatestRelease(owner, repo) {
+		try {
+			let query = `
+        query getLatestRelease($owner: String!, $repo: String!) {
+          repository(owner: $owner, name: $repo) {
+            latestRelease {
+              tagName
+              tagCommit {
+                oid
+              }
+              name
+              description
+              isPrerelease
+              publishedAt
+              url
+            }
+          }
+          rateLimit {
+            remaining
+            resetAt
+          }
+        }
+      `;
+			let response = await this.graphqlWithAuth(query, {
+				owner,
+				repo
+			});
+			this.rateLimitRemaining = response.rateLimit.remaining;
+			this.rateLimitReset = new Date(response.rateLimit.resetAt);
+			if (!response.repository?.latestRelease) return null;
+			let release = response.repository.latestRelease;
+			return {
+				sha: release.tagCommit?.oid ?? null,
+				publishedAt: new Date(release.publishedAt),
+				description: release.description ?? null,
+				name: release.name ?? release.tagName,
+				isPrerelease: release.isPrerelease,
+				url: release.url,
+				version: release.tagName
+			};
+		} catch (error) {
+			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
+			throw error;
+		}
+	}
+	getRateLimitStatus() {
+		return {
+			remaining: this.rateLimitRemaining,
+			resetAt: this.rateLimitReset
+		};
+	}
+	shouldWaitForRateLimit(threshold = 100) {
+		return this.rateLimitRemaining < threshold;
+	}
+};
+export { Client };

package/dist/core/ast/guards/has-range.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Type guard to check if a node has a range property for line number
+ * calculation.
+ *
+ * @param node - The node to check.
+ * @returns True if the node has a range property.
+ */
+export declare function hasRange(node: unknown): node is {
+    range?: [number, number, number];
+};

package/dist/core/ast/guards/has-range.js

@@ -0,0 +1,4 @@
+function hasRange(node) {
+	return node !== null && typeof node === "object" && "range" in node;
+}
+export { hasRange };

package/dist/core/ast/guards/is-node.d.ts

@@ -0,0 +1,8 @@
+import { Node } from 'yaml';
+/**
+ * Type guard to check if a node is a YAML Node with toJSON method.
+ *
+ * @param node - The node to check.
+ * @returns True if the node has a toJSON method.
+ */
+export declare function isNode(node: unknown): node is Node;

package/dist/core/ast/guards/is-node.js

@@ -0,0 +1,4 @@
+function isNode(node) {
+	return node !== null && typeof node === "object" && "toJSON" in node && typeof node.toJSON === "function";
+}
+export { isNode };

package/dist/core/ast/guards/is-pair.d.ts

@@ -0,0 +1,8 @@
+import { Pair } from 'yaml';
+/**
+ * Type guard to check if a node is a YAML key-value pair.
+ *
+ * @param node - The node to check.
+ * @returns True if the node is a Pair.
+ */
+export declare function isPair(node: unknown): node is Pair;

package/dist/core/ast/guards/is-pair.js

@@ -0,0 +1,4 @@
+function isPair(node) {
+	return node !== null && typeof node === "object" && "key" in node && "value" in node;
+}
+export { isPair };

package/dist/core/ast/guards/is-scalar.d.ts

@@ -0,0 +1,8 @@
+import { Scalar } from 'yaml';
+/**
+ * Type guard to check if a node is a YAML scalar value.
+ *
+ * @param node - The node to check.
+ * @returns True if the node is a Scalar.
+ */
+export declare function isScalar(node: unknown): node is Scalar;

package/dist/core/ast/guards/is-scalar.js

@@ -0,0 +1,4 @@
+function isScalar(node) {
+	return node !== null && typeof node === "object" && "value" in node;
+}
+export { isScalar };

package/dist/core/ast/guards/is-yaml-map.d.ts

@@ -0,0 +1,8 @@
+import { YAMLMap } from 'yaml';
+/**
+ * Type guard to check if a node is a YAML map (object).
+ *
+ * @param node - The node to check.
+ * @returns True if the node is a YAMLMap.
+ */
+export declare function isYAMLMap(node: unknown): node is YAMLMap;

package/dist/core/ast/guards/is-yaml-map.js

@@ -0,0 +1,4 @@
+function isYAMLMap(node) {
+	return node !== null && typeof node === "object" && "items" in node && Array.isArray(node.items);
+}
+export { isYAMLMap };

package/dist/core/ast/guards/is-yaml-sequence.d.ts

@@ -0,0 +1,8 @@
+import { YAMLSeq } from 'yaml';
+/**
+ * Type guard to check if a node is a YAML sequence (array).
+ *
+ * @param node - The node to check.
+ * @returns True if the node is a YAMLSeq.
+ */
+export declare function isYAMLSequence(node: unknown): node is YAMLSeq;

package/dist/core/ast/guards/is-yaml-sequence.js

@@ -0,0 +1,4 @@
+function isYAMLSequence(node) {
+	return node !== null && typeof node === "object" && "items" in node && Array.isArray(node.items);
+}
+export { isYAMLSequence };

package/dist/core/ast/scanners/scan-composite-action-ast.d.ts

@@ -0,0 +1,14 @@
+import { Document } from 'yaml';
+import { GitHubAction } from '../../../types/github-action';
+/**
+ * Scans a parsed composite action YAML document for action references.
+ *
+ * Navigates AST structure `runs -> steps` and extracts `uses` entries with
+ * corresponding line numbers when the action defines `using: composite`.
+ *
+ * @param document - Parsed YAML document of a composite action file.
+ * @param content - Original file content.
+ * @param filePath - Path of the action file.
+ * @returns List of discovered actions.
+ */
+export declare function scanCompositeActionAst(document: Document, content: string, filePath: string): GitHubAction[];

package/dist/core/ast/scanners/scan-composite-action-ast.js

@@ -0,0 +1,18 @@
+import { isYAMLMap } from "../guards/is-yaml-map.js";
+import { extractUsesFromSteps } from "../utils/extract-uses-from-steps.js";
+import { findMapPair } from "../utils/find-map-pair.js";
+import { isCompositeActionStructure } from "../../schema/composite/is-composite-action-structure.js";
+import { isCompositeActionRuns } from "../../schema/composite/is-composite-action-runs.js";
+function scanCompositeActionAst(document, content, filePath) {
+	let action = document.toJSON();
+	if (!isCompositeActionStructure(action)) return [];
+	if (!document.contents || !isYAMLMap(document.contents)) return [];
+	let runsPair = findMapPair(document.contents, "runs");
+	if (!runsPair?.value || !isYAMLMap(runsPair.value)) return [];
+	let runsJson = action["runs"];
+	if (!runsJson || !isCompositeActionRuns(runsJson) || !runsJson["steps"] || !Array.isArray(runsJson["steps"])) return [];
+	let stepsPair = findMapPair(runsPair.value, "steps");
+	if (!stepsPair?.value) return [];
+	return extractUsesFromSteps(stepsPair.value, filePath, content);
+}
+export { scanCompositeActionAst };

package/dist/core/ast/scanners/scan-workflow-ast.d.ts

@@ -0,0 +1,14 @@
+import { Document } from 'yaml';
+import { GitHubAction } from '../../../types/github-action';
+/**
+ * Scans a parsed workflow YAML document for action references.
+ *
+ * Navigates AST structure `jobs -> <job> -> steps` and extracts `uses` entries
+ * with corresponding line numbers.
+ *
+ * @param document - Parsed YAML document of a workflow file.
+ * @param content - Original file content.
+ * @param filePath - Path of the workflow file to scan.
+ * @returns List of discovered actions.
+ */
+export declare function scanWorkflowAst(document: Document, content: string, filePath: string): GitHubAction[];

package/dist/core/ast/scanners/scan-workflow-ast.js

@@ -0,0 +1,23 @@
+import { isWorkflowStructure } from "../../schema/workflow/is-workflow-structure.js";
+import { isYAMLMap } from "../guards/is-yaml-map.js";
+import { isNode } from "../guards/is-node.js";
+import { isPair } from "../guards/is-pair.js";
+import { extractUsesFromSteps } from "../utils/extract-uses-from-steps.js";
+import { findMapPair } from "../utils/find-map-pair.js";
+function scanWorkflowAst(document, content, filePath) {
+	let workflow = document.toJSON();
+	if (!isWorkflowStructure(workflow)) return [];
+	if (!document.contents || !isYAMLMap(document.contents)) return [];
+	let jobsPair = findMapPair(document.contents, "jobs");
+	if (!jobsPair?.value || !isYAMLMap(jobsPair.value)) return [];
+	let actions = [];
+	for (let jobNode of jobsPair.value.items) {
+		if (!isPair(jobNode) || !jobNode.value || !isNode(jobNode.value)) continue;
+		if (!isYAMLMap(jobNode.value)) continue;
+		let stepsPair = findMapPair(jobNode.value, "steps");
+		if (!stepsPair?.value) continue;
+		actions.push(...extractUsesFromSteps(stepsPair.value, filePath, content));
+	}
+	return actions;
+}
+export { scanWorkflowAst };

package/dist/core/ast/update/apply-updates.d.ts

@@ -0,0 +1,7 @@
+import { ActionUpdate } from '../../../types/action-update';
+/**
+ * Apply updates using SHA with version in comment for readability.
+ *
+ * @param updates - Array of updates to apply.
+ */
+export declare function applyUpdates(updates: ActionUpdate[]): Promise<void>;