actions-up 0.0.1 → 1.0.0

package/dist/core/ast/update/apply-updates.js

@@ -0,0 +1,40 @@
+import { readFile, writeFile } from "node:fs/promises";
+async function applyUpdates(updates) {
+	let updatesByFile = /* @__PURE__ */ new Map();
+	for (let update of updates) {
+		let { file } = update.action;
+		if (!file) continue;
+		let fileUpdates = updatesByFile.get(file) ?? [];
+		fileUpdates.push(update);
+		updatesByFile.set(file, fileUpdates);
+	}
+	let filePromises = [...updatesByFile.entries()].map(async ([filePath, fileUpdates]) => {
+		let content = await readFile(filePath, "utf8");
+		for (let update of fileUpdates) {
+			if (!update.latestSha) continue;
+			function escapeRegExp(string_) {
+				return string_.replaceAll(/[$()*+\-./?[\\\]^{|}]/gu, String.raw`\$&`);
+			}
+			let escapedName = escapeRegExp(update.action.name);
+			let escapedVersion = update.currentVersion ? escapeRegExp(update.currentVersion) : "";
+			if (escapedName.includes("\n") || escapedName.includes("\r")) {
+				console.error(`Invalid action name: ${update.action.name}`);
+				continue;
+			}
+			if (escapedVersion && (escapedVersion.includes("\n") || escapedVersion.includes("\r"))) {
+				console.error(`Invalid version: ${update.currentVersion}`);
+				continue;
+			}
+			if (!/^[\da-f]{40}$/iu.test(update.latestSha)) {
+				console.error(`Invalid SHA format: ${update.latestSha}`);
+				continue;
+			}
+			let pattern = new RegExp(`(^\\s*-?\\s*uses:\\s*)(['"]?)(${escapedName})@${escapedVersion}\\2(\\s*#[^\\n]*)?`, "gm");
+			let replacement = `$1$2$3@${update.latestSha}$2 # ${update.latestVersion}`;
+			content = content.replace(pattern, replacement);
+		}
+		await writeFile(filePath, content, "utf8");
+	});
+	await Promise.all(filePromises);
+}
+export { applyUpdates };

package/dist/core/ast/utils/extract-uses-from-steps.d.ts

@@ -0,0 +1,13 @@
+import { GitHubAction } from '../../../types/github-action';
+/**
+ * Extracts GitHub Action references from a steps YAML sequence.
+ *
+ * Uses the AST to locate the 'uses' key for precise line numbers and the JSON
+ * representation to validate the presence and type of the 'uses' field.
+ *
+ * @param stepsNode - YAML sequence node containing workflow/action steps.
+ * @param filePath - Path of the file being scanned (for metadata).
+ * @param content - Original YAML file content (for line number calculation).
+ * @returns List of discovered GitHub actions.
+ */
+export declare function extractUsesFromSteps(stepsNode: unknown, filePath: string, content: string): GitHubAction[];

package/dist/core/ast/utils/extract-uses-from-steps.js

@@ -0,0 +1,24 @@
+import { parseActionReference } from "../../parsing/parse-action-reference.js";
+import { isYAMLSequence } from "../guards/is-yaml-sequence.js";
+import { getLineNumberForKey } from "./get-line-number.js";
+import { isYAMLMap } from "../guards/is-yaml-map.js";
+import { isScalar } from "../guards/is-scalar.js";
+import { isNode } from "../guards/is-node.js";
+import { isPair } from "../guards/is-pair.js";
+function extractUsesFromSteps(stepsNode, filePath, content) {
+	if (!isYAMLSequence(stepsNode)) return [];
+	let actions = [];
+	for (let stepNode of stepsNode.items) {
+		if (!isYAMLMap(stepNode) || !isNode(stepNode)) continue;
+		let step = stepNode.toJSON();
+		if (step === null || typeof step !== "object" || Array.isArray(step)) continue;
+		let stepObject = step;
+		if (typeof stepObject["uses"] !== "string") continue;
+		let usesPair = stepNode.items.find((item) => isPair(item) && isScalar(item.key) && item.key.value === "uses");
+		let lineNumber = usesPair?.key ? getLineNumberForKey(content, usesPair.key) : 0;
+		let action = parseActionReference(stepObject["uses"], filePath, lineNumber);
+		if (action) actions.push(action);
+	}
+	return actions;
+}
+export { extractUsesFromSteps };

package/dist/core/ast/utils/find-map-pair.d.ts

@@ -0,0 +1,12 @@
+import { Pair } from 'yaml';
+/**
+ * Finds a key-value Pair by its key within a YAML map node.
+ *
+ * Returns null when the provided node is not a YAML map or when no entry with
+ * the given key exists.
+ *
+ * @param map - Candidate YAML node expected to be a map.
+ * @param key - Key name to locate.
+ * @returns Matching Pair when found, otherwise null.
+ */
+export declare function findMapPair(map: unknown, key: string): Pair | null;

package/dist/core/ast/utils/find-map-pair.js

@@ -0,0 +1,10 @@
+import { isYAMLMap } from "../guards/is-yaml-map.js";
+import { isScalar } from "../guards/is-scalar.js";
+import { isPair } from "../guards/is-pair.js";
+function findMapPair(map, key) {
+	if (!isYAMLMap(map) || !Array.isArray(map.items)) return null;
+	let yamlMap = map;
+	let pair = yamlMap.items.find((item) => isPair(item) && isScalar(item.key) && item.key.value === key);
+	return pair ?? null;
+}
+export { findMapPair };

package/dist/core/ast/utils/get-line-number.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Calculates a 1-based line number for a YAML key node using its range.
+ *
+ * Returns 0 when the range is missing or malformed.
+ *
+ * @param content - Original file content used to compute line breaks.
+ * @param keyNode - YAML key node that may include a `range` tuple.
+ * @returns 1-based line number, or 0 when unknown.
+ */
+export declare function getLineNumberForKey(content: string, keyNode: unknown): number;

package/dist/core/ast/utils/get-line-number.js

@@ -0,0 +1,9 @@
+import { hasRange } from "../guards/has-range.js";
+function getLineNumberForKey(content, keyNode) {
+	if (hasRange(keyNode) && keyNode.range) {
+		let [offset] = keyNode.range;
+		if (typeof offset === "number" && Number.isFinite(offset)) return content.slice(0, Math.max(0, offset)).split("\n").length;
+	}
+	return 0;
+}
+export { getLineNumberForKey };

package/dist/core/constants.d.ts

@@ -0,0 +1,4 @@
+/** Constants for directory names used in the project. */
+export declare const GITHUB_DIRECTORY: ".github";
+export declare const WORKFLOWS_DIRECTORY: "workflows";
+export declare const ACTIONS_DIRECTORY: "actions";

package/dist/core/constants.js

@@ -0,0 +1,4 @@
+const GITHUB_DIRECTORY = ".github";
+const WORKFLOWS_DIRECTORY = "workflows";
+const ACTIONS_DIRECTORY = "actions";
+export { ACTIONS_DIRECTORY, GITHUB_DIRECTORY, WORKFLOWS_DIRECTORY };

package/dist/core/fs/is-yaml-file.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Checks if a file is a YAML file.
+ *
+ * @param filePath - The path to the file.
+ * @returns True if the file is a YAML file, false otherwise.
+ */
+export declare function isYamlFile(filePath: string): boolean;

package/dist/core/fs/is-yaml-file.js

@@ -0,0 +1,4 @@
+function isYamlFile(filePath) {
+	return filePath.endsWith(".yml") || filePath.endsWith(".yaml");
+}
+export { isYamlFile };

package/dist/core/fs/read-yaml-document.d.ts

@@ -0,0 +1,11 @@
+import { Document } from 'yaml';
+/**
+ * Reads a YAML file and returns both its raw content and parsed Document.
+ *
+ * @param filePath - Path to the YAML file.
+ * @returns Parsed YAML document along with original content.
+ */
+export declare function readYamlDocument(filePath: string): Promise<{
+    document: Document;
+    content: string;
+}>;

package/dist/core/fs/read-yaml-document.js

@@ -0,0 +1,11 @@
+import { readFile } from "node:fs/promises";
+import { parseDocument } from "yaml";
+async function readYamlDocument(filePath) {
+	let content = await readFile(filePath, "utf8");
+	let document = parseDocument(content);
+	return {
+		document,
+		content
+	};
+}
+export { readYamlDocument };

package/dist/core/index.d.ts

@@ -0,0 +1,3 @@
+export { scanGitHubActions } from './scan-github-actions';
+export { applyUpdates } from './ast/update/apply-updates';
+export { checkUpdates } from './api/check-updates';

package/dist/core/index.js

@@ -0,0 +1,4 @@
+import { applyUpdates } from "./ast/update/apply-updates.js";
+import { checkUpdates } from "./api/check-updates.js";
+import { scanGitHubActions } from "./scan-github-actions.js";
+export { applyUpdates, checkUpdates, scanGitHubActions };

package/dist/core/interactive/format-version.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Formats a version string for display, handling null/undefined values.
+ *
+ * @param version - Version string or null/undefined.
+ * @returns Formatted version string or 'unknown' placeholder.
+ */
+export declare function formatVersion(version: undefined | string | null): string;

package/dist/core/interactive/format-version.js

@@ -0,0 +1,5 @@
+import pc from "picocolors";
+function formatVersion(version) {
+	return version ?? pc.gray("unknown");
+}
+export { formatVersion };

package/dist/core/interactive/pad-string.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Pad a string to a specific length.
+ *
+ * @param string - String to pad.
+ * @param length - Target length.
+ * @returns Padded string.
+ */
+export declare function padString(string: string, length: number): string;

package/dist/core/interactive/pad-string.js

@@ -0,0 +1,9 @@
+import { stripAnsi } from "./strip-ansi.js";
+function padString(string, length) {
+	let stripped = stripAnsi(string);
+	let diff = length - stripped.length;
+	if (diff <= 0) return string;
+	let padding = " ".repeat(diff);
+	return string + padding;
+}
+export { padString };

package/dist/core/interactive/prompt-update-selection.d.ts

@@ -0,0 +1,2 @@
+import { ActionUpdate } from '../../types/action-update';
+export declare function promptUpdateSelection(updates: ActionUpdate[]): Promise<ActionUpdate[] | null>;

package/dist/core/interactive/prompt-update-selection.js

@@ -0,0 +1,203 @@
+import { formatVersion } from "./format-version.js";
+import { GITHUB_DIRECTORY } from "../constants.js";
+import { stripAnsi } from "./strip-ansi.js";
+import { padString } from "./pad-string.js";
+import "node:worker_threads";
+import pc from "picocolors";
+import enquirer from "enquirer";
+import path from "node:path";
+const MIN_ACTION_WIDTH = 56;
+const MIN_CURRENT_WIDTH = 10;
+async function promptUpdateSelection(updates) {
+	if (updates.length === 0) return null;
+	let outdated = updates.filter((update) => update.hasUpdate);
+	if (outdated.length === 0) {
+		console.info(pc.green("✓ All actions are up to date!"));
+		return null;
+	}
+	let groups = /* @__PURE__ */ new Map();
+	for (let [index, update] of outdated.entries()) {
+		let originalFile = update.action.file ?? "unknown file";
+		let file = path.relative(path.join(process.cwd(), GITHUB_DIRECTORY), originalFile);
+		if (file === "") file = originalFile;
+		let group = groups.get(file) ?? [];
+		group.push({
+			update,
+			index
+		});
+		groups.set(file, group);
+	}
+	let choices = [];
+	let maxActionLength = stripAnsi("Action").length;
+	let maxCurrentLength = stripAnsi("Current").length;
+	for (let update of outdated) {
+		let actionNameRaw = update.action.name;
+		let currentRaw = formatVersionOrSha(update.currentVersion);
+		maxActionLength = Math.max(maxActionLength, actionNameRaw.length);
+		maxCurrentLength = Math.max(maxCurrentLength, currentRaw.length);
+	}
+	let globalActionWidth = Math.max(maxActionLength, MIN_ACTION_WIDTH);
+	let globalCurrentWidth = Math.max(maxCurrentLength, MIN_CURRENT_WIDTH);
+	let sortedFiles = [...groups.keys()].toSorted();
+	for (let [fileIndex, file] of sortedFiles.entries()) {
+		let fileGroup = groups.get(file);
+		if (!fileGroup) {
+			console.warn(`Unexpected missing group for file: ${file}`);
+			continue;
+		}
+		let tableRows = [];
+		let groupOrder = fileGroup;
+		tableRows.push({
+			current: "Current",
+			action: "Action",
+			target: "Target",
+			arrow: "❯"
+		});
+		for (let { update } of groupOrder) {
+			let hasSha = Boolean(update.latestSha);
+			let current = formatVersionOrSha(update.currentVersion);
+			let latest = formatVersion(update.latestVersion);
+			let actionName = update.action.name;
+			if (update.latestSha) {
+				let shortSha = update.latestSha.slice(0, 7);
+				latest = `${latest} ${pc.gray(`(${shortSha})`)}`;
+			}
+			if (!hasSha) {
+				latest = pc.gray(latest);
+				current = pc.gray(current);
+				actionName = pc.gray(actionName);
+			}
+			tableRows.push({
+				action: actionName,
+				target: latest,
+				arrow: "❯",
+				current
+			});
+		}
+		let maxActionWidth = Math.max(globalActionWidth, MIN_ACTION_WIDTH);
+		let maxCurrentWidth = Math.max(globalCurrentWidth, MIN_CURRENT_WIDTH);
+		let groupChildren = [];
+		for (let [i, row] of tableRows.entries()) {
+			let isHeader = i === 0;
+			let formattedRow = formatTableRow(row, maxActionWidth, maxCurrentWidth);
+			if (isHeader) groupChildren.push({
+				message: pc.gray(` ○ ${formattedRow}`),
+				role: "separator",
+				indent: "",
+				name: ""
+			});
+			else {
+				let entry = groupOrder[i - 1];
+				if (!entry) continue;
+				let { update, index } = entry;
+				let hasSha = Boolean(update.latestSha);
+				let enabled = hasSha && !update.isBreaking;
+				groupChildren.push({
+					message: formattedRow,
+					value: String(index),
+					name: String(index),
+					disabled: !hasSha,
+					indent: "",
+					enabled
+				});
+			}
+		}
+		choices.push({
+			message: pc.gray(file),
+			value: `label|${file}`,
+			choices: groupChildren,
+			name: `label|${file}`,
+			isGroupLabel: true,
+			enabled: false
+		});
+		if (fileIndex < sortedFiles.length - 1) choices.push({
+			role: "separator",
+			message: " ",
+			name: ""
+		});
+	}
+	try {
+		let promptOptions = {
+			indicator(_state, choice) {
+				let isLabel = Boolean(choice.isGroupLabel);
+				if (isLabel) {
+					let allChildren = choice.choices ?? [];
+					let rows = allChildren.filter((child) => !("role" in child));
+					let total = rows.length;
+					let selectedCount = rows.filter((row) => Boolean(row.enabled)).length;
+					let mark = selectedCount === total ? "●" : "○";
+					return ` ${pc.gray(mark)}`;
+				}
+				return `   ${choice.enabled ? "●" : "○"}`;
+			},
+			message: `Choose which actions to update (Press ${pc.cyan("<space>")} to select, ${pc.cyan("<a>")} to toggle all, ${pc.cyan("<i>")} to invert selection)`,
+			cancel() {
+				console.info(pc.yellow("\nSelection cancelled"));
+				return null;
+			},
+			styles: {
+				success: pc.reset,
+				em: pc.bgBlack,
+				dark: pc.reset
+			},
+			j() {
+				return this.down?.() ?? Promise.resolve([]);
+			},
+			k() {
+				return this.up?.() ?? Promise.resolve([]);
+			},
+			footer: "\nEnter to start updating. Ctrl-c to cancel.",
+			type: "multiselect",
+			name: "selected",
+			pointer: "❯",
+			choices
+		};
+		let { selected } = await enquirer.prompt(promptOptions);
+		let selectedIndexes = /* @__PURE__ */ new Set();
+		for (let valueString of selected) {
+			if (valueString.startsWith("label|")) {
+				let fileKey = valueString.slice(6);
+				let groupItems = groups.get(fileKey) ?? [];
+				for (let { update: upd, index: index$1 } of groupItems) if (upd.latestSha) selectedIndexes.add(index$1);
+				continue;
+			}
+			let index = Number.parseInt(valueString, 10);
+			if (Number.isFinite(index)) selectedIndexes.add(index);
+		}
+		let result = [];
+		for (let [index, outdatedUpdate] of outdated.entries()) if (selectedIndexes.has(index) && outdatedUpdate.latestSha) result.push(outdatedUpdate);
+		if (result.length === 0) {
+			console.info(pc.yellow("\nNo actions selected"));
+			return null;
+		}
+		return result;
+	} catch (error) {
+		if (error instanceof Error && (error.message.includes("cancelled") || error.message.includes("ESC") || error.name === "ExitPromptError")) {
+			console.info(pc.yellow("\nSelection cancelled"));
+			return null;
+		}
+		console.error(pc.red("Unexpected error during selection:"), error);
+		throw error;
+	}
+}
+function formatTableRow(row, actionWidth, currentWidth) {
+	let parts = [
+		padString(row.action, actionWidth),
+		padString(row.current, currentWidth),
+		row.arrow,
+		row.target
+	];
+	let line = parts.join("  ");
+	return line.replace(/\s+$/u, "");
+}
+function isSha(value) {
+	if (!value) return false;
+	let normalized = value.replace(/^v/u, "");
+	return /^[0-9a-f]{7,40}$/iu.test(normalized);
+}
+function formatVersionOrSha(version) {
+	if (!version) return pc.gray("unknown");
+	if (isSha(version)) return version.slice(0, 7);
+	return version;
+}
+export { promptUpdateSelection };

package/dist/core/interactive/strip-ansi.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Remove ANSI escape codes from a string.
+ *
+ * @param string - String with potential ANSI codes.
+ * @returns String without ANSI codes.
+ */
+export declare function stripAnsi(string: string): string;

package/dist/core/interactive/strip-ansi.js

@@ -0,0 +1,21 @@
+function stripAnsi(string) {
+	let result = "";
+	let i = 0;
+	while (i < string.length) if (string.charCodeAt(i) === 27 && i + 1 < string.length && string[i + 1] === "[") {
+		i += 2;
+		while (i < string.length) {
+			let char = string[i];
+			i++;
+			if (char === "m") break;
+			if (!/[\d;]/u.test(char)) {
+				result += `${String.fromCharCode(27)}[${string.slice(i - 1, i)}`;
+				break;
+			}
+		}
+	} else {
+		result += string[i];
+		i++;
+	}
+	return result;
+}
+export { stripAnsi };

package/dist/core/parsing/parse-action-reference.d.ts

@@ -0,0 +1,30 @@
+import { GitHubAction } from '../../types/github-action';
+/**
+ * Parses a GitHub Action reference string and returns a structured GitHubAction
+ * object.
+ *
+ * @example
+ *   const action = parseActionReference(
+ *     'actions/checkout@v3',
+ *     'workflow.yml',
+ *     10,
+ *   )
+ *   // Returns: {
+ *   //   type: 'external',
+ *   //   name: 'actions/checkout',
+ *   //   version: 'v3',
+ *   //   file: 'workflow.yml',
+ *   //   line: 10,
+ *   // }
+ *
+ * @param reference - The action reference string to parse. Can be:
+ *
+ *   - External action: "owner/repo@version" (e.g., "actions/checkout@v3")
+ *   - Local action: "./path/to/action" or "../path/to/action"
+ *   - Docker action: "docker://image:tag".
+ *
+ * @param file - The file path where this action reference was found.
+ * @param line - The line number where this action reference was found.
+ * @returns A GitHubAction object if parsing succeeds, null otherwise.
+ */
+export declare function parseActionReference(reference: string, file: string, line: number): GitHubAction | null;

package/dist/core/parsing/parse-action-reference.js

@@ -0,0 +1,34 @@
+function parseActionReference(reference, file, line) {
+	if (!reference || reference.trim() === "") return null;
+	if (reference.startsWith("docker://")) return {
+		version: void 0,
+		name: reference,
+		type: "docker",
+		file,
+		line
+	};
+	if (reference.startsWith("./") || reference.startsWith("../")) return {
+		version: void 0,
+		name: reference,
+		type: "local",
+		file,
+		line
+	};
+	let parts = reference.split("@");
+	if (parts.length !== 2) return null;
+	let [namePart, version] = parts;
+	if (!namePart || !version) return null;
+	let segs = namePart.split("/");
+	if (segs.length < 2) return null;
+	let [owner, repo] = segs;
+	if (!owner || !repo) return null;
+	for (let seg of segs.slice(2)) if (!seg) return null;
+	return {
+		type: "external",
+		name: namePart,
+		version,
+		file,
+		line
+	};
+}
+export { parseActionReference };

package/dist/core/scan-action-file.d.ts

@@ -0,0 +1,10 @@
+import { GitHubAction } from '../types/github-action';
+/**
+ * Scans a composite GitHub Action file (action.yml or action.yaml) for all
+ * action references.
+ *
+ * @param filePath - The path to the action YAML file to scan.
+ * @returns A promise that resolves to an array of GitHubAction objects found in
+ *   the action file.
+ */
+export declare function scanActionFile(filePath: string): Promise<GitHubAction[]>;

package/dist/core/scan-action-file.js

@@ -0,0 +1,7 @@
+import { readYamlDocument } from "./fs/read-yaml-document.js";
+import { scanCompositeActionAst } from "./ast/scanners/scan-composite-action-ast.js";
+async function scanActionFile(filePath) {
+	let { document, content } = await readYamlDocument(filePath);
+	return scanCompositeActionAst(document, content, filePath);
+}
+export { scanActionFile };

package/dist/core/scan-github-actions.d.ts

@@ -0,0 +1,17 @@
+import { ScanResult } from '../types/scan-result';
+/**
+ * Scans a repository for all GitHub Actions usage in workflows and composite
+ * actions.
+ *
+ * @example
+ *   const result = await scanGitHubActions('/path/to/repo')
+ *
+ * @param rootPath - The root path of the repository to scan. Defaults to
+ *   current working directory.
+ * @returns A promise that resolves to a ScanResult containing:
+ *
+ *   - Workflows: Map of workflow file paths to their referenced actions
+ *   - CompositeActions: Map of composite action names to their directory paths
+ *   - Actions: Flat array of all discovered GitHub Actions.
+ */
+export declare function scanGitHubActions(rootPath?: string): Promise<ScanResult>;