actions-up 0.1.0 → 1.0.0

package/dist/core/ast/update/apply-updates.js

@@ -12,9 +12,24 @@ async function applyUpdates(updates) {
 		let content = await readFile(filePath, "utf8");
 		for (let update of fileUpdates) {
 			if (!update.latestSha) continue;
-			let escapedName = update.action.name.replaceAll(/[$()*+.?[\\\]^{|}]/gu, String.raw`\$&`);
-			let escapedVersion = update.currentVersion?.replaceAll(/[$()*+.?[\\\]^{|}]/gu, String.raw`\$&`);
-			let pattern = new RegExp(String.raw`(^\s*-?\s*uses:\s*)(['"]?)(${escapedName})@${escapedVersion}\2(\s*#[^\n]*)?`, "gm");
+			function escapeRegExp(string_) {
+				return string_.replaceAll(/[$()*+\-./?[\\\]^{|}]/gu, String.raw`\$&`);
+			}
+			let escapedName = escapeRegExp(update.action.name);
+			let escapedVersion = update.currentVersion ? escapeRegExp(update.currentVersion) : "";
+			if (escapedName.includes("\n") || escapedName.includes("\r")) {
+				console.error(`Invalid action name: ${update.action.name}`);
+				continue;
+			}
+			if (escapedVersion && (escapedVersion.includes("\n") || escapedVersion.includes("\r"))) {
+				console.error(`Invalid version: ${update.currentVersion}`);
+				continue;
+			}
+			if (!/^[\da-f]{40}$/iu.test(update.latestSha)) {
+				console.error(`Invalid SHA format: ${update.latestSha}`);
+				continue;
+			}
+			let pattern = new RegExp(`(^\\s*-?\\s*uses:\\s*)(['"]?)(${escapedName})@${escapedVersion}\\2(\\s*#[^\\n]*)?`, "gm");
 			let replacement = `$1$2$3@${update.latestSha}$2 # ${update.latestVersion}`;
 			content = content.replace(pattern, replacement);
 		}

package/dist/core/scan-github-actions.js

@@ -2,7 +2,7 @@ import { ACTIONS_DIRECTORY, GITHUB_DIRECTORY, WORKFLOWS_DIRECTORY } from "./cons
 import { scanWorkflowFile } from "./scan-workflow-file.js";
 import { scanActionFile } from "./scan-action-file.js";
 import { isYamlFile } from "./fs/is-yaml-file.js";
-import { join } from "node:path";
+import { isAbsolute, join, relative, resolve } from "node:path";
 import { readdir, stat } from "node:fs/promises";
 async function scanGitHubActions(rootPath = process.cwd()) {
 	let result = {
@@ -10,19 +10,39 @@ async function scanGitHubActions(rootPath = process.cwd()) {
 		workflows: /* @__PURE__ */ new Map(),
 		actions: []
 	};
-	let githubPath = join(rootPath, GITHUB_DIRECTORY);
-	try {
-		await stat(githubPath);
-	} catch {
-		return result;
+	let normalizedRoot = resolve(rootPath);
+	function isWithin(root, candidate) {
+		let relativePath = relative(root, candidate);
+		return relativePath !== "" && !relativePath.startsWith("..") && !isAbsolute(relativePath);
+	}
+	let githubPath = join(normalizedRoot, GITHUB_DIRECTORY);
+	if (!isWithin(normalizedRoot, githubPath)) throw new Error("Invalid path: detected path traversal attempt");
+	function isValidName(name) {
+		if (name.includes("..") || name.includes("/") || name.includes("\\")) {
+			console.warn(`Skipping invalid name: ${name}`);
+			return false;
+		}
+		return true;
 	}
 	let workflowsPath = join(githubPath, WORKFLOWS_DIRECTORY);
+	if (!isWithin(normalizedRoot, workflowsPath)) return result;
 	try {
 		let workflowsStat = await stat(workflowsPath);
 		if (workflowsStat.isDirectory()) {
 			let files = await readdir(workflowsPath);
-			let workflowPromises = files.filter((file) => isYamlFile(file)).map(async (file) => {
+			let workflowPromises = files.filter((file) => {
+				if (!isValidName(file)) return false;
+				return isYamlFile(file);
+			}).map(async (file) => {
 				let filePath = join(workflowsPath, file);
+				if (!isWithin(workflowsPath, filePath)) {
+					console.warn(`Skipping file outside workflows directory: ${file}`);
+					return {
+						success: false,
+						actions: [],
+						path: ""
+					};
+				}
 				try {
 					let actions = await scanWorkflowFile(filePath);
 					return {
@@ -39,29 +59,37 @@ async function scanGitHubActions(rootPath = process.cwd()) {
 				}
 			});
 			let workflowResults = await Promise.all(workflowPromises);
-			for (let workflow of workflowResults) if (workflow.success) if (workflow.actions.length > 0) {
+			for (let workflow of workflowResults) if (workflow.success && workflow.path) if (workflow.actions.length > 0) {
 				result.workflows.set(workflow.path, workflow.actions);
 				result.actions.push(...workflow.actions);
 			} else result.workflows.set(workflow.path, []);
 		}
 	} catch {}
-	let actionsPath = join(githubPath, "actions");
+	let actionsPath = join(githubPath, ACTIONS_DIRECTORY);
+	if (!isWithin(normalizedRoot, actionsPath)) return result;
 	try {
 		let actionsStat = await stat(actionsPath);
 		if (actionsStat.isDirectory()) {
 			let subdirectories = await readdir(actionsPath);
 			let actionPromises = subdirectories.map(async (subdir) => {
+				if (!isValidName(subdir)) return null;
 				let subdirPath = join(actionsPath, subdir);
+				if (!isWithin(actionsPath, subdirPath)) {
+					console.warn(`Skipping subdirectory outside actions path: ${subdir}`);
+					return null;
+				}
 				try {
 					let subdirectoryStat = await stat(subdirPath);
 					if (!subdirectoryStat.isDirectory()) return null;
 					let actionFilePath = join(subdirPath, "action.yml");
+					if (!isWithin(subdirPath, actionFilePath)) return null;
 					let actions = [];
 					try {
 						actions = await scanActionFile(actionFilePath);
 					} catch {
 						try {
 							actionFilePath = join(subdirPath, "action.yaml");
+							if (!isWithin(subdirPath, actionFilePath)) return null;
 							actions = await scanActionFile(actionFilePath);
 						} catch {
 							return null;

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "0.1.0";
+const version = "1.0.0";
 export { version };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",

package/readme.md

@@ -18,12 +18,12 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
 
 ## Features
 
-- **Auto-discovery** - Scans all workflows (`.github/workflows/*.yml`) and composite actions (`.github/actions/*/action.yml`)
-- **SHA Pinning** - Updates actions to use commit SHA instead of tags for better security
-- **Batch Updates** - Update multiple actions at once
-- **Interactive Selection** - Choose which actions to update
-- **Breaking Changes Detection** - Warns about major version updates
-- **Fast & Efficient** - Parallel processing with optimized API calls
+- **Auto-discovery**: Scans all workflows (`.github/workflows/*.yml`) and composite actions (`.github/actions/*/action.yml`)
+- **SHA Pinning**: Updates actions to use commit SHA instead of tags for better security
+- **Batch Updates**: Update multiple actions at once
+- **Interactive Selection**: Choose which actions to update
+- **Breaking Changes Detection**: Warns about major version updates
+- **Fast & Efficient**: Parallel processing with optimized API calls
 
 ###
 
@@ -40,31 +40,72 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
   />
   <img
     src="https://raw.githubusercontent.com/azat-io/actions-up/main/assets/example-light.webp"
-    alt="Token Limit CLI Example"
-    width="600"
+    alt="Actions Up interactive example"
+    width="820"
   />
 </picture>
 
+## Why
+
+### The Problem
+
+Keeping GitHub Actions updated is a critical but tedious task:
+
+- **Security Risk**: Using outdated actions with known vulnerabilities
+- **Manual Hell**: Checking dozens of actions across multiple workflows by hand
+- **Version Tags Are Mutable**: v1 or v2 tags can change without notice, breaking reproducibility
+- **Time Sink**: Hours spent on maintenance that could be used for actual development
+
+### The Solution
+
+Actions Up transforms a painful manual process into a delightful experience:
+
+| Without Actions Up             | With Actions Up                  |
+| :----------------------------- | :------------------------------- |
+| Check each action manually     | Scan all workflows in seconds    |
+| Risk using vulnerable versions | SHA pinning for maximum security |
+| 30+ minutes per repository     | Under 1 minute total             |
+
+## GitHub Token Required
+
+> **Important**: GitHub API has strict rate limits (60 requests/hour without token vs 5000 with token).
+> A GitHub token is **practically required** for using Actions Up.
+
+### Quick Token Setup
+
+[Create a GitHub Personal Access Token](https://github.com/settings/tokens/new?scopes=public_repo&description=actions-up).
+
+- For public repositories: Select `public_repo` scope
+- For private repositories: Select `repo` scope
+
 ## Installation
 
+Quick use (no installation)
+
+```bash
+npx actions-up
+```
+
+Global installation
+
 ```bash
 npm install -g actions-up
 ```
 
-Or use directly with npx:
+Per-project
 
 ```bash
-npx actions-up
+npm install --save-dev actions-up
 ```
 
 ## Usage
 
 ### Interactive Mode (Default)
 
-Run in your repository root:
+Run in your repository root with GitHub token:
 
 ```bash
-actions-up
+GITHUB_TOKEN=ghp_xxxx npx actions-up
 ```
 
 This will:
@@ -79,17 +120,30 @@ This will:
 Skip all prompts and update everything:
 
 ```bash
-actions-up --yes
+GITHUB_TOKEN=ghp_xxxx npx actions-up --yes
 # or
-actions-up -y
+GITHUB_TOKEN=ghp_xxxx npx actions-up -y
 ```
 
-### With GitHub Token
+## Pro Tips
+
+### Shell Aliases
 
-To avoid rate limits [create a GitHub personal access token](https://github.com/settings/tokens/new?scopes=public_repo&description=actions-up) and set it as an environment variable:
+Add to your `.zshrc`, `.bashrc` or `.config/fish/config.fish`:
 
 ```bash
-GITHUB_TOKEN=ghp_xxxx actions-up
+# Basic alias with token from environment
+export GITHUB_TOKEN=ghp_xxxx  # Add this once to your shell config
+alias actions-up='GITHUB_TOKEN=$GITHUB_TOKEN npx actions-up'
+
+# With token from file
+alias actions-up='GITHUB_TOKEN=$(cat ~/.github-token) npx actions-up'
+
+# With 1Password CLI
+alias actions-up='GITHUB_TOKEN=$(op read "op://Personal/GitHub/token") npx actions-up'
+
+# With macOS Keychain
+alias actions-up='GITHUB_TOKEN=$(security find-generic-password -w -s "github-token") npx actions-up'
 ```
 
 ## Example
@@ -104,12 +158,6 @@ GITHUB_TOKEN=ghp_xxxx actions-up
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 ```
 
-## Configuration
-
-### Environment Variables
-
-- `GITHUB_TOKEN` - GitHub personal access token for API requests (optional but recommended)
-
 ## Security
 
 Actions Up promotes security best practices: