actions-up 0.1.0 → 1.1.0

package/dist/cli/index.js

@@ -10,7 +10,7 @@ import pc from "picocolors";
 import cac from "cac";
 function run() {
 	let cli = cac("actions-up");
-	cli.help().version(version).option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (options) => {
+	cli.help().version(version).option("--yes, -y", "Skip all confirmations").option("--dry-run", "Preview changes without applying them").command("", "Update GitHub Actions").action(async (options) => {
 		console.info(pc.cyan("\n🚀 Actions Up!\n"));
 		let spinner = createSpinner("Scanning GitHub Actions...").start();
 		try {
@@ -33,6 +33,12 @@ function run() {
 				return;
 			}
 			spinner.success(`Found ${pc.yellow(outdated.length)} updates available${breaking.length > 0 ? ` (${pc.red(breaking.length)} breaking)` : ""}`);
+			if (options.dryRun) {
+				console.info(pc.yellow("\n📋 Dry Run - No changes will be made\n"));
+				for (let update of outdated) console.info(`${pc.cyan(update.action.file ?? "unknown")}:\n${update.action.name}: ${pc.red(update.currentVersion)} → ${pc.green(update.latestVersion)} ${update.latestSha ? pc.gray(`(${update.latestSha.slice(0, 7)})`) : ""}\n`);
+				console.info(pc.gray(`\n${outdated.length} actions would be updated\n`));
+				return;
+			}
 			if (options.yes) {
 				let toUpdate = outdated.filter((update) => update.latestSha);
 				if (toUpdate.length === 0) {

package/dist/core/api/check-updates.js

@@ -69,7 +69,7 @@ async function checkUpdates(actions, token) {
 		}
 	}), Promise.resolve([]));
 	if (sharedState.rateLimitError) {
-		let error = /* @__PURE__ */ new Error("GitHub API rate limit exceeded. Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#with-github-token");
+		let error = /* @__PURE__ */ new Error("GitHub API rate limit exceeded. Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#using-github-token-for-higher-rate-limits");
 		error.name = "GitHubRateLimitError";
 		throw error;
 	}

package/dist/core/api/client.d.ts

@@ -26,11 +26,11 @@ interface TagInfo {
     /** Git commit SHA that this tag points to. */
     sha: string;
 }
-/** GitHub GraphQL client with optional authentication. */
+/** GitHub REST API client with optional authentication. */
 export declare class Client {
-    private readonly graphqlWithAuth;
-    private rateLimitRemaining;
     private rateLimitReset;
+    private rateLimitRemaining;
+    private readonly octokit;
     /**
      * Creates a new GitHub API client.
      *
@@ -75,5 +75,6 @@ export declare class Client {
      * @returns True if rate limit is below threshold.
      */
     shouldWaitForRateLimit(threshold?: number): boolean;
+    private updateRateLimitInfo;
 }
 export {};

package/dist/core/api/client.js

@@ -1,4 +1,4 @@
-import { GraphqlResponseError, graphql } from "@octokit/graphql";
+import { Octokit } from "@octokit/rest";
 var GitHubRateLimitError = class extends Error {
 	constructor(resetAt) {
 		let resetTime = resetAt.toLocaleTimeString();
@@ -7,73 +7,93 @@ var GitHubRateLimitError = class extends Error {
 	}
 };
 var Client = class Client {
-	graphqlWithAuth;
-	rateLimitRemaining = 5e3;
 	rateLimitReset = /* @__PURE__ */ new Date();
+	rateLimitRemaining = 60;
+	octokit;
 	constructor(token) {
 		let authToken = token ?? process.env["GITHUB_TOKEN"];
-		this.graphqlWithAuth = graphql.defaults({ headers: authToken ? { authorization: `token ${authToken}` } : {} });
+		this.octokit = new Octokit({ auth: authToken ?? void 0 });
 		if (!authToken) console.warn("No GitHub token found. API rate limits will be restricted.");
+		this.rateLimitRemaining = authToken ? 5e3 : 60;
 	}
 	static isRateLimitError(error) {
-		if (error instanceof GraphqlResponseError) return error.errors.some((graphQLError) => graphQLError.type === "RATE_LIMITED" || typeof graphQLError.message === "string" && /rate limit/iu.test(graphQLError.message));
-		if (error instanceof Error) return /rate limit/iu.test(error.message);
+		if (error && typeof error === "object") {
+			let maybeAny = error;
+			let message = typeof maybeAny.message === "string" ? maybeAny.message.toLowerCase() : "";
+			let status = typeof maybeAny.status === "number" ? maybeAny.status : void 0;
+			return message.includes("rate limit") || message.includes("api rate limit") || status === 403;
+		}
 		return false;
 	}
 	async getTagInfo(owner, repo, tag) {
 		try {
-			let qualifiedTag = tag.startsWith("refs/tags/") ? tag : `refs/tags/${tag}`;
 			let displayTag = tag.replace(/^refs\/tags\//u, "");
-			let query = `
-        query getTagInfo($owner: String!, $repo: String!, $tag: String!) {
-          repository(owner: $owner, name: $repo) {
-            ref(qualifiedName: $tag) {
-              target {
-                oid
-                ... on Commit {
-                  committedDate
-                  message
-                }
-                ... on Tag {
-                  tagger {
-                    date
-                  }
-                  message
-                  target {
-                    oid
-                  }
-                }
-              }
-            }
-          }
-          rateLimit {
-            remaining
-            resetAt
-          }
-        }
-      `;
-			let response = await this.graphqlWithAuth(query, {
-				tag: qualifiedTag,
-				owner,
-				repo
-			});
-			this.rateLimitRemaining = response.rateLimit.remaining;
-			this.rateLimitReset = new Date(response.rateLimit.resetAt);
-			if (!response.repository?.ref?.target) return null;
-			let { target } = response.repository.ref;
-			if ("committedDate" in target) return {
-				date: target.committedDate ? new Date(target.committedDate) : null,
-				message: target.message || null,
-				sha: target.oid,
-				tag: displayTag
-			};
-			let tagObject = target.target;
-			return {
-				date: target.tagger?.date ? new Date(target.tagger.date) : null,
-				sha: tagObject?.oid ?? target.oid,
-				message: target.message ?? null,
-				tag: displayTag
-			};
+			try {
+				let { headers: releaseHeaders, data: releaseData } = await this.octokit.repos.getReleaseByTag({
+					tag: displayTag,
+					owner,
+					repo
+				});
+				this.updateRateLimitInfo(releaseHeaders);
+				let sha = null;
+				if (releaseData.target_commitish) try {
+					let { data: commitData } = await this.octokit.repos.getCommit({
+						ref: releaseData.target_commitish,
+						owner,
+						repo
+					});
+					({sha} = commitData);
+				} catch {
+					sha = releaseData.target_commitish;
+				}
+				return {
+					date: releaseData.published_at ? new Date(releaseData.published_at) : null,
+					sha: sha ?? releaseData.target_commitish,
+					message: releaseData.body ?? null,
+					tag: displayTag
+				};
+			} catch (releaseError) {
+				if (releaseError instanceof Error && "status" in releaseError && releaseError.status === 404) try {
+					let { headers: referenceHeaders, data: referenceData } = await this.octokit.git.getRef({
+						ref: `tags/${displayTag}`,
+						owner,
+						repo
+					});
+					this.updateRateLimitInfo(referenceHeaders);
+					let { sha } = referenceData.object;
+					let message = null;
+					let date = null;
+					if (referenceData.object.type === "tag") try {
+						let { data: tagData } = await this.octokit.git.getTag({
+							tag_sha: sha,
+							owner,
+							repo
+						});
+						({sha} = tagData.object);
+						message = tagData.message || null;
+						date = tagData.tagger.date ? new Date(tagData.tagger.date) : null;
+					} catch {}
+					else if (referenceData.object.type === "commit") try {
+						let { data: commitData } = await this.octokit.git.getCommit({
+							commit_sha: sha,
+							owner,
+							repo
+						});
+						({message} = commitData);
+						date = commitData.author.date ? new Date(commitData.author.date) : null;
+					} catch {}
+					return {
+						tag: displayTag,
+						message,
+						date,
+						sha
+					};
+				} catch (tagError) {
+					if (tagError instanceof Error && "status" in tagError && tagError.status === 404) return null;
+					throw tagError;
+				}
+				throw releaseError;
+			}
 		} catch (error) {
 			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
 			throw error;
@@ -81,49 +101,32 @@ var Client = class Client {
 	}
 	async getAllReleases(owner, repo, limit = 10) {
 		try {
-			let query = `
-        query getAllReleases($owner: String!, $repo: String!, $limit: Int!) {
-          repository(owner: $owner, name: $repo) {
-            releases(
-              first: $limit
-              orderBy: { field: CREATED_AT, direction: DESC }
-            ) {
-              nodes {
-                tagName
-                tagCommit {
-                  oid
-                }
-                name
-                description
-                isPrerelease
-                publishedAt
-                url
-              }
-            }
-          }
-          rateLimit {
-            remaining
-            resetAt
-          }
-        }
-      `;
-			let response = await this.graphqlWithAuth(query, {
+			let { data: releases, headers } = await this.octokit.repos.listReleases({
+				per_page: limit,
 				owner,
-				limit,
 				repo
 			});
-			this.rateLimitRemaining = response.rateLimit.remaining;
-			this.rateLimitReset = new Date(response.rateLimit.resetAt);
-			if (!response.repository?.releases?.nodes) return [];
-			return response.repository.releases.nodes.map((release) => ({
-				sha: release.tagCommit?.oid ?? null,
-				publishedAt: new Date(release.publishedAt),
-				description: release.description ?? null,
-				name: release.name ?? release.tagName,
-				isPrerelease: release.isPrerelease,
-				url: release.url,
-				version: release.tagName
+			this.updateRateLimitInfo(headers);
+			let releaseInfos = [];
+			await Promise.all(releases.map(async (release) => {
+				let sha = null;
+				if (release.tag_name) try {
+					let tagInfo = await this.getTagInfo(owner, repo, release.tag_name);
+					if (tagInfo) ({sha} = tagInfo);
+				} catch {
+					sha = release.target_commitish || null;
+				}
+				releaseInfos.push({
+					publishedAt: new Date(release.published_at),
+					name: release.name ?? release.tag_name,
+					description: release.body ?? null,
+					isPrerelease: release.prerelease,
+					version: release.tag_name,
+					url: release.html_url,
+					sha
+				});
 			}));
+			return releaseInfos;
 		} catch (error) {
 			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
 			throw error;
@@ -131,45 +134,29 @@ var Client = class Client {
 	}
 	async getLatestRelease(owner, repo) {
 		try {
-			let query = `
-        query getLatestRelease($owner: String!, $repo: String!) {
-          repository(owner: $owner, name: $repo) {
-            latestRelease {
-              tagName
-              tagCommit {
-                oid
-              }
-              name
-              description
-              isPrerelease
-              publishedAt
-              url
-            }
-          }
-          rateLimit {
-            remaining
-            resetAt
-          }
-        }
-      `;
-			let response = await this.graphqlWithAuth(query, {
+			let { data: release, headers } = await this.octokit.repos.getLatestRelease({
 				owner,
 				repo
 			});
-			this.rateLimitRemaining = response.rateLimit.remaining;
-			this.rateLimitReset = new Date(response.rateLimit.resetAt);
-			if (!response.repository?.latestRelease) return null;
-			let release = response.repository.latestRelease;
+			this.updateRateLimitInfo(headers);
+			let sha = null;
+			if (release.tag_name) try {
+				let tagInfo = await this.getTagInfo(owner, repo, release.tag_name);
+				if (tagInfo) ({sha} = tagInfo);
+			} catch {
+				sha = release.target_commitish || null;
+			}
 			return {
-				sha: release.tagCommit?.oid ?? null,
-				publishedAt: new Date(release.publishedAt),
-				description: release.description ?? null,
-				name: release.name ?? release.tagName,
-				isPrerelease: release.isPrerelease,
-				url: release.url,
-				version: release.tagName
+				publishedAt: new Date(release.published_at),
+				name: release.name ?? release.tag_name,
+				description: release.body ?? null,
+				isPrerelease: release.prerelease,
+				version: release.tag_name,
+				url: release.html_url,
+				sha
 			};
 		} catch (error) {
+			if (error instanceof Error && "status" in error && error.status === 404) return null;
 			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
 			throw error;
 		}
@@ -183,5 +170,14 @@ var Client = class Client {
 	shouldWaitForRateLimit(threshold = 100) {
 		return this.rateLimitRemaining < threshold;
 	}
+	updateRateLimitInfo(headers) {
+		let remaining = headers["x-ratelimit-remaining"];
+		if (remaining !== void 0) this.rateLimitRemaining = typeof remaining === "string" ? Number.parseInt(remaining, 10) : remaining;
+		let reset = headers["x-ratelimit-reset"];
+		if (reset !== void 0) {
+			let resetTime = typeof reset === "string" ? Number.parseInt(reset, 10) : reset;
+			this.rateLimitReset = /* @__PURE__ */ new Date(resetTime * 1e3);
+		}
+	}
 };
 export { Client };

package/dist/core/ast/update/apply-updates.js

@@ -12,9 +12,24 @@ async function applyUpdates(updates) {
 		let content = await readFile(filePath, "utf8");
 		for (let update of fileUpdates) {
 			if (!update.latestSha) continue;
-			let escapedName = update.action.name.replaceAll(/[$()*+.?[\\\]^{|}]/gu, String.raw`\$&`);
-			let escapedVersion = update.currentVersion?.replaceAll(/[$()*+.?[\\\]^{|}]/gu, String.raw`\$&`);
-			let pattern = new RegExp(String.raw`(^\s*-?\s*uses:\s*)(['"]?)(${escapedName})@${escapedVersion}\2(\s*#[^\n]*)?`, "gm");
+			function escapeRegExp(string_) {
+				return string_.replaceAll(/[$()*+\-./?[\\\]^{|}]/gu, String.raw`\$&`);
+			}
+			let escapedName = escapeRegExp(update.action.name);
+			let escapedVersion = update.currentVersion ? escapeRegExp(update.currentVersion) : "";
+			if (escapedName.includes("\n") || escapedName.includes("\r")) {
+				console.error(`Invalid action name: ${update.action.name}`);
+				continue;
+			}
+			if (escapedVersion && (escapedVersion.includes("\n") || escapedVersion.includes("\r"))) {
+				console.error(`Invalid version: ${update.currentVersion}`);
+				continue;
+			}
+			if (!/^[\da-f]{40}$/iu.test(update.latestSha)) {
+				console.error(`Invalid SHA format: ${update.latestSha}`);
+				continue;
+			}
+			let pattern = new RegExp(`(^\\s*-?\\s*uses:\\s*)(['"]?)(${escapedName})@${escapedVersion}\\2(\\s*#[^\\n]*)?`, "gm");
 			let replacement = `$1$2$3@${update.latestSha}$2 # ${update.latestVersion}`;
 			content = content.replace(pattern, replacement);
 		}

package/dist/core/scan-github-actions.js

@@ -2,7 +2,7 @@ import { ACTIONS_DIRECTORY, GITHUB_DIRECTORY, WORKFLOWS_DIRECTORY } from "./cons
 import { scanWorkflowFile } from "./scan-workflow-file.js";
 import { scanActionFile } from "./scan-action-file.js";
 import { isYamlFile } from "./fs/is-yaml-file.js";
-import { join } from "node:path";
+import { isAbsolute, join, relative, resolve } from "node:path";
 import { readdir, stat } from "node:fs/promises";
 async function scanGitHubActions(rootPath = process.cwd()) {
 	let result = {
@@ -10,19 +10,39 @@ async function scanGitHubActions(rootPath = process.cwd()) {
 		workflows: /* @__PURE__ */ new Map(),
 		actions: []
 	};
-	let githubPath = join(rootPath, GITHUB_DIRECTORY);
-	try {
-		await stat(githubPath);
-	} catch {
-		return result;
+	let normalizedRoot = resolve(rootPath);
+	function isWithin(root, candidate) {
+		let relativePath = relative(root, candidate);
+		return relativePath !== "" && !relativePath.startsWith("..") && !isAbsolute(relativePath);
+	}
+	let githubPath = join(normalizedRoot, GITHUB_DIRECTORY);
+	if (!isWithin(normalizedRoot, githubPath)) throw new Error("Invalid path: detected path traversal attempt");
+	function isValidName(name) {
+		if (name.includes("..") || name.includes("/") || name.includes("\\")) {
+			console.warn(`Skipping invalid name: ${name}`);
+			return false;
+		}
+		return true;
 	}
 	let workflowsPath = join(githubPath, WORKFLOWS_DIRECTORY);
+	if (!isWithin(normalizedRoot, workflowsPath)) return result;
 	try {
 		let workflowsStat = await stat(workflowsPath);
 		if (workflowsStat.isDirectory()) {
 			let files = await readdir(workflowsPath);
-			let workflowPromises = files.filter((file) => isYamlFile(file)).map(async (file) => {
+			let workflowPromises = files.filter((file) => {
+				if (!isValidName(file)) return false;
+				return isYamlFile(file);
+			}).map(async (file) => {
 				let filePath = join(workflowsPath, file);
+				if (!isWithin(workflowsPath, filePath)) {
+					console.warn(`Skipping file outside workflows directory: ${file}`);
+					return {
+						success: false,
+						actions: [],
+						path: ""
+					};
+				}
 				try {
 					let actions = await scanWorkflowFile(filePath);
 					return {
@@ -39,29 +59,37 @@ async function scanGitHubActions(rootPath = process.cwd()) {
 				}
 			});
 			let workflowResults = await Promise.all(workflowPromises);
-			for (let workflow of workflowResults) if (workflow.success) if (workflow.actions.length > 0) {
+			for (let workflow of workflowResults) if (workflow.success && workflow.path) if (workflow.actions.length > 0) {
 				result.workflows.set(workflow.path, workflow.actions);
 				result.actions.push(...workflow.actions);
 			} else result.workflows.set(workflow.path, []);
 		}
 	} catch {}
-	let actionsPath = join(githubPath, "actions");
+	let actionsPath = join(githubPath, ACTIONS_DIRECTORY);
+	if (!isWithin(normalizedRoot, actionsPath)) return result;
 	try {
 		let actionsStat = await stat(actionsPath);
 		if (actionsStat.isDirectory()) {
 			let subdirectories = await readdir(actionsPath);
 			let actionPromises = subdirectories.map(async (subdir) => {
+				if (!isValidName(subdir)) return null;
 				let subdirPath = join(actionsPath, subdir);
+				if (!isWithin(actionsPath, subdirPath)) {
+					console.warn(`Skipping subdirectory outside actions path: ${subdir}`);
+					return null;
+				}
 				try {
 					let subdirectoryStat = await stat(subdirPath);
 					if (!subdirectoryStat.isDirectory()) return null;
 					let actionFilePath = join(subdirPath, "action.yml");
+					if (!isWithin(subdirPath, actionFilePath)) return null;
 					let actions = [];
 					try {
 						actions = await scanActionFile(actionFilePath);
 					} catch {
 						try {
 							actionFilePath = join(subdirPath, "action.yaml");
+							if (!isWithin(subdirPath, actionFilePath)) return null;
 							actions = await scanActionFile(actionFilePath);
 						} catch {
 							return null;

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "0.1.0";
+const version = "1.1.0";
 export { version };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "0.1.0",
+  "version": "1.1.0",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",
@@ -36,7 +36,7 @@
     "./dist"
   ],
   "dependencies": {
-    "@octokit/graphql": "^9.0.1",
+    "@octokit/rest": "^22.0.0",
     "cac": "^6.7.14",
     "enquirer": "^2.4.1",
     "nanospinner": "^1.2.2",

package/readme.md

@@ -18,12 +18,12 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
 
 ## Features
 
-- **Auto-discovery** - Scans all workflows (`.github/workflows/*.yml`) and composite actions (`.github/actions/*/action.yml`)
-- **SHA Pinning** - Updates actions to use commit SHA instead of tags for better security
-- **Batch Updates** - Update multiple actions at once
-- **Interactive Selection** - Choose which actions to update
-- **Breaking Changes Detection** - Warns about major version updates
-- **Fast & Efficient** - Parallel processing with optimized API calls
+- **Auto-discovery**: Scans all workflows (`.github/workflows/*.yml`) and composite actions (`.github/actions/*/action.yml`)
+- **SHA Pinning**: Updates actions to use commit SHA instead of tags for better security
+- **Batch Updates**: Update multiple actions at once
+- **Interactive Selection**: Choose which actions to update
+- **Breaking Changes Detection**: Warns about major version updates
+- **Fast & Efficient**: Parallel processing with optimized API calls
 
 ###
 
@@ -40,21 +40,50 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
   />
   <img
     src="https://raw.githubusercontent.com/azat-io/actions-up/main/assets/example-light.webp"
-    alt="Token Limit CLI Example"
-    width="600"
+    alt="Actions Up interactive example"
+    width="820"
   />
 </picture>
 
+## Why
+
+### The Problem
+
+Keeping GitHub Actions updated is a critical but tedious task:
+
+- **Security Risk**: Using outdated actions with known vulnerabilities
+- **Manual Hell**: Checking dozens of actions across multiple workflows by hand
+- **Version Tags Are Mutable**: v1 or v2 tags can change without notice, breaking reproducibility
+- **Time Sink**: Hours spent on maintenance that could be used for actual development
+
+### The Solution
+
+Actions Up transforms a painful manual process into a delightful experience:
+
+| Without Actions Up             | With Actions Up                  |
+| :----------------------------- | :------------------------------- |
+| Check each action manually     | Scan all workflows in seconds    |
+| Risk using vulnerable versions | SHA pinning for maximum security |
+| 30+ minutes per repository     | Under 1 minute total             |
+
 ## Installation
 
+Quick use (no installation)
+
+```bash
+npx actions-up
+```
+
+Global installation
+
 ```bash
 npm install -g actions-up
 ```
 
-Or use directly with npx:
+Per-project
 
 ```bash
-npx actions-up
+npm install --save-dev actions-up
 ```
 
 ## Usage
@@ -64,7 +93,7 @@ npx actions-up
 Run in your repository root:
 
 ```bash
-actions-up
+npx actions-up
 ```
 
 This will:
@@ -79,17 +108,9 @@ This will:
 Skip all prompts and update everything:
 
 ```bash
-actions-up --yes
+npx actions-up --yes
 # or
-actions-up -y
-```
-
-### With GitHub Token
-
-To avoid rate limits [create a GitHub personal access token](https://github.com/settings/tokens/new?scopes=public_repo&description=actions-up) and set it as an environment variable:
-
-```bash
-GITHUB_TOKEN=ghp_xxxx actions-up
+npx actions-up -y
 ```
 
 ## Example
@@ -104,11 +125,16 @@ GITHUB_TOKEN=ghp_xxxx actions-up
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 ```
 
-## Configuration
+## Advanced Usage
+
+### Using GitHub Token for Higher Rate Limits
+
+While Actions Up works without authentication, providing a GitHub token increases API rate limits from 60 to 5000 requests per hour, useful for large projects:
 
-### Environment Variables
+[Create a GitHub Personal Access Token](https://github.com/settings/tokens/new?scopes=public_repo&description=actions-up).
 
-- `GITHUB_TOKEN` - GitHub personal access token for API requests (optional but recommended)
+- For public repositories: Select `public_repo` scope
+- For private repositories: Select `repo` scope
 
 ## Security