actions-up 1.0.0 → 1.1.0

package/dist/cli/index.js

@@ -10,7 +10,7 @@ import pc from "picocolors";
 import cac from "cac";
 function run() {
 	let cli = cac("actions-up");
-	cli.help().version(version).option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (options) => {
+	cli.help().version(version).option("--yes, -y", "Skip all confirmations").option("--dry-run", "Preview changes without applying them").command("", "Update GitHub Actions").action(async (options) => {
 		console.info(pc.cyan("\n🚀 Actions Up!\n"));
 		let spinner = createSpinner("Scanning GitHub Actions...").start();
 		try {
@@ -33,6 +33,12 @@ function run() {
 				return;
 			}
 			spinner.success(`Found ${pc.yellow(outdated.length)} updates available${breaking.length > 0 ? ` (${pc.red(breaking.length)} breaking)` : ""}`);
+			if (options.dryRun) {
+				console.info(pc.yellow("\n📋 Dry Run - No changes will be made\n"));
+				for (let update of outdated) console.info(`${pc.cyan(update.action.file ?? "unknown")}:\n${update.action.name}: ${pc.red(update.currentVersion)} → ${pc.green(update.latestVersion)} ${update.latestSha ? pc.gray(`(${update.latestSha.slice(0, 7)})`) : ""}\n`);
+				console.info(pc.gray(`\n${outdated.length} actions would be updated\n`));
+				return;
+			}
 			if (options.yes) {
 				let toUpdate = outdated.filter((update) => update.latestSha);
 				if (toUpdate.length === 0) {

package/dist/core/api/check-updates.js

@@ -69,7 +69,7 @@ async function checkUpdates(actions, token) {
 		}
 	}), Promise.resolve([]));
 	if (sharedState.rateLimitError) {
-		let error = /* @__PURE__ */ new Error("GitHub API rate limit exceeded. Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#with-github-token");
+		let error = /* @__PURE__ */ new Error("GitHub API rate limit exceeded. Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#using-github-token-for-higher-rate-limits");
 		error.name = "GitHubRateLimitError";
 		throw error;
 	}

package/dist/core/api/client.d.ts

@@ -26,11 +26,11 @@ interface TagInfo {
     /** Git commit SHA that this tag points to. */
     sha: string;
 }
-/** GitHub GraphQL client with optional authentication. */
+/** GitHub REST API client with optional authentication. */
 export declare class Client {
-    private readonly graphqlWithAuth;
-    private rateLimitRemaining;
     private rateLimitReset;
+    private rateLimitRemaining;
+    private readonly octokit;
     /**
      * Creates a new GitHub API client.
      *
@@ -75,5 +75,6 @@ export declare class Client {
      * @returns True if rate limit is below threshold.
      */
     shouldWaitForRateLimit(threshold?: number): boolean;
+    private updateRateLimitInfo;
 }
 export {};

package/dist/core/api/client.js

@@ -1,4 +1,4 @@
-import { GraphqlResponseError, graphql } from "@octokit/graphql";
+import { Octokit } from "@octokit/rest";
 var GitHubRateLimitError = class extends Error {
 	constructor(resetAt) {
 		let resetTime = resetAt.toLocaleTimeString();
@@ -7,73 +7,93 @@ var GitHubRateLimitError = class extends Error {
 	}
 };
 var Client = class Client {
-	graphqlWithAuth;
-	rateLimitRemaining = 5e3;
 	rateLimitReset = /* @__PURE__ */ new Date();
+	rateLimitRemaining = 60;
+	octokit;
 	constructor(token) {
 		let authToken = token ?? process.env["GITHUB_TOKEN"];
-		this.graphqlWithAuth = graphql.defaults({ headers: authToken ? { authorization: `token ${authToken}` } : {} });
+		this.octokit = new Octokit({ auth: authToken ?? void 0 });
 		if (!authToken) console.warn("No GitHub token found. API rate limits will be restricted.");
+		this.rateLimitRemaining = authToken ? 5e3 : 60;
 	}
 	static isRateLimitError(error) {
-		if (error instanceof GraphqlResponseError) return error.errors.some((graphQLError) => graphQLError.type === "RATE_LIMITED" || typeof graphQLError.message === "string" && /rate limit/iu.test(graphQLError.message));
-		if (error instanceof Error) return /rate limit/iu.test(error.message);
+		if (error && typeof error === "object") {
+			let maybeAny = error;
+			let message = typeof maybeAny.message === "string" ? maybeAny.message.toLowerCase() : "";
+			let status = typeof maybeAny.status === "number" ? maybeAny.status : void 0;
+			return message.includes("rate limit") || message.includes("api rate limit") || status === 403;
+		}
 		return false;
 	}
 	async getTagInfo(owner, repo, tag) {
 		try {
-			let qualifiedTag = tag.startsWith("refs/tags/") ? tag : `refs/tags/${tag}`;
 			let displayTag = tag.replace(/^refs\/tags\//u, "");
-			let query = `
-        query getTagInfo($owner: String!, $repo: String!, $tag: String!) {
-          repository(owner: $owner, name: $repo) {
-            ref(qualifiedName: $tag) {
-              target {
-                oid
-                ... on Commit {
-                  committedDate
-                  message
-                }
-                ... on Tag {
-                  tagger {
-                    date
-                  }
-                  message
-                  target {
-                    oid
-                  }
-                }
-              }
-            }
-          }
-          rateLimit {
-            remaining
-            resetAt
-          }
-        }
-      `;
-			let response = await this.graphqlWithAuth(query, {
-				tag: qualifiedTag,
-				owner,
-				repo
-			});
-			this.rateLimitRemaining = response.rateLimit.remaining;
-			this.rateLimitReset = new Date(response.rateLimit.resetAt);
-			if (!response.repository?.ref?.target) return null;
-			let { target } = response.repository.ref;
-			if ("committedDate" in target) return {
-				date: target.committedDate ? new Date(target.committedDate) : null,
-				message: target.message || null,
-				sha: target.oid,
-				tag: displayTag
-			};
-			let tagObject = target.target;
-			return {
-				date: target.tagger?.date ? new Date(target.tagger.date) : null,
-				sha: tagObject?.oid ?? target.oid,
-				message: target.message ?? null,
-				tag: displayTag
-			};
+			try {
+				let { headers: releaseHeaders, data: releaseData } = await this.octokit.repos.getReleaseByTag({
+					tag: displayTag,
+					owner,
+					repo
+				});
+				this.updateRateLimitInfo(releaseHeaders);
+				let sha = null;
+				if (releaseData.target_commitish) try {
+					let { data: commitData } = await this.octokit.repos.getCommit({
+						ref: releaseData.target_commitish,
+						owner,
+						repo
+					});
+					({sha} = commitData);
+				} catch {
+					sha = releaseData.target_commitish;
+				}
+				return {
+					date: releaseData.published_at ? new Date(releaseData.published_at) : null,
+					sha: sha ?? releaseData.target_commitish,
+					message: releaseData.body ?? null,
+					tag: displayTag
+				};
+			} catch (releaseError) {
+				if (releaseError instanceof Error && "status" in releaseError && releaseError.status === 404) try {
+					let { headers: referenceHeaders, data: referenceData } = await this.octokit.git.getRef({
+						ref: `tags/${displayTag}`,
+						owner,
+						repo
+					});
+					this.updateRateLimitInfo(referenceHeaders);
+					let { sha } = referenceData.object;
+					let message = null;
+					let date = null;
+					if (referenceData.object.type === "tag") try {
+						let { data: tagData } = await this.octokit.git.getTag({
+							tag_sha: sha,
+							owner,
+							repo
+						});
+						({sha} = tagData.object);
+						message = tagData.message || null;
+						date = tagData.tagger.date ? new Date(tagData.tagger.date) : null;
+					} catch {}
+					else if (referenceData.object.type === "commit") try {
+						let { data: commitData } = await this.octokit.git.getCommit({
+							commit_sha: sha,
+							owner,
+							repo
+						});
+						({message} = commitData);
+						date = commitData.author.date ? new Date(commitData.author.date) : null;
+					} catch {}
+					return {
+						tag: displayTag,
+						message,
+						date,
+						sha
+					};
+				} catch (tagError) {
+					if (tagError instanceof Error && "status" in tagError && tagError.status === 404) return null;
+					throw tagError;
+				}
+				throw releaseError;
+			}
 		} catch (error) {
 			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
 			throw error;
@@ -81,49 +101,32 @@ var Client = class Client {
 	}
 	async getAllReleases(owner, repo, limit = 10) {
 		try {
-			let query = `
-        query getAllReleases($owner: String!, $repo: String!, $limit: Int!) {
-          repository(owner: $owner, name: $repo) {
-            releases(
-              first: $limit
-              orderBy: { field: CREATED_AT, direction: DESC }
-            ) {
-              nodes {
-                tagName
-                tagCommit {
-                  oid
-                }
-                name
-                description
-                isPrerelease
-                publishedAt
-                url
-              }
-            }
-          }
-          rateLimit {
-            remaining
-            resetAt
-          }
-        }
-      `;
-			let response = await this.graphqlWithAuth(query, {
+			let { data: releases, headers } = await this.octokit.repos.listReleases({
+				per_page: limit,
 				owner,
-				limit,
 				repo
 			});
-			this.rateLimitRemaining = response.rateLimit.remaining;
-			this.rateLimitReset = new Date(response.rateLimit.resetAt);
-			if (!response.repository?.releases?.nodes) return [];
-			return response.repository.releases.nodes.map((release) => ({
-				sha: release.tagCommit?.oid ?? null,
-				publishedAt: new Date(release.publishedAt),
-				description: release.description ?? null,
-				name: release.name ?? release.tagName,
-				isPrerelease: release.isPrerelease,
-				url: release.url,
-				version: release.tagName
+			this.updateRateLimitInfo(headers);
+			let releaseInfos = [];
+			await Promise.all(releases.map(async (release) => {
+				let sha = null;
+				if (release.tag_name) try {
+					let tagInfo = await this.getTagInfo(owner, repo, release.tag_name);
+					if (tagInfo) ({sha} = tagInfo);
+				} catch {
+					sha = release.target_commitish || null;
+				}
+				releaseInfos.push({
+					publishedAt: new Date(release.published_at),
+					name: release.name ?? release.tag_name,
+					description: release.body ?? null,
+					isPrerelease: release.prerelease,
+					version: release.tag_name,
+					url: release.html_url,
+					sha
+				});
 			}));
+			return releaseInfos;
 		} catch (error) {
 			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
 			throw error;
@@ -131,45 +134,29 @@ var Client = class Client {
 	}
 	async getLatestRelease(owner, repo) {
 		try {
-			let query = `
-        query getLatestRelease($owner: String!, $repo: String!) {
-          repository(owner: $owner, name: $repo) {
-            latestRelease {
-              tagName
-              tagCommit {
-                oid
-              }
-              name
-              description
-              isPrerelease
-              publishedAt
-              url
-            }
-          }
-          rateLimit {
-            remaining
-            resetAt
-          }
-        }
-      `;
-			let response = await this.graphqlWithAuth(query, {
+			let { data: release, headers } = await this.octokit.repos.getLatestRelease({
 				owner,
 				repo
 			});
-			this.rateLimitRemaining = response.rateLimit.remaining;
-			this.rateLimitReset = new Date(response.rateLimit.resetAt);
-			if (!response.repository?.latestRelease) return null;
-			let release = response.repository.latestRelease;
+			this.updateRateLimitInfo(headers);
+			let sha = null;
+			if (release.tag_name) try {
+				let tagInfo = await this.getTagInfo(owner, repo, release.tag_name);
+				if (tagInfo) ({sha} = tagInfo);
+			} catch {
+				sha = release.target_commitish || null;
+			}
 			return {
-				sha: release.tagCommit?.oid ?? null,
-				publishedAt: new Date(release.publishedAt),
-				description: release.description ?? null,
-				name: release.name ?? release.tagName,
-				isPrerelease: release.isPrerelease,
-				url: release.url,
-				version: release.tagName
+				publishedAt: new Date(release.published_at),
+				name: release.name ?? release.tag_name,
+				description: release.body ?? null,
+				isPrerelease: release.prerelease,
+				version: release.tag_name,
+				url: release.html_url,
+				sha
 			};
 		} catch (error) {
+			if (error instanceof Error && "status" in error && error.status === 404) return null;
 			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
 			throw error;
 		}
@@ -183,5 +170,14 @@ var Client = class Client {
 	shouldWaitForRateLimit(threshold = 100) {
 		return this.rateLimitRemaining < threshold;
 	}
+	updateRateLimitInfo(headers) {
+		let remaining = headers["x-ratelimit-remaining"];
+		if (remaining !== void 0) this.rateLimitRemaining = typeof remaining === "string" ? Number.parseInt(remaining, 10) : remaining;
+		let reset = headers["x-ratelimit-reset"];
+		if (reset !== void 0) {
+			let resetTime = typeof reset === "string" ? Number.parseInt(reset, 10) : reset;
+			this.rateLimitReset = /* @__PURE__ */ new Date(resetTime * 1e3);
+		}
+	}
 };
 export { Client };

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.0.0";
+const version = "1.1.0";
 export { version };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",
@@ -36,7 +36,7 @@
     "./dist"
   ],
   "dependencies": {
-    "@octokit/graphql": "^9.0.1",
+    "@octokit/rest": "^22.0.0",
     "cac": "^6.7.14",
     "enquirer": "^2.4.1",
     "nanospinner": "^1.2.2",

package/readme.md

@@ -66,18 +66,6 @@ Actions Up transforms a painful manual process into a delightful experience:
 | Risk using vulnerable versions | SHA pinning for maximum security |
 | 30+ minutes per repository     | Under 1 minute total             |
 
-## GitHub Token Required
-
-> **Important**: GitHub API has strict rate limits (60 requests/hour without token vs 5000 with token).
-> A GitHub token is **practically required** for using Actions Up.
-
-### Quick Token Setup
-
-[Create a GitHub Personal Access Token](https://github.com/settings/tokens/new?scopes=public_repo&description=actions-up).
-
-- For public repositories: Select `public_repo` scope
-- For private repositories: Select `repo` scope
-
 ## Installation
 
 Quick use (no installation)
@@ -102,10 +90,10 @@ npm install --save-dev actions-up
 
 ### Interactive Mode (Default)
 
-Run in your repository root with GitHub token:
+Run in your repository root:
 
 ```bash
-GITHUB_TOKEN=ghp_xxxx npx actions-up
+npx actions-up
 ```
 
 This will:
@@ -120,30 +108,9 @@ This will:
 Skip all prompts and update everything:
 
 ```bash
-GITHUB_TOKEN=ghp_xxxx npx actions-up --yes
+npx actions-up --yes
 # or
-GITHUB_TOKEN=ghp_xxxx npx actions-up -y
-```
-
-## Pro Tips
-
-### Shell Aliases
-
-Add to your `.zshrc`, `.bashrc` or `.config/fish/config.fish`:
-
-```bash
-# Basic alias with token from environment
-export GITHUB_TOKEN=ghp_xxxx  # Add this once to your shell config
-alias actions-up='GITHUB_TOKEN=$GITHUB_TOKEN npx actions-up'
-
-# With token from file
-alias actions-up='GITHUB_TOKEN=$(cat ~/.github-token) npx actions-up'
-
-# With 1Password CLI
-alias actions-up='GITHUB_TOKEN=$(op read "op://Personal/GitHub/token") npx actions-up'
-
-# With macOS Keychain
-alias actions-up='GITHUB_TOKEN=$(security find-generic-password -w -s "github-token") npx actions-up'
+npx actions-up -y
 ```
 
 ## Example
@@ -158,6 +125,17 @@ alias actions-up='GITHUB_TOKEN=$(security find-generic-password -w -s "github-to
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 ```
 
+## Advanced Usage
+
+### Using GitHub Token for Higher Rate Limits
+
+While Actions Up works without authentication, providing a GitHub token increases API rate limits from 60 to 5000 requests per hour, useful for large projects:
+
+[Create a GitHub Personal Access Token](https://github.com/settings/tokens/new?scopes=public_repo&description=actions-up).
+
+- For public repositories: Select `public_repo` scope
+- For private repositories: Select `repo` scope
+
 ## Security
 
 Actions Up promotes security best practices: