actions-up 1.0.0 → 1.1.1

package/dist/cli/index.js

@@ -10,7 +10,7 @@ import pc from "picocolors";
 import cac from "cac";
 function run() {
 	let cli = cac("actions-up");
-	cli.help().version(version).option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (options) => {
+	cli.help().version(version).option("--yes, -y", "Skip all confirmations").option("--dry-run", "Preview changes without applying them").command("", "Update GitHub Actions").action(async (options) => {
 		console.info(pc.cyan("\n🚀 Actions Up!\n"));
 		let spinner = createSpinner("Scanning GitHub Actions...").start();
 		try {
@@ -33,6 +33,12 @@ function run() {
 				return;
 			}
 			spinner.success(`Found ${pc.yellow(outdated.length)} updates available${breaking.length > 0 ? ` (${pc.red(breaking.length)} breaking)` : ""}`);
+			if (options.dryRun) {
+				console.info(pc.yellow("\n📋 Dry Run - No changes will be made\n"));
+				for (let update of outdated) console.info(`${pc.cyan(update.action.file ?? "unknown")}:\n${update.action.name}: ${pc.red(update.currentVersion)} → ${pc.green(update.latestVersion)} ${update.latestSha ? pc.gray(`(${update.latestSha.slice(0, 7)})`) : ""}\n`);
+				console.info(pc.gray(`\n${outdated.length} actions would be updated\n`));
+				return;
+			}
 			if (options.yes) {
 				let toUpdate = outdated.filter((update) => update.latestSha);
 				if (toUpdate.length === 0) {

package/dist/core/api/check-updates.js

@@ -69,7 +69,7 @@ async function checkUpdates(actions, token) {
 		}
 	}), Promise.resolve([]));
 	if (sharedState.rateLimitError) {
-		let error = /* @__PURE__ */ new Error("GitHub API rate limit exceeded. Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#with-github-token");
+		let error = /* @__PURE__ */ new Error("GitHub API rate limit exceeded. Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#using-github-token-for-higher-rate-limits");
 		error.name = "GitHubRateLimitError";
 		throw error;
 	}

package/dist/core/api/client.d.ts

@@ -1,4 +1,3 @@
-/** Processed release information with normalized types. */
 interface ReleaseInfo {
     /** Release description or null if not provided. */
     description: string | null;
@@ -19,18 +18,19 @@ interface ReleaseInfo {
 interface TagInfo {
     /** Tag or commit message, null if not provided. */
     message: string | null;
+    /** Git commit SHA that this tag points to. */
+    sha: string | null;
     /** Date when the tag was created or committed. */
     date: Date | null;
     /** Tag name (e.g., 'v1.2.3'). */
     tag: string;
-    /** Git commit SHA that this tag points to. */
-    sha: string;
 }
-/** GitHub GraphQL client with optional authentication. */
+/** GitHub REST API client with optional authentication. */
 export declare class Client {
-    private readonly graphqlWithAuth;
-    private rateLimitRemaining;
+    private readonly baseUrl;
+    private readonly token;
     private rateLimitReset;
+    private rateLimitRemaining;
     /**
      * Creates a new GitHub API client.
      *
@@ -75,5 +75,7 @@ export declare class Client {
      * @returns True if rate limit is below threshold.
      */
     shouldWaitForRateLimit(threshold?: number): boolean;
+    private makeRequest;
+    private updateRateLimitInfo;
 }
 export {};

package/dist/core/api/client.js

@@ -1,4 +1,3 @@
-import { GraphqlResponseError, graphql } from "@octokit/graphql";
 var GitHubRateLimitError = class extends Error {
 	constructor(resetAt) {
 		let resetTime = resetAt.toLocaleTimeString();
@@ -7,73 +6,76 @@ var GitHubRateLimitError = class extends Error {
 	}
 };
 var Client = class Client {
-	graphqlWithAuth;
-	rateLimitRemaining = 5e3;
+	baseUrl = "https://api.github.com";
+	token;
 	rateLimitReset = /* @__PURE__ */ new Date();
+	rateLimitRemaining = 60;
 	constructor(token) {
-		let authToken = token ?? process.env["GITHUB_TOKEN"];
-		this.graphqlWithAuth = graphql.defaults({ headers: authToken ? { authorization: `token ${authToken}` } : {} });
-		if (!authToken) console.warn("No GitHub token found. API rate limits will be restricted.");
+		this.token = token ?? process.env["GITHUB_TOKEN"];
+		if (!this.token) console.warn("No GitHub token found. API rate limits will be restricted.");
+		this.rateLimitRemaining = this.token ? 5e3 : 60;
 	}
 	static isRateLimitError(error) {
-		if (error instanceof GraphqlResponseError) return error.errors.some((graphQLError) => graphQLError.type === "RATE_LIMITED" || typeof graphQLError.message === "string" && /rate limit/iu.test(graphQLError.message));
-		if (error instanceof Error) return /rate limit/iu.test(error.message);
+		if (error && typeof error === "object") {
+			let maybeAny = error;
+			let message = typeof maybeAny.message === "string" ? maybeAny.message.toLowerCase() : "";
+			let status = typeof maybeAny.status === "number" ? maybeAny.status : void 0;
+			return message.includes("rate limit") || message.includes("api rate limit") || status === 403;
+		}
 		return false;
 	}
 	async getTagInfo(owner, repo, tag) {
 		try {
-			let qualifiedTag = tag.startsWith("refs/tags/") ? tag : `refs/tags/${tag}`;
 			let displayTag = tag.replace(/^refs\/tags\//u, "");
-			let query = `
-        query getTagInfo($owner: String!, $repo: String!, $tag: String!) {
-          repository(owner: $owner, name: $repo) {
-            ref(qualifiedName: $tag) {
-              target {
-                oid
-                ... on Commit {
-                  committedDate
-                  message
-                }
-                ... on Tag {
-                  tagger {
-                    date
-                  }
-                  message
-                  target {
-                    oid
-                  }
-                }
-              }
-            }
-          }
-          rateLimit {
-            remaining
-            resetAt
-          }
-        }
-      `;
-			let response = await this.graphqlWithAuth(query, {
-				tag: qualifiedTag,
-				owner,
-				repo
-			});
-			this.rateLimitRemaining = response.rateLimit.remaining;
-			this.rateLimitReset = new Date(response.rateLimit.resetAt);
-			if (!response.repository?.ref?.target) return null;
-			let { target } = response.repository.ref;
-			if ("committedDate" in target) return {
-				date: target.committedDate ? new Date(target.committedDate) : null,
-				message: target.message || null,
-				sha: target.oid,
-				tag: displayTag
-			};
-			let tagObject = target.target;
-			return {
-				date: target.tagger?.date ? new Date(target.tagger.date) : null,
-				sha: tagObject?.oid ?? target.oid,
-				message: target.message ?? null,
-				tag: displayTag
-			};
+			try {
+				let releaseResp = await this.makeRequest(`/repos/${owner}/${repo}/releases/tags/${displayTag}`);
+				let releaseData = releaseResp.data;
+				let sha = null;
+				if (releaseData.target_commitish) try {
+					let commitResp = await this.makeRequest(`/repos/${owner}/${repo}/commits/${releaseData.target_commitish}`);
+					let commitData = commitResp.data;
+					({sha} = commitData);
+				} catch {
+					sha = releaseData.target_commitish;
+				}
+				return {
+					date: releaseData.published_at ? new Date(releaseData.published_at) : null,
+					sha: sha ?? releaseData.target_commitish,
+					message: releaseData.body ?? null,
+					tag: displayTag
+				};
+			} catch (releaseError) {
+				if (releaseError && typeof releaseError === "object" && "status" in releaseError && releaseError.status === 404) try {
+					let referenceResp = await this.makeRequest(`/repos/${owner}/${repo}/git/refs/tags/${displayTag}`);
+					let referenceData = referenceResp.data;
+					let { sha } = referenceData.object;
+					let message = null;
+					let date = null;
+					if (referenceData.object.type === "tag") try {
+						let tagResp = await this.makeRequest(`/repos/${owner}/${repo}/git/tags/${sha}`);
+						let tagData = tagResp.data;
+						({sha} = tagData.object);
+						({message} = tagData);
+						date = tagData.tagger.date ? new Date(tagData.tagger.date) : null;
+					} catch {}
+					else try {
+						let commitResp = await this.makeRequest(`/repos/${owner}/${repo}/git/commits/${sha}`);
+						let commitData = commitResp.data;
+						({message} = commitData);
+						date = commitData.author.date ? new Date(commitData.author.date) : null;
+					} catch {}
+					return {
+						tag: displayTag,
+						message,
+						date,
+						sha
+					};
+				} catch (tagError) {
+					if (tagError && typeof tagError === "object" && "status" in tagError && tagError.status === 404) return null;
+					throw tagError;
+				}
+				throw releaseError;
+			}
 		} catch (error) {
 			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
 			throw error;
@@ -81,49 +83,28 @@ var Client = class Client {
 	}
 	async getAllReleases(owner, repo, limit = 10) {
 		try {
-			let query = `
-        query getAllReleases($owner: String!, $repo: String!, $limit: Int!) {
-          repository(owner: $owner, name: $repo) {
-            releases(
-              first: $limit
-              orderBy: { field: CREATED_AT, direction: DESC }
-            ) {
-              nodes {
-                tagName
-                tagCommit {
-                  oid
-                }
-                name
-                description
-                isPrerelease
-                publishedAt
-                url
-              }
-            }
-          }
-          rateLimit {
-            remaining
-            resetAt
-          }
-        }
-      `;
-			let response = await this.graphqlWithAuth(query, {
-				owner,
-				limit,
-				repo
-			});
-			this.rateLimitRemaining = response.rateLimit.remaining;
-			this.rateLimitReset = new Date(response.rateLimit.resetAt);
-			if (!response.repository?.releases?.nodes) return [];
-			return response.repository.releases.nodes.map((release) => ({
-				sha: release.tagCommit?.oid ?? null,
-				publishedAt: new Date(release.publishedAt),
-				description: release.description ?? null,
-				name: release.name ?? release.tagName,
-				isPrerelease: release.isPrerelease,
-				url: release.url,
-				version: release.tagName
+			let releasesResp = await this.makeRequest(`/repos/${owner}/${repo}/releases?per_page=${limit}`);
+			let releases = releasesResp.data;
+			let releaseInfos = [];
+			await Promise.all(releases.map(async (release) => {
+				let sha = null;
+				if (release.tag_name) try {
+					let tagInfo = await this.getTagInfo(owner, repo, release.tag_name);
+					if (tagInfo) ({sha} = tagInfo);
+				} catch {
+					sha = release.target_commitish;
+				}
+				releaseInfos.push({
+					publishedAt: new Date(release.published_at),
+					name: release.name ?? release.tag_name,
+					description: release.body ?? null,
+					isPrerelease: release.prerelease,
+					version: release.tag_name,
+					url: release.html_url,
+					sha
+				});
 			}));
+			return releaseInfos;
 		} catch (error) {
 			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
 			throw error;
@@ -131,45 +112,26 @@ var Client = class Client {
 	}
 	async getLatestRelease(owner, repo) {
 		try {
-			let query = `
-        query getLatestRelease($owner: String!, $repo: String!) {
-          repository(owner: $owner, name: $repo) {
-            latestRelease {
-              tagName
-              tagCommit {
-                oid
-              }
-              name
-              description
-              isPrerelease
-              publishedAt
-              url
-            }
-          }
-          rateLimit {
-            remaining
-            resetAt
-          }
-        }
-      `;
-			let response = await this.graphqlWithAuth(query, {
-				owner,
-				repo
-			});
-			this.rateLimitRemaining = response.rateLimit.remaining;
-			this.rateLimitReset = new Date(response.rateLimit.resetAt);
-			if (!response.repository?.latestRelease) return null;
-			let release = response.repository.latestRelease;
+			let releaseResp = await this.makeRequest(`/repos/${owner}/${repo}/releases/latest`);
+			let release = releaseResp.data;
+			let sha = null;
+			if (release.tag_name) try {
+				let tagInfo = await this.getTagInfo(owner, repo, release.tag_name);
+				if (tagInfo) ({sha} = tagInfo);
+			} catch {
+				sha = release.target_commitish;
+			}
 			return {
-				sha: release.tagCommit?.oid ?? null,
-				publishedAt: new Date(release.publishedAt),
-				description: release.description ?? null,
-				name: release.name ?? release.tagName,
-				isPrerelease: release.isPrerelease,
-				url: release.url,
-				version: release.tagName
+				publishedAt: new Date(release.published_at),
+				name: release.name ?? release.tag_name,
+				description: release.body ?? null,
+				isPrerelease: release.prerelease,
+				version: release.tag_name,
+				url: release.html_url,
+				sha
 			};
 		} catch (error) {
+			if (error && typeof error === "object" && "status" in error && error.status === 404) return null;
 			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
 			throw error;
 		}
@@ -183,5 +145,43 @@ var Client = class Client {
 	shouldWaitForRateLimit(threshold = 100) {
 		return this.rateLimitRemaining < threshold;
 	}
+	async makeRequest(path, options = {}) {
+		let headers = {
+			Accept: "application/vnd.github.v3+json",
+			"User-Agent": "actions-up",
+			...options.headers
+		};
+		if (this.token) headers["Authorization"] = `Bearer ${this.token}`;
+		let response = await fetch(`${this.baseUrl}${path}`, {
+			...options,
+			headers
+		});
+		let responseHeaders = {};
+		for (let [key, value] of response.headers.entries()) responseHeaders[key] = value;
+		this.updateRateLimitInfo(responseHeaders);
+		if (!response.ok) {
+			let error = /* @__PURE__ */ new Error(`GitHub API error: ${response.status} ${response.statusText}`);
+			error.status = response.status;
+			if (response.status === 403) {
+				let text = await response.text();
+				if (text.includes("rate limit") || text.includes("API rate limit")) error.message = "API rate limit exceeded";
+			}
+			throw error;
+		}
+		let data = await response.json();
+		return {
+			headers: responseHeaders,
+			data
+		};
+	}
+	updateRateLimitInfo(headers) {
+		let remaining = headers["x-ratelimit-remaining"];
+		if (remaining !== void 0) this.rateLimitRemaining = typeof remaining === "string" ? Number.parseInt(remaining, 10) : remaining;
+		let reset = headers["x-ratelimit-reset"];
+		if (reset !== void 0) {
+			let resetTime = typeof reset === "string" ? Number.parseInt(reset, 10) : reset;
+			this.rateLimitReset = /* @__PURE__ */ new Date(resetTime * 1e3);
+		}
+	}
 };
 export { Client };

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.0.0";
+const version = "1.1.1";
 export { version };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.0.0",
+  "version": "1.1.1",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",
@@ -36,7 +36,6 @@
     "./dist"
   ],
   "dependencies": {
-    "@octokit/graphql": "^9.0.1",
     "cac": "^6.7.14",
     "enquirer": "^2.4.1",
     "nanospinner": "^1.2.2",

package/readme.md

@@ -66,18 +66,6 @@ Actions Up transforms a painful manual process into a delightful experience:
 | Risk using vulnerable versions | SHA pinning for maximum security |
 | 30+ minutes per repository     | Under 1 minute total             |
 
-## GitHub Token Required
-
-> **Important**: GitHub API has strict rate limits (60 requests/hour without token vs 5000 with token).
-> A GitHub token is **practically required** for using Actions Up.
-
-### Quick Token Setup
-
-[Create a GitHub Personal Access Token](https://github.com/settings/tokens/new?scopes=public_repo&description=actions-up).
-
-- For public repositories: Select `public_repo` scope
-- For private repositories: Select `repo` scope
-
 ## Installation
 
 Quick use (no installation)
@@ -102,10 +90,10 @@ npm install --save-dev actions-up
 
 ### Interactive Mode (Default)
 
-Run in your repository root with GitHub token:
+Run in your repository root:
 
 ```bash
-GITHUB_TOKEN=ghp_xxxx npx actions-up
+npx actions-up
 ```
 
 This will:
@@ -120,30 +108,9 @@ This will:
 Skip all prompts and update everything:
 
 ```bash
-GITHUB_TOKEN=ghp_xxxx npx actions-up --yes
+npx actions-up --yes
 # or
-GITHUB_TOKEN=ghp_xxxx npx actions-up -y
-```
-
-## Pro Tips
-
-### Shell Aliases
-
-Add to your `.zshrc`, `.bashrc` or `.config/fish/config.fish`:
-
-```bash
-# Basic alias with token from environment
-export GITHUB_TOKEN=ghp_xxxx  # Add this once to your shell config
-alias actions-up='GITHUB_TOKEN=$GITHUB_TOKEN npx actions-up'
-
-# With token from file
-alias actions-up='GITHUB_TOKEN=$(cat ~/.github-token) npx actions-up'
-
-# With 1Password CLI
-alias actions-up='GITHUB_TOKEN=$(op read "op://Personal/GitHub/token") npx actions-up'
-
-# With macOS Keychain
-alias actions-up='GITHUB_TOKEN=$(security find-generic-password -w -s "github-token") npx actions-up'
+npx actions-up -y
 ```
 
 ## Example
@@ -158,6 +125,17 @@ alias actions-up='GITHUB_TOKEN=$(security find-generic-password -w -s "github-to
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 ```
 
+## Advanced Usage
+
+### Using GitHub Token for Higher Rate Limits
+
+While Actions Up works without authentication, providing a GitHub token increases API rate limits from 60 to 5000 requests per hour, useful for large projects:
+
+[Create a GitHub Personal Access Token](https://github.com/settings/tokens/new?scopes=public_repo&description=actions-up).
+
+- For public repositories: Select `public_repo` scope
+- For private repositories: Select `repo` scope
+
 ## Security
 
 Actions Up promotes security best practices: