actions-up 1.1.0 → 1.2.0

package/dist/core/api/check-updates.js

@@ -20,19 +20,47 @@ async function checkUpdates(actions, token) {
 			actionName,
 			sha: null
 		}];
-		let [owner, repo] = actionName.split("/");
+		let segments = actionName.split("/");
+		if (segments.length < 2) return [...results, {
+			version: null,
+			actionName,
+			sha: null
+		}];
+		let [owner, repo] = segments;
 		if (!owner || !repo) return [...results, {
 			version: null,
 			actionName,
 			sha: null
 		}];
 		try {
+			let currentVersions = uniqueActions.get(actionName);
+			let firstVersion = currentVersions[0]?.version;
+			if (firstVersion) {
+				let referenceType = await client.getRefType(owner, repo, firstVersion);
+				if (referenceType === "branch") return [...results, {
+					version: null,
+					actionName,
+					sha: null
+				}];
+			}
 			let release = await client.getLatestRelease(owner, repo);
 			if (!release) {
 				let allReleases = await client.getAllReleases(owner, repo, 10);
 				let stableRelease = allReleases.find((currentRelease) => !currentRelease.isPrerelease);
 				release = stableRelease ?? allReleases[0] ?? null;
 			}
+			if (!release) {
+				let tags = await client.getAllTags(owner, repo, 30);
+				if (tags.length > 0) {
+					let semverTag = tags.find((tag) => /^v?\d+(?:\.\d+){0,2}/u.test(tag.tag));
+					let latestTag = semverTag ?? tags[0];
+					if (latestTag) return [...results, {
+						version: latestTag.tag,
+						sha: latestTag.sha,
+						actionName
+					}];
+				}
+			}
 			if (release) {
 				let { version, sha } = release;
 				if (!sha) try {
@@ -104,6 +132,10 @@ function createUpdate(action, latestVersion, latestSha) {
 				let latestMajor = semver.major(latest);
 				isBreaking = latestMajor > currentMajor;
 			}
+			if (!hasUpdate && semver.eq(current, latest) && !isSha(action.version) && latestSha) {
+				hasUpdate = true;
+				isBreaking = false;
+			}
 		} else if (currentVersion !== normalized) hasUpdate = true;
 	}
 	return {

package/dist/core/api/client.d.ts

@@ -1,4 +1,3 @@
-/** Processed release information with normalized types. */
 interface ReleaseInfo {
     /** Release description or null if not provided. */
     description: string | null;
@@ -19,18 +18,19 @@ interface ReleaseInfo {
 interface TagInfo {
     /** Tag or commit message, null if not provided. */
     message: string | null;
+    /** Git commit SHA that this tag points to. */
+    sha: string | null;
     /** Date when the tag was created or committed. */
     date: Date | null;
     /** Tag name (e.g., 'v1.2.3'). */
     tag: string;
-    /** Git commit SHA that this tag points to. */
-    sha: string;
 }
 /** GitHub REST API client with optional authentication. */
 export declare class Client {
+    private readonly baseUrl;
+    private readonly token;
     private rateLimitReset;
     private rateLimitRemaining;
-    private readonly octokit;
     /**
      * Creates a new GitHub API client.
      *
@@ -64,6 +64,8 @@ export declare class Client {
      * @returns Latest release information or null if not found.
      */
     getLatestRelease(owner: string, repo: string): Promise<ReleaseInfo | null>;
+    getAllTags(owner: string, repo: string, limit?: number): Promise<TagInfo[]>;
+    getRefType(owner: string, repo: string, reference: string): Promise<'branch' | 'tag' | null>;
     getRateLimitStatus(): {
         remaining: number;
         resetAt: Date;
@@ -75,6 +77,22 @@ export declare class Client {
      * @returns True if rate limit is below threshold.
      */
     shouldWaitForRateLimit(threshold?: number): boolean;
+    private makeRequest;
     private updateRateLimitInfo;
 }
+/**
+ * Resolve GitHub token from multiple sources with descending priority.
+ *
+ * Priority:
+ *
+ * 1. Env GITHUB_TOKEN
+ * 2. Env GH_TOKEN
+ * 3. Gh auth token
+ * 4. .git/config keys (github.token, github.oauth-token, hub.oauthtoken).
+ *
+ * This is a synchronous best-effort resolver without throwing on failures.
+ *
+ * @returns Token string or undefined when not found.
+ */
+export declare function resolveGitHubTokenSync(): undefined | string;
 export {};

package/dist/core/api/client.js

@@ -1,4 +1,6 @@
-import { Octokit } from "@octokit/rest";
+import { join } from "node:path";
+import { execFileSync } from "node:child_process";
+import { readFileSync } from "node:fs";
 var GitHubRateLimitError = class extends Error {
 	constructor(resetAt) {
 		let resetTime = resetAt.toLocaleTimeString();
@@ -7,14 +9,13 @@ var GitHubRateLimitError = class extends Error {
 	}
 };
 var Client = class Client {
+	baseUrl = "https://api.github.com";
+	token;
 	rateLimitReset = /* @__PURE__ */ new Date();
 	rateLimitRemaining = 60;
-	octokit;
 	constructor(token) {
-		let authToken = token ?? process.env["GITHUB_TOKEN"];
-		this.octokit = new Octokit({ auth: authToken ?? void 0 });
-		if (!authToken) console.warn("No GitHub token found. API rate limits will be restricted.");
-		this.rateLimitRemaining = authToken ? 5e3 : 60;
+		this.token = token ?? process.env["GITHUB_TOKEN"] ?? resolveGitHubTokenSync();
+		this.rateLimitRemaining = this.token ? 5e3 : 60;
 	}
 	static isRateLimitError(error) {
 		if (error && typeof error === "object") {
@@ -29,19 +30,12 @@ var Client = class Client {
 		try {
 			let displayTag = tag.replace(/^refs\/tags\//u, "");
 			try {
-				let { headers: releaseHeaders, data: releaseData } = await this.octokit.repos.getReleaseByTag({
-					tag: displayTag,
-					owner,
-					repo
-				});
-				this.updateRateLimitInfo(releaseHeaders);
+				let releaseResp = await this.makeRequest(`/repos/${owner}/${repo}/releases/tags/${displayTag}`);
+				let releaseData = releaseResp.data;
 				let sha = null;
 				if (releaseData.target_commitish) try {
-					let { data: commitData } = await this.octokit.repos.getCommit({
-						ref: releaseData.target_commitish,
-						owner,
-						repo
-					});
+					let commitResp = await this.makeRequest(`/repos/${owner}/${repo}/commits/${releaseData.target_commitish}`);
+					let commitData = commitResp.data;
 					({sha} = commitData);
 				} catch {
 					sha = releaseData.target_commitish;
@@ -53,32 +47,22 @@ var Client = class Client {
 					tag: displayTag
 				};
 			} catch (releaseError) {
-				if (releaseError instanceof Error && "status" in releaseError && releaseError.status === 404) try {
-					let { headers: referenceHeaders, data: referenceData } = await this.octokit.git.getRef({
-						ref: `tags/${displayTag}`,
-						owner,
-						repo
-					});
-					this.updateRateLimitInfo(referenceHeaders);
+				if (releaseError && typeof releaseError === "object" && "status" in releaseError && releaseError.status === 404) try {
+					let referenceResp = await this.makeRequest(`/repos/${owner}/${repo}/git/refs/tags/${displayTag}`);
+					let referenceData = referenceResp.data;
 					let { sha } = referenceData.object;
 					let message = null;
 					let date = null;
 					if (referenceData.object.type === "tag") try {
-						let { data: tagData } = await this.octokit.git.getTag({
-							tag_sha: sha,
-							owner,
-							repo
-						});
+						let tagResp = await this.makeRequest(`/repos/${owner}/${repo}/git/tags/${sha}`);
+						let tagData = tagResp.data;
 						({sha} = tagData.object);
-						message = tagData.message || null;
+						({message} = tagData);
 						date = tagData.tagger.date ? new Date(tagData.tagger.date) : null;
 					} catch {}
-					else if (referenceData.object.type === "commit") try {
-						let { data: commitData } = await this.octokit.git.getCommit({
-							commit_sha: sha,
-							owner,
-							repo
-						});
+					else try {
+						let commitResp = await this.makeRequest(`/repos/${owner}/${repo}/git/commits/${sha}`);
+						let commitData = commitResp.data;
 						({message} = commitData);
 						date = commitData.author.date ? new Date(commitData.author.date) : null;
 					} catch {}
@@ -89,7 +73,7 @@ var Client = class Client {
 						sha
 					};
 				} catch (tagError) {
-					if (tagError instanceof Error && "status" in tagError && tagError.status === 404) return null;
+					if (tagError && typeof tagError === "object" && "status" in tagError && tagError.status === 404) return null;
 					throw tagError;
 				}
 				throw releaseError;
@@ -101,12 +85,8 @@ var Client = class Client {
 	}
 	async getAllReleases(owner, repo, limit = 10) {
 		try {
-			let { data: releases, headers } = await this.octokit.repos.listReleases({
-				per_page: limit,
-				owner,
-				repo
-			});
-			this.updateRateLimitInfo(headers);
+			let releasesResp = await this.makeRequest(`/repos/${owner}/${repo}/releases?per_page=${limit}`);
+			let releases = releasesResp.data;
 			let releaseInfos = [];
 			await Promise.all(releases.map(async (release) => {
 				let sha = null;
@@ -114,7 +94,7 @@ var Client = class Client {
 					let tagInfo = await this.getTagInfo(owner, repo, release.tag_name);
 					if (tagInfo) ({sha} = tagInfo);
 				} catch {
-					sha = release.target_commitish || null;
+					sha = release.target_commitish;
 				}
 				releaseInfos.push({
 					publishedAt: new Date(release.published_at),
@@ -134,17 +114,14 @@ var Client = class Client {
 	}
 	async getLatestRelease(owner, repo) {
 		try {
-			let { data: release, headers } = await this.octokit.repos.getLatestRelease({
-				owner,
-				repo
-			});
-			this.updateRateLimitInfo(headers);
+			let releaseResp = await this.makeRequest(`/repos/${owner}/${repo}/releases/latest`);
+			let release = releaseResp.data;
 			let sha = null;
 			if (release.tag_name) try {
 				let tagInfo = await this.getTagInfo(owner, repo, release.tag_name);
 				if (tagInfo) ({sha} = tagInfo);
 			} catch {
-				sha = release.target_commitish || null;
+				sha = release.target_commitish;
 			}
 			return {
 				publishedAt: new Date(release.published_at),
@@ -156,11 +133,39 @@ var Client = class Client {
 				sha
 			};
 		} catch (error) {
-			if (error instanceof Error && "status" in error && error.status === 404) return null;
+			if (error && typeof error === "object" && "status" in error && error.status === 404) return null;
 			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
 			throw error;
 		}
 	}
+	async getAllTags(owner, repo, limit = 30) {
+		try {
+			let tagsResp = await this.makeRequest(`/repos/${owner}/${repo}/tags?per_page=${limit}`);
+			let tags = tagsResp.data;
+			return tags.map((tag) => ({
+				sha: tag.commit.sha,
+				tag: tag.name,
+				message: null,
+				date: null
+			}));
+		} catch (error) {
+			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
+			throw error;
+		}
+	}
+	async getRefType(owner, repo, reference) {
+		try {
+			await this.makeRequest(`/repos/${owner}/${repo}/git/refs/tags/${reference}`);
+			return "tag";
+		} catch {
+			try {
+				await this.makeRequest(`/repos/${owner}/${repo}/git/refs/heads/${reference}`);
+				return "branch";
+			} catch {
+				return null;
+			}
+		}
+	}
 	getRateLimitStatus() {
 		return {
 			remaining: this.rateLimitRemaining,
@@ -170,6 +175,35 @@ var Client = class Client {
 	shouldWaitForRateLimit(threshold = 100) {
 		return this.rateLimitRemaining < threshold;
 	}
+	async makeRequest(path$1, options = {}) {
+		let headers = {
+			Accept: "application/vnd.github.v3+json",
+			"User-Agent": "actions-up",
+			...options.headers
+		};
+		if (this.token) headers["Authorization"] = `Bearer ${this.token}`;
+		let response = await fetch(`${this.baseUrl}${path$1}`, {
+			...options,
+			headers
+		});
+		let responseHeaders = {};
+		for (let [key, value] of response.headers.entries()) responseHeaders[key] = value;
+		this.updateRateLimitInfo(responseHeaders);
+		if (!response.ok) {
+			let error = /* @__PURE__ */ new Error(`GitHub API error: ${response.status} ${response.statusText}`);
+			error.status = response.status;
+			if (response.status === 403) {
+				let text = await response.text();
+				if (text.includes("rate limit") || text.includes("API rate limit")) error.message = "API rate limit exceeded";
+			}
+			throw error;
+		}
+		let data = await response.json();
+		return {
+			headers: responseHeaders,
+			data
+		};
+	}
 	updateRateLimitInfo(headers) {
 		let remaining = headers["x-ratelimit-remaining"];
 		if (remaining !== void 0) this.rateLimitRemaining = typeof remaining === "string" ? Number.parseInt(remaining, 10) : remaining;
@@ -180,4 +214,48 @@ var Client = class Client {
 		}
 	}
 };
+function resolveGitHubTokenSync() {
+	let fromGithubToken = process.env["GITHUB_TOKEN"];
+	if (fromGithubToken && fromGithubToken.trim() !== "") return fromGithubToken.trim();
+	let fromGhToken = process.env["GH_TOKEN"];
+	if (fromGhToken && fromGhToken.trim() !== "") return fromGhToken.trim();
+	try {
+		let output = execFileSync("gh", ["auth", "token"], {
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			],
+			encoding: "utf8",
+			timeout: 500
+		});
+		let token = output.trim();
+		if (token) return token;
+	} catch {}
+	try {
+		let gitConfigPath = join(process.cwd(), ".git", "config");
+		let content = readFileSync(gitConfigPath, "utf8");
+		let directMatch = content.match(/^\s*(?:github\.(?:oauth-token|token)|hub\.oauthtoken)\s*=\s*(?<token>\S[^\n\r]*)$/mu);
+		let directToken = directMatch?.groups?.["token"]?.trim();
+		if (directToken) return directToken;
+		let currentSection = null;
+		for (let rawLine of content.split(/\r?\n/u)) {
+			let line = rawLine.trim();
+			let sectionMatch = line.match(/^\[(?<name>[^\]]+)\]$/u);
+			if (sectionMatch?.groups) {
+				currentSection = sectionMatch.groups["name"].toLowerCase();
+				continue;
+			}
+			if (currentSection === "github") {
+				let tokenMatch = line.match(/^(?:oauth-token|token)\s*=\s*(?<val>\S[^\n\r]*)$/u);
+				if (tokenMatch?.groups?.["val"]) return tokenMatch.groups["val"].trim();
+			}
+			if (currentSection === "hub") {
+				let oauthMatch = line.match(/^oauthtoken\s*=\s*(?<val>\S[^\n\r]*)$/u);
+				if (oauthMatch?.groups?.["val"]) return oauthMatch.groups["val"].trim();
+			}
+		}
+	} catch {}
+	return void 0;
+}
 export { Client };

package/dist/core/scan-github-actions.js

@@ -3,7 +3,7 @@ import { scanWorkflowFile } from "./scan-workflow-file.js";
 import { scanActionFile } from "./scan-action-file.js";
 import { isYamlFile } from "./fs/is-yaml-file.js";
 import { isAbsolute, join, relative, resolve } from "node:path";
-import { readdir, stat } from "node:fs/promises";
+import { readFile, readdir, stat } from "node:fs/promises";
 async function scanGitHubActions(rootPath = process.cwd()) {
 	let result = {
 		compositeActions: /* @__PURE__ */ new Map(),
@@ -111,6 +111,84 @@ async function scanGitHubActions(rootPath = process.cwd()) {
 			}
 		}
 	} catch {}
+	try {
+		let repoSlug = await getCurrentRepoSlug(normalizedRoot);
+		if (repoSlug) {
+			if (process.env["ACTIONS_UP_TEST_THROW"] === "1") throw new Error("test");
+			let seenCompositeDirectories = /* @__PURE__ */ new Set();
+			let queue = [];
+			for (let action of result.actions) {
+				if (action.type !== "external") continue;
+				let segs = action.name.split("/");
+				if (segs.length < 3) continue;
+				let candidateSlug = `${segs[0]}/${segs[1]}`;
+				if (candidateSlug !== repoSlug) continue;
+				let compositeDirectory = join(normalizedRoot, ...segs.slice(2));
+				if (!isWithin(normalizedRoot, compositeDirectory)) continue;
+				if (seenCompositeDirectories.has(compositeDirectory)) continue;
+				seenCompositeDirectories.add(compositeDirectory);
+				queue.push(compositeDirectory);
+			}
+			async function processQueue() {
+				if (queue.length === 0) return;
+				let batch = queue.splice(0);
+				let discoveredNext = await Promise.all(batch.map(async (directory) => {
+					try {
+						let ymlPath = join(directory, "action.yml");
+						let yamlPath = join(directory, "action.yaml");
+						let filePath = ymlPath;
+						try {
+							let fileInfo = await stat(ymlPath);
+							if (!fileInfo.isFile()) throw new Error("not a file");
+						} catch {
+							let yamlInfo = await stat(yamlPath);
+							if (!yamlInfo.isFile()) throw new Error("not a file");
+							filePath = yamlPath;
+						}
+						let nestedActions = await scanActionFile(filePath);
+						if (nestedActions.length > 0) result.actions.push(...nestedActions);
+						let nextDirectories = [];
+						for (let nestedAction of nestedActions) {
+							if (nestedAction.type !== "external") continue;
+							let nameSegments = nestedAction.name.split("/");
+							if (nameSegments.length < 3) continue;
+							let nameSlug = `${nameSegments[0]}/${nameSegments[1]}`;
+							if (nameSlug !== repoSlug) continue;
+							let nextDirectory = join(normalizedRoot, ...nameSegments.slice(2));
+							if (!isWithin(normalizedRoot, nextDirectory)) continue;
+							if (seenCompositeDirectories.has(nextDirectory)) continue;
+							seenCompositeDirectories.add(nextDirectory);
+							nextDirectories.push(nextDirectory);
+						}
+						return nextDirectories;
+					} catch {
+						return [];
+					}
+				}));
+				for (let list of discoveredNext) for (let directory of list) queue.push(directory);
+				await processQueue();
+			}
+			await processQueue();
+		}
+	} catch {}
 	return result;
 }
+async function getCurrentRepoSlug(root) {
+	let environmentSlug = process.env["GITHUB_REPOSITORY"];
+	if (environmentSlug && /^[^\s/]+\/[^\s/]+$/u.test(environmentSlug)) return environmentSlug;
+	try {
+		let gitConfigPath = join(root, ".git", "config");
+		let content = await readFile(gitConfigPath, "utf8");
+		let originUrlMatch = content.match(/\[remote "origin"\][\s\S]*?url\s*=\s*(?<url>.+)/u);
+		let url = originUrlMatch?.groups?.["url"]?.trim();
+		if (!url) {
+			let anyUrlMatch = content.match(/url\s*=\s*(?<url>.+)/u);
+			url = anyUrlMatch?.groups?.["url"]?.trim();
+		}
+		if (!url) return null;
+		let httpsMatch = url.match(/github\.com[/:](?<owner>[^/]+)\/(?<repo>[^./]+)(?:\.git)?$/u);
+		if (httpsMatch?.groups) return `${httpsMatch.groups["owner"]}/${httpsMatch.groups["repo"]}`;
+	} catch {}
+	return null;
+}
 export { scanGitHubActions };

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.1.0";
+const version = "1.2.0";
 export { version };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",
@@ -36,7 +36,6 @@
     "./dist"
   ],
   "dependencies": {
-    "@octokit/rest": "^22.0.0",
     "cac": "^6.7.14",
     "enquirer": "^2.4.1",
     "nanospinner": "^1.2.2",

package/readme.md

@@ -14,7 +14,7 @@
 
 Actions Up scans your workflows and composite actions to discover every referenced GitHub Action, then checks for newer releases.
 
-Interactively upgrade and pin actions to exact commit SHAs for secure, reproducible CI and low‑friction maintenance.
+Interactively upgrade and pin actions to exact commit SHAs for secure, reproducible CI and low-friction maintenance.
 
 ## Features
 
@@ -24,6 +24,7 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
 - **Interactive Selection**: Choose which actions to update
 - **Breaking Changes Detection**: Warns about major version updates
 - **Fast & Efficient**: Parallel processing with optimized API calls
+- **CI/CD Integration**: Can be used as a GitHub Action for automated PR checks
 
 ###
 
@@ -113,6 +114,371 @@ npx actions-up --yes
 npx actions-up -y
 ```
 
+### Dry Run Mode
+
+Check for updates without making any changes:
+
+```bash
+npx actions-up --dry-run
+```
+
+## GitHub Actions Integration
+
+### Automated PR Checks
+
+You can integrate Actions Up into your CI/CD pipeline to automatically check for outdated actions on every pull request. This helps maintain security and ensures your team stays aware of available updates.
+
+<details>
+<summary>Create <code>.github/workflows/check-actions-updates.yml</code>.</summary>
+
+````yaml
+name: Check for outdated GitHub Actions
+on:
+  pull_request:
+    types: [edited, opened, synchronize, reopened]
+
+jobs:
+  check-actions:
+    name: Check for GHA updates
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install actions-up
+        run: npm install -g actions-up
+
+      - name: Run actions-up check
+        id: actions-check
+        run: |
+          echo "## GitHub Actions Update Check" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          # Initialize variables
+          HAS_UPDATES=false
+          UPDATE_COUNT=0
+
+          # Run actions-up and capture output
+          echo "Running actions-up to check for updates..."
+          actions-up --dry-run > actions-up-raw.txt 2>&1 || true
+
+          # Strip ANSI color codes from the output
+          sed -i 's/\x1b\[[0-9;]*m//g' actions-up-raw.txt
+
+          # Also remove any other control characters
+          sed -i 's/\x1b\[[0-9;]*[a-zA-Z]//g' actions-up-raw.txt
+
+          # Parse the output to detect updates
+          # Look for patterns like "v3 → v4" or "would be updated"
+          if grep -E "(→|would be updated|Update available)" actions-up-raw.txt > /dev/null 2>&1; then
+            HAS_UPDATES=true
+            # Count the number of updates (lines with arrows)
+            UPDATE_COUNT=$(grep -c "→" actions-up-raw.txt || echo "0")
+          fi
+
+          # Create formatted output
+          if [ "$HAS_UPDATES" = true ]; then
+            echo "Found $UPDATE_COUNT GitHub Actions with available updates" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "<details>" >> $GITHUB_STEP_SUMMARY
+            echo "<summary>Click to see details</summary>" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            cat actions-up-raw.txt >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            echo "</details>" >> $GITHUB_STEP_SUMMARY
+
+            # Create detailed markdown report with better formatting
+            {
+              echo "## GitHub Actions Update Report"
+              echo ""
+
+              # Extract summary information
+              TOTAL_ACTIONS=$(grep -oP 'Found \K[0-9]+(?= actions)' actions-up-raw.txt | head -1 || echo "0")
+              BREAKING_UPDATES=$(grep -oP '\(([0-9]+) breaking\)' actions-up-raw.txt | grep -oP '[0-9]+' || echo "0")
+
+              echo "### Summary"
+              echo "- **Total actions scanned:** $TOTAL_ACTIONS"
+              echo "- **Updates available:** $UPDATE_COUNT"
+              if [ "$BREAKING_UPDATES" != "0" ]; then
+                echo "- **Breaking changes:** $BREAKING_UPDATES"
+              fi
+              echo ""
+
+              echo "### Available Updates"
+              echo ""
+
+              # Format the updates in a table
+              echo "| Workflow File | Action | Current | Available | Type | Release Notes |"
+              echo "|--------------|--------|---------|-----------|------|---------------|"
+
+              # Parse each update line
+              grep "→" actions-up-raw.txt | while IFS= read -r line; do
+                # Extract workflow file path (remove leading path)
+                if echo "$line" | grep -q "\.github/workflows/"; then
+                  PREV_FILE=$(echo "$line" | grep -oP '\.github/workflows/[^:]+' | head -1)
+                fi
+
+                # Skip file path lines, process only action updates
+                if echo "$line" | grep -q ": .* → "; then
+                  # Extract action name and versions
+                  ACTION=$(echo "$line" | cut -d: -f1 | xargs)
+                  CURRENT=$(echo "$line" | grep -oP 'v[0-9]+(\.[0-9]+)*' | head -1)
+                  NEW=$(echo "$line" | grep -oP '→ \Kv[0-9]+(\.[0-9]+)*' | head -1)
+
+                  # Determine if it's a breaking change
+                  CURRENT_MAJOR=$(echo "$CURRENT" | grep -oP 'v\K[0-9]+' || echo "0")
+                  NEW_MAJOR=$(echo "$NEW" | grep -oP 'v\K[0-9]+' || echo "0")
+
+                  if [ "$CURRENT_MAJOR" != "$NEW_MAJOR" ]; then
+                    TYPE="Breaking"
+                    # Generate release URL
+                    # Handle both owner/repo and just repo formats
+                    if echo "$ACTION" | grep -q "/"; then
+                      REPO_PATH="$ACTION"
+                    else
+                      # For actions without owner, assume it's under 'actions' org
+                      REPO_PATH="actions/$ACTION"
+                    fi
+                    RELEASE_URL="https://github.com/${REPO_PATH}/releases/tag/${NEW}"
+                    RELEASE_LINK="[Release](${RELEASE_URL})"
+                  else
+                    TYPE="Minor"
+                    RELEASE_LINK="-"
+                  fi
+
+                  # Output table row
+                  WORKFLOW_NAME=$(basename "$PREV_FILE" 2>/dev/null || echo "workflow.yml")
+                  echo "| \`$WORKFLOW_NAME\` | $ACTION | $CURRENT | **$NEW** | $TYPE | $RELEASE_LINK |"
+                fi
+              done
+
+              echo ""
+              echo "### How to Update"
+              echo ""
+              echo "You have several options to update these actions:"
+              echo ""
+              echo "#### Option 1: Automatic Update (Recommended)"
+              echo '```bash'
+              echo "# Run this command locally in your repository"
+              echo "npx actions-up"
+              echo '```'
+              echo ""
+              echo "#### Option 2: Manual Update"
+              echo "1. Review each update in the table above"
+              echo "2. For breaking changes, click the Release Notes link to review changes"
+              echo "3. Edit the workflow files and update the version numbers"
+              echo "4. Test the changes in your CI/CD pipeline"
+              echo ""
+              echo "#### Option 3: Selective Update"
+              echo '```bash'
+              echo "# Update only non-breaking changes"
+              echo "npx actions-up --breaking false"
+              echo '```'
+              echo ""
+
+              if [ "$BREAKING_UPDATES" != "0" ]; then
+                echo "### Breaking Changes Warning"
+                echo ""
+                echo "This update includes **$BREAKING_UPDATES breaking change(s)**. Please review the release notes before updating:"
+                echo ""
+                grep "→" actions-up-raw.txt | while IFS= read -r line; do
+                  if echo "$line" | grep -q ": .* → "; then
+                    ACTION=$(echo "$line" | cut -d: -f1 | xargs)
+                    CURRENT=$(echo "$line" | grep -oP 'v[0-9]+' | head -1)
+                    NEW=$(echo "$line" | grep -oP '→ \Kv[0-9]+(\.[0-9]+)*' | head -1)
+                    CURRENT_MAJOR=$(echo "$CURRENT" | grep -oP '[0-9]+' || echo "0")
+                    NEW_MAJOR=$(echo "$NEW" | grep -oP '[0-9]+' || echo "0")
+                    if [ "$CURRENT_MAJOR" != "$NEW_MAJOR" ]; then
+                      # Generate release URL
+                      if echo "$ACTION" | grep -q "/"; then
+                        REPO_PATH="$ACTION"
+                      else
+                        REPO_PATH="actions/$ACTION"
+                      fi
+                      RELEASE_URL="https://github.com/${REPO_PATH}/releases/tag/${NEW}"
+                      echo "- **$ACTION**: $CURRENT → $NEW - [View Release Notes](${RELEASE_URL})"
+                    fi
+                  fi
+                done
+                echo ""
+                echo "**Important:** Breaking changes may require modifications to your workflow configuration. Always review the release notes and test thoroughly."
+                echo ""
+              fi
+
+              echo "---"
+              echo ""
+              echo "<details>"
+              echo "<summary>Raw actions-up output</summary>"
+              echo ""
+              echo '```'
+              cat actions-up-raw.txt
+              echo '```'
+              echo "</details>"
+            } > actions-up-report.md
+
+            echo "has-updates=true" >> $GITHUB_OUTPUT
+            echo "update-count=$UPDATE_COUNT" >> $GITHUB_OUTPUT
+          else
+            echo "All GitHub Actions are up to date!" >> $GITHUB_STEP_SUMMARY
+
+            {
+              echo "## GitHub Actions Update Report"
+              echo ""
+              echo "### All GitHub Actions in this repository are up to date!"
+              echo ""
+              echo "No action required. Your workflow files are using the latest versions of all GitHub Actions."
+            } > actions-up-report.md
+
+            echo "has-updates=false" >> $GITHUB_OUTPUT
+            echo "update-count=0" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Comment PR with updates
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const report = fs.readFileSync('actions-up-report.md', 'utf8');
+            const hasUpdates = '${{ steps.actions-check.outputs.has-updates }}' === 'true';
+            const updateCount = '${{ steps.actions-check.outputs.update-count }}';
+
+            // Check if we already commented
+            const comments = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number
+            });
+
+            const botComment = comments.data.find(comment =>
+              comment.user.type === 'Bot' &&
+              comment.body.includes('GitHub Actions Update Report')
+            );
+
+            const commentBody = `${report}
+
+            ---
+            *Generated by [actions-up](https://github.com/azat-io/actions-up) | Last check: ${new Date().toISOString()}*`;
+
+            // Only comment if there are updates or if we previously commented
+            if (hasUpdates || botComment) {
+              if (botComment) {
+                // Update existing comment
+                await github.rest.issues.updateComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: botComment.id,
+                  body: commentBody
+                });
+                console.log('Updated existing comment');
+              } else {
+                // Create new comment only if there are updates
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.issue.number,
+                  body: commentBody
+                });
+                console.log('Created new comment');
+              }
+            } else {
+              console.log('No updates found and no previous comment exists - skipping comment');
+            }
+
+            // Add or update PR labels based on status
+            const labels = await github.rest.issues.listLabelsOnIssue({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number
+            });
+
+            const hasOutdatedLabel = labels.data.some(label => label.name === 'outdated-actions');
+
+            if (hasUpdates && !hasOutdatedLabel) {
+              // Add label if updates are found
+              try {
+                await github.rest.issues.addLabels({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.issue.number,
+                  labels: ['outdated-actions']
+                });
+                console.log('Added outdated-actions label');
+              } catch (error) {
+                console.log('Could not add label (might not exist in repo):', error.message);
+              }
+            } else if (!hasUpdates && hasOutdatedLabel) {
+              // Remove label if no updates
+              try {
+                await github.rest.issues.removeLabel({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.issue.number,
+                  name: 'outdated-actions'
+                });
+                console.log('Removed outdated-actions label');
+              } catch (error) {
+                console.log('Could not remove label:', error.message);
+              }
+            }
+
+      - name: Fail if outdated actions found
+        if: steps.actions-check.outputs.has-updates == 'true'
+        run: |
+          echo "::error:: Found ${{ steps.actions-check.outputs.update-count }} outdated GitHub Actions. Please update them before merging."
+          echo ""
+          echo "You can update them by running: npx actions-up"
+          echo "Or manually update the versions in your workflow files."
+          exit 1
+````
+
+</details>
+
+### Advanced PR Integration with Comments
+
+For a more sophisticated integration that comments directly on PRs with detailed update information, check out our [example workflow with PR comments](https://github.com/azat-io/actions-up/blob/main/examples/workflows/check-with-comments.yml).
+
+This advanced workflow:
+
+- Comments on PRs with a formatted table of available updates
+- Adds labels to PRs with outdated actions
+- Includes links to release notes for breaking changes
+- Updates existing comments instead of creating duplicates
+
+### Scheduled Checks
+
+You can also set up scheduled checks to stay informed about updates:
+
+```yaml
+name: Weekly Actions Update Check
+
+on:
+  schedule:
+    - cron: '0 9 * * 1' # Every Monday at 9 AM
+  workflow_dispatch: # Allow manual triggers
+
+jobs:
+  check-updates:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - run: npm install -g actions-up
+      - run: |
+          if actions-up --dry-run | grep -q "→"; then
+            echo "Updates available! Run 'npx actions-up' to update."
+            exit 1
+          fi
+```
+
 ## Example
 
 ```yaml
@@ -136,6 +502,38 @@ While Actions Up works without authentication, providing a GitHub token increase
 - For public repositories: Select `public_repo` scope
 - For private repositories: Select `repo` scope
 
+Set the token as an environment variable:
+
+```bash
+export GITHUB_TOKEN=your_token_here
+npx actions-up
+```
+
+Or in GitHub Actions:
+
+```yaml
+- name: Check for updates
+  env:
+    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  run: npx actions-up --dry-run
+```
+
+### Command Line Options
+
+```bash
+# Update all actions without prompts
+npx actions-up --yes
+
+# Check for updates without making changes
+npx actions-up --dry-run
+
+# Update only non-breaking changes
+npx actions-up --breaking false
+
+# Specify custom workflow directory
+npx actions-up --workflows ./custom/workflows
+```
+
 ## Security
 
 Actions Up promotes security best practices:
@@ -143,6 +541,16 @@ Actions Up promotes security best practices:
 - **SHA Pinning**: Uses commit SHA instead of mutable tags
 - **Version Comments**: Adds version as comment for readability
 - **No Auto-Updates**: Full control over what gets updated
+- **Breaking Change Warnings**: Alerts you to major version updates that may require configuration changes
+
+## CI/CD Best Practices
+
+When using Actions Up in your CI/CD pipeline:
+
+1. **Start with warnings**: Begin by running checks without failing builds to gauge the update frequency
+2. **Regular updates**: Schedule weekly or monthly update PRs rather than blocking every PR
+3. **Team education**: Ensure your team understands the security benefits of keeping actions updated
+4. **Gradual adoption**: Roll out to a few repositories first before organization-wide deployment
 
 ## Contributing
 

package/dist/core/schema/composite/is-composite-action-step.d.ts

@@ -1,8 +0,0 @@
-import { CompositeActionStep } from '../../../types/composite-action-step';
-/**
- * Type guard to check if a value conforms to the CompositeActionStep interface.
- *
- * @param value - The value to check.
- * @returns True if the value is a valid composite action step.
- */
-export declare function isCompositeActionStep(value: unknown): value is CompositeActionStep;

package/dist/core/schema/workflow/is-workflow-job.d.ts

@@ -1,8 +0,0 @@
-import { WorkflowJob } from '../../../types/workflow-job';
-/**
- * Type guard to check if a value conforms to the WorkflowJob interface.
- *
- * @param value - The value to check.
- * @returns True if the value is a valid workflow job.
- */
-export declare function isWorkflowJob(value: unknown): value is WorkflowJob;

package/dist/core/schema/workflow/is-workflow-step.d.ts

@@ -1,8 +0,0 @@
-import { WorkflowStep } from '../../../types/workflow-step';
-/**
- * Type guard to check if a value conforms to the WorkflowStep interface.
- *
- * @param value - The value to check.
- * @returns True if the value is a valid workflow step.
- */
-export declare function isWorkflowStep(value: unknown): value is WorkflowStep;