actions-up 1.1.1 → 1.2.1

package/dist/core/api/check-updates.js

@@ -20,19 +20,47 @@ async function checkUpdates(actions, token) {
 			actionName,
 			sha: null
 		}];
-		let [owner, repo] = actionName.split("/");
+		let segments = actionName.split("/");
+		if (segments.length < 2) return [...results, {
+			version: null,
+			actionName,
+			sha: null
+		}];
+		let [owner, repo] = segments;
 		if (!owner || !repo) return [...results, {
 			version: null,
 			actionName,
 			sha: null
 		}];
 		try {
+			let currentVersions = uniqueActions.get(actionName);
+			let firstVersion = currentVersions[0]?.version;
+			if (firstVersion) {
+				let referenceType = await client.getRefType(owner, repo, firstVersion);
+				if (referenceType === "branch") return [...results, {
+					version: null,
+					actionName,
+					sha: null
+				}];
+			}
 			let release = await client.getLatestRelease(owner, repo);
 			if (!release) {
 				let allReleases = await client.getAllReleases(owner, repo, 10);
 				let stableRelease = allReleases.find((currentRelease) => !currentRelease.isPrerelease);
 				release = stableRelease ?? allReleases[0] ?? null;
 			}
+			if (!release) {
+				let tags = await client.getAllTags(owner, repo, 30);
+				if (tags.length > 0) {
+					let semverTag = tags.find((tag) => /^v?\d+(?:\.\d+){0,2}/u.test(tag.tag));
+					let latestTag = semverTag ?? tags[0];
+					if (latestTag) return [...results, {
+						version: latestTag.tag,
+						sha: latestTag.sha,
+						actionName
+					}];
+				}
+			}
 			if (release) {
 				let { version, sha } = release;
 				if (!sha) try {
@@ -104,6 +132,10 @@ function createUpdate(action, latestVersion, latestSha) {
 				let latestMajor = semver.major(latest);
 				isBreaking = latestMajor > currentMajor;
 			}
+			if (!hasUpdate && semver.eq(current, latest) && !isSha(action.version) && latestSha) {
+				hasUpdate = true;
+				isBreaking = false;
+			}
 		} else if (currentVersion !== normalized) hasUpdate = true;
 	}
 	return {

package/dist/core/api/client.d.ts

@@ -64,6 +64,8 @@ export declare class Client {
      * @returns Latest release information or null if not found.
      */
     getLatestRelease(owner: string, repo: string): Promise<ReleaseInfo | null>;
+    getAllTags(owner: string, repo: string, limit?: number): Promise<TagInfo[]>;
+    getRefType(owner: string, repo: string, reference: string): Promise<'branch' | 'tag' | null>;
     getRateLimitStatus(): {
         remaining: number;
         resetAt: Date;
@@ -78,4 +80,19 @@ export declare class Client {
     private makeRequest;
     private updateRateLimitInfo;
 }
+/**
+ * Resolve GitHub token from multiple sources with descending priority.
+ *
+ * Priority:
+ *
+ * 1. Env GITHUB_TOKEN
+ * 2. Env GH_TOKEN
+ * 3. Gh auth token
+ * 4. .git/config keys (github.token, github.oauth-token, hub.oauthtoken).
+ *
+ * This is a synchronous best-effort resolver without throwing on failures.
+ *
+ * @returns Token string or undefined when not found.
+ */
+export declare function resolveGitHubTokenSync(): undefined | string;
 export {};

package/dist/core/api/client.js

@@ -1,3 +1,6 @@
+import { join } from "node:path";
+import { execFileSync } from "node:child_process";
+import { readFileSync } from "node:fs";
 var GitHubRateLimitError = class extends Error {
 	constructor(resetAt) {
 		let resetTime = resetAt.toLocaleTimeString();
@@ -11,8 +14,7 @@ var Client = class Client {
 	rateLimitReset = /* @__PURE__ */ new Date();
 	rateLimitRemaining = 60;
 	constructor(token) {
-		this.token = token ?? process.env["GITHUB_TOKEN"];
-		if (!this.token) console.warn("No GitHub token found. API rate limits will be restricted.");
+		this.token = token ?? process.env["GITHUB_TOKEN"] ?? resolveGitHubTokenSync();
 		this.rateLimitRemaining = this.token ? 5e3 : 60;
 	}
 	static isRateLimitError(error) {
@@ -30,19 +32,45 @@ var Client = class Client {
 			try {
 				let releaseResp = await this.makeRequest(`/repos/${owner}/${repo}/releases/tags/${displayTag}`);
 				let releaseData = releaseResp.data;
+				let date = releaseData.published_at ? new Date(releaseData.published_at) : null;
+				let message = releaseData.body ?? null;
 				let sha = null;
-				if (releaseData.target_commitish) try {
-					let commitResp = await this.makeRequest(`/repos/${owner}/${repo}/commits/${releaseData.target_commitish}`);
-					let commitData = commitResp.data;
-					({sha} = commitData);
+				try {
+					let referenceResp = await this.makeRequest(`/repos/${owner}/${repo}/git/refs/tags/${displayTag}`);
+					let referenceData = referenceResp.data;
+					let objectSha = referenceData.object.sha;
+					let objectType = referenceData.object.type;
+					if (objectSha && objectType === "tag") try {
+						let tagResp = await this.makeRequest(`/repos/${owner}/${repo}/git/tags/${objectSha}`);
+						let tagData = tagResp.data;
+						let tagObject = tagData.object;
+						sha = tagObject?.sha ?? null;
+						let taggerDate = tagData.tagger?.date;
+						if (!date && taggerDate) date = new Date(taggerDate);
+						let tagMessage = tagData.message;
+						if (!message && typeof tagMessage === "string") message = tagMessage;
+					} catch {
+						sha = objectSha;
+					}
+					else if (objectSha && objectType === "commit") {
+						sha = objectSha;
+						if (!date || !message) try {
+							let commitResp = await this.makeRequest(`/repos/${owner}/${repo}/git/commits/${objectSha}`);
+							let commitData = commitResp.data;
+							let { message: commitMessage } = commitData;
+							if (!message && typeof commitMessage === "string") message = commitMessage;
+							let authorDate = commitData.author?.date;
+							if (!date && authorDate) date = new Date(authorDate);
+						} catch {}
+					}
 				} catch {
-					sha = releaseData.target_commitish;
+					if (isLikelySha(releaseData.target_commitish)) sha = releaseData.target_commitish;
 				}
 				return {
-					date: releaseData.published_at ? new Date(releaseData.published_at) : null,
-					sha: sha ?? releaseData.target_commitish,
-					message: releaseData.body ?? null,
-					tag: displayTag
+					tag: displayTag,
+					message,
+					date,
+					sha
 				};
 			} catch (releaseError) {
 				if (releaseError && typeof releaseError === "object" && "status" in releaseError && releaseError.status === 404) try {
@@ -92,7 +120,7 @@ var Client = class Client {
 					let tagInfo = await this.getTagInfo(owner, repo, release.tag_name);
 					if (tagInfo) ({sha} = tagInfo);
 				} catch {
-					sha = release.target_commitish;
+					sha = isLikelySha(release.target_commitish) ? release.target_commitish : null;
 				}
 				releaseInfos.push({
 					publishedAt: new Date(release.published_at),
@@ -119,7 +147,7 @@ var Client = class Client {
 				let tagInfo = await this.getTagInfo(owner, repo, release.tag_name);
 				if (tagInfo) ({sha} = tagInfo);
 			} catch {
-				sha = release.target_commitish;
+				sha = isLikelySha(release.target_commitish) ? release.target_commitish : null;
 			}
 			return {
 				publishedAt: new Date(release.published_at),
@@ -136,6 +164,34 @@ var Client = class Client {
 			throw error;
 		}
 	}
+	async getAllTags(owner, repo, limit = 30) {
+		try {
+			let tagsResp = await this.makeRequest(`/repos/${owner}/${repo}/tags?per_page=${limit}`);
+			let tags = tagsResp.data;
+			return tags.map((tag) => ({
+				sha: tag.commit.sha,
+				tag: tag.name,
+				message: null,
+				date: null
+			}));
+		} catch (error) {
+			if (Client.isRateLimitError(error)) throw new GitHubRateLimitError(this.rateLimitReset);
+			throw error;
+		}
+	}
+	async getRefType(owner, repo, reference) {
+		try {
+			await this.makeRequest(`/repos/${owner}/${repo}/git/refs/tags/${reference}`);
+			return "tag";
+		} catch {
+			try {
+				await this.makeRequest(`/repos/${owner}/${repo}/git/refs/heads/${reference}`);
+				return "branch";
+			} catch {
+				return null;
+			}
+		}
+	}
 	getRateLimitStatus() {
 		return {
 			remaining: this.rateLimitRemaining,
@@ -145,14 +201,14 @@ var Client = class Client {
 	shouldWaitForRateLimit(threshold = 100) {
 		return this.rateLimitRemaining < threshold;
 	}
-	async makeRequest(path, options = {}) {
+	async makeRequest(path$1, options = {}) {
 		let headers = {
 			Accept: "application/vnd.github.v3+json",
 			"User-Agent": "actions-up",
 			...options.headers
 		};
 		if (this.token) headers["Authorization"] = `Bearer ${this.token}`;
-		let response = await fetch(`${this.baseUrl}${path}`, {
+		let response = await fetch(`${this.baseUrl}${path$1}`, {
 			...options,
 			headers
 		});
@@ -184,4 +240,53 @@ var Client = class Client {
 		}
 	}
 };
+function resolveGitHubTokenSync() {
+	let fromGithubToken = process.env["GITHUB_TOKEN"];
+	if (fromGithubToken && fromGithubToken.trim() !== "") return fromGithubToken.trim();
+	let fromGhToken = process.env["GH_TOKEN"];
+	if (fromGhToken && fromGhToken.trim() !== "") return fromGhToken.trim();
+	try {
+		let output = execFileSync("gh", ["auth", "token"], {
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			],
+			encoding: "utf8",
+			timeout: 500
+		});
+		let token = output.trim();
+		if (token) return token;
+	} catch {}
+	try {
+		let gitConfigPath = join(process.cwd(), ".git", "config");
+		let content = readFileSync(gitConfigPath, "utf8");
+		let directMatch = content.match(/^\s*(?:github\.(?:oauth-token|token)|hub\.oauthtoken)\s*=\s*(?<token>\S[^\n\r]*)$/mu);
+		let directToken = directMatch?.groups?.["token"]?.trim();
+		if (directToken) return directToken;
+		let currentSection = null;
+		for (let rawLine of content.split(/\r?\n/u)) {
+			let line = rawLine.trim();
+			let sectionMatch = line.match(/^\[(?<name>[^\]]+)\]$/u);
+			if (sectionMatch?.groups) {
+				currentSection = sectionMatch.groups["name"].toLowerCase();
+				continue;
+			}
+			if (currentSection === "github") {
+				let tokenMatch = line.match(/^(?:oauth-token|token)\s*=\s*(?<val>\S[^\n\r]*)$/u);
+				if (tokenMatch?.groups?.["val"]) return tokenMatch.groups["val"].trim();
+			}
+			if (currentSection === "hub") {
+				let oauthMatch = line.match(/^oauthtoken\s*=\s*(?<val>\S[^\n\r]*)$/u);
+				if (oauthMatch?.groups?.["val"]) return oauthMatch.groups["val"].trim();
+			}
+		}
+	} catch {}
+	return void 0;
+}
+function isLikelySha(value) {
+	if (typeof value !== "string" || value.trim() === "") return false;
+	let normalized = value.replace(/^v/u, "");
+	return /^[0-9a-f]{7,40}$/iu.test(normalized);
+}
 export { Client };

package/dist/core/scan-github-actions.js

@@ -3,7 +3,7 @@ import { scanWorkflowFile } from "./scan-workflow-file.js";
 import { scanActionFile } from "./scan-action-file.js";
 import { isYamlFile } from "./fs/is-yaml-file.js";
 import { isAbsolute, join, relative, resolve } from "node:path";
-import { readdir, stat } from "node:fs/promises";
+import { readFile, readdir, stat } from "node:fs/promises";
 async function scanGitHubActions(rootPath = process.cwd()) {
 	let result = {
 		compositeActions: /* @__PURE__ */ new Map(),
@@ -111,6 +111,84 @@ async function scanGitHubActions(rootPath = process.cwd()) {
 			}
 		}
 	} catch {}
+	try {
+		let repoSlug = await getCurrentRepoSlug(normalizedRoot);
+		if (repoSlug) {
+			if (process.env["ACTIONS_UP_TEST_THROW"] === "1") throw new Error("test");
+			let seenCompositeDirectories = /* @__PURE__ */ new Set();
+			let queue = [];
+			for (let action of result.actions) {
+				if (action.type !== "external") continue;
+				let segs = action.name.split("/");
+				if (segs.length < 3) continue;
+				let candidateSlug = `${segs[0]}/${segs[1]}`;
+				if (candidateSlug !== repoSlug) continue;
+				let compositeDirectory = join(normalizedRoot, ...segs.slice(2));
+				if (!isWithin(normalizedRoot, compositeDirectory)) continue;
+				if (seenCompositeDirectories.has(compositeDirectory)) continue;
+				seenCompositeDirectories.add(compositeDirectory);
+				queue.push(compositeDirectory);
+			}
+			async function processQueue() {
+				if (queue.length === 0) return;
+				let batch = queue.splice(0);
+				let discoveredNext = await Promise.all(batch.map(async (directory) => {
+					try {
+						let ymlPath = join(directory, "action.yml");
+						let yamlPath = join(directory, "action.yaml");
+						let filePath = ymlPath;
+						try {
+							let fileInfo = await stat(ymlPath);
+							if (!fileInfo.isFile()) throw new Error("not a file");
+						} catch {
+							let yamlInfo = await stat(yamlPath);
+							if (!yamlInfo.isFile()) throw new Error("not a file");
+							filePath = yamlPath;
+						}
+						let nestedActions = await scanActionFile(filePath);
+						if (nestedActions.length > 0) result.actions.push(...nestedActions);
+						let nextDirectories = [];
+						for (let nestedAction of nestedActions) {
+							if (nestedAction.type !== "external") continue;
+							let nameSegments = nestedAction.name.split("/");
+							if (nameSegments.length < 3) continue;
+							let nameSlug = `${nameSegments[0]}/${nameSegments[1]}`;
+							if (nameSlug !== repoSlug) continue;
+							let nextDirectory = join(normalizedRoot, ...nameSegments.slice(2));
+							if (!isWithin(normalizedRoot, nextDirectory)) continue;
+							if (seenCompositeDirectories.has(nextDirectory)) continue;
+							seenCompositeDirectories.add(nextDirectory);
+							nextDirectories.push(nextDirectory);
+						}
+						return nextDirectories;
+					} catch {
+						return [];
+					}
+				}));
+				for (let list of discoveredNext) for (let directory of list) queue.push(directory);
+				await processQueue();
+			}
+			await processQueue();
+		}
+	} catch {}
 	return result;
 }
+async function getCurrentRepoSlug(root) {
+	let environmentSlug = process.env["GITHUB_REPOSITORY"];
+	if (environmentSlug && /^[^\s/]+\/[^\s/]+$/u.test(environmentSlug)) return environmentSlug;
+	try {
+		let gitConfigPath = join(root, ".git", "config");
+		let content = await readFile(gitConfigPath, "utf8");
+		let originUrlMatch = content.match(/\[remote "origin"\][\s\S]*?url\s*=\s*(?<url>.+)/u);
+		let url = originUrlMatch?.groups?.["url"]?.trim();
+		if (!url) {
+			let anyUrlMatch = content.match(/url\s*=\s*(?<url>.+)/u);
+			url = anyUrlMatch?.groups?.["url"]?.trim();
+		}
+		if (!url) return null;
+		let httpsMatch = url.match(/github\.com[/:](?<owner>[^/]+)\/(?<repo>[^./]+)(?:\.git)?$/u);
+		if (httpsMatch?.groups) return `${httpsMatch.groups["owner"]}/${httpsMatch.groups["repo"]}`;
+	} catch {}
+	return null;
+}
 export { scanGitHubActions };

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.1.1";
+const version = "1.2.1";
 export { version };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.1.1",
+  "version": "1.2.1",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",

package/readme.md

@@ -14,7 +14,7 @@
 
 Actions Up scans your workflows and composite actions to discover every referenced GitHub Action, then checks for newer releases.
 
-Interactively upgrade and pin actions to exact commit SHAs for secure, reproducible CI and low‑friction maintenance.
+Interactively upgrade and pin actions to exact commit SHAs for secure, reproducible CI and low-friction maintenance.
 
 ## Features
 
@@ -23,7 +23,8 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
 - **Batch Updates**: Update multiple actions at once
 - **Interactive Selection**: Choose which actions to update
 - **Breaking Changes Detection**: Warns about major version updates
-- **Fast & Efficient**: Parallel processing with optimized API calls
+- **Fast & Efficient**: Optimized API usage with deduped lookups
+- **CI/CD Integration**: Use in GitHub Actions workflows for automated PR checks
 
 ###
 
@@ -113,6 +114,261 @@ npx actions-up --yes
 npx actions-up -y
 ```
 
+### Dry Run Mode
+
+Check for updates without making any changes:
+
+```bash
+npx actions-up --dry-run
+```
+
+## GitHub Actions Integration
+
+### Automated PR Checks
+
+You can integrate Actions Up into your CI/CD pipeline to automatically check for outdated actions on every pull request. This helps maintain security and ensures your team stays aware of available updates.
+
+<details>
+<summary>Create <code>.github/workflows/check-actions-updates.yml</code>.</summary>
+
+````yaml
+name: Check for outdated GitHub Actions
+on:
+  pull_request:
+    types: [edited, opened, synchronize, reopened]
+
+jobs:
+  check-actions:
+    name: Check for GHA updates
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install actions-up
+        run: npm install -g actions-up
+
+      - name: Run actions-up check
+        id: actions-check
+        run: |
+          echo "## GitHub Actions Update Check" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          # Initialize variables
+          HAS_UPDATES=false
+          UPDATE_COUNT=0
+
+          # Run actions-up and capture output
+          echo "Running actions-up to check for updates..."
+          actions-up --dry-run > actions-up-raw.txt 2>&1 || true
+
+          # Parse the output to detect updates
+          if grep -q "→" actions-up-raw.txt; then
+            HAS_UPDATES=true
+            # Count the number of updates (lines with arrows)
+            UPDATE_COUNT=$(grep -c "→" actions-up-raw.txt || echo "0")
+          fi
+
+          # Create formatted output
+          if [ "$HAS_UPDATES" = true ]; then
+            echo "Found $UPDATE_COUNT GitHub Actions with available updates" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "<details>" >> $GITHUB_STEP_SUMMARY
+            echo "<summary>Click to see details</summary>" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            cat actions-up-raw.txt >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            echo "</details>" >> $GITHUB_STEP_SUMMARY
+
+            # Create detailed markdown report with better formatting
+            {
+              echo "## GitHub Actions Update Report"
+              echo ""
+
+              echo "### Summary"
+              echo "- **Updates available:** $UPDATE_COUNT"
+              echo ""
+
+              # See the raw output above for details.
+              echo "### How to Update"
+              echo ""
+              echo "You have several options to update these actions:"
+              echo ""
+              echo "#### Option 1: Automatic Update (Recommended)"
+              echo '```bash'
+              echo "# Run this command locally in your repository"
+              echo "npx actions-up"
+              echo '```'
+              echo ""
+              echo "#### Option 2: Manual Update"
+              echo "1. Review each update in the table above"
+              echo "2. For breaking changes, click the Release Notes link to review changes"
+              echo "3. Edit the workflow files and update the version numbers"
+              echo "4. Test the changes in your CI/CD pipeline"
+              echo ""
+              echo "---"
+              echo ""
+              echo "<details>"
+              echo "<summary>Raw actions-up output</summary>"
+              echo ""
+              echo '```'
+              cat actions-up-raw.txt
+              echo '```'
+              echo "</details>"
+            } > actions-up-report.md
+
+            echo "has-updates=true" >> $GITHUB_OUTPUT
+            echo "update-count=$UPDATE_COUNT" >> $GITHUB_OUTPUT
+          else
+            echo "All GitHub Actions are up to date!" >> $GITHUB_STEP_SUMMARY
+
+            {
+              echo "## GitHub Actions Update Report"
+              echo ""
+              echo "### All GitHub Actions in this repository are up to date!"
+              echo ""
+              echo "No action required. Your workflow files are using the latest versions of all GitHub Actions."
+            } > actions-up-report.md
+
+            echo "has-updates=false" >> $GITHUB_OUTPUT
+            echo "update-count=0" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Comment PR with updates
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const report = fs.readFileSync('actions-up-report.md', 'utf8');
+            const hasUpdates = '${{ steps.actions-check.outputs.has-updates }}' === 'true';
+            const updateCount = '${{ steps.actions-check.outputs.update-count }}';
+
+            // Check if we already commented
+            const comments = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number
+            });
+
+            const botComment = comments.data.find(comment =>
+              comment.user.type === 'Bot' &&
+              comment.body.includes('GitHub Actions Update Report')
+            );
+
+            const commentBody = `${report}
+
+            ---
+            *Generated by [actions-up](https://github.com/azat-io/actions-up) | Last check: ${new Date().toISOString()}*`;
+
+            // Only comment if there are updates or if we previously commented
+            if (hasUpdates || botComment) {
+              if (botComment) {
+                // Update existing comment
+                await github.rest.issues.updateComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: botComment.id,
+                  body: commentBody
+                });
+                console.log('Updated existing comment');
+              } else {
+                // Create new comment only if there are updates
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.issue.number,
+                  body: commentBody
+                });
+                console.log('Created new comment');
+              }
+            } else {
+              console.log('No updates found and no previous comment exists - skipping comment');
+            }
+
+            // Add or update PR labels based on status
+            const labels = await github.rest.issues.listLabelsOnIssue({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number
+            });
+
+            const hasOutdatedLabel = labels.data.some(label => label.name === 'outdated-actions');
+
+            if (hasUpdates && !hasOutdatedLabel) {
+              // Add label if updates are found
+              try {
+                await github.rest.issues.addLabels({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.issue.number,
+                  labels: ['outdated-actions']
+                });
+                console.log('Added outdated-actions label');
+              } catch (error) {
+                console.log('Could not add label (might not exist in repo):', error.message);
+              }
+            } else if (!hasUpdates && hasOutdatedLabel) {
+              // Remove label if no updates
+              try {
+                await github.rest.issues.removeLabel({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.issue.number,
+                  name: 'outdated-actions'
+                });
+                console.log('Removed outdated-actions label');
+              } catch (error) {
+                console.log('Could not remove label:', error.message);
+              }
+            }
+
+      - name: Fail if outdated actions found
+        if: steps.actions-check.outputs.has-updates == 'true'
+        run: |
+          echo "::error:: Found ${{ steps.actions-check.outputs.update-count }} outdated GitHub Actions. Please update them before merging."
+          echo ""
+          echo "You can update them by running: npx actions-up"
+          echo "Or manually update the versions in your workflow files."
+          exit 1
+````
+
+</details>
+
+### Scheduled Checks
+
+You can also set up scheduled checks to stay informed about updates:
+
+```yaml
+name: Weekly Actions Update Check
+
+on:
+  schedule:
+    - cron: '0 9 * * 1' # Every Monday at 9 AM
+  workflow_dispatch: # Allow manual triggers
+
+jobs:
+  check-updates:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - run: npm install -g actions-up
+      - run: |
+          if actions-up --dry-run | grep -q "→"; then
+            echo "Updates available! Run 'npx actions-up' to update."
+            exit 1
+          fi
+```
+
 ## Example
 
 ```yaml
@@ -136,6 +392,22 @@ While Actions Up works without authentication, providing a GitHub token increase
 - For public repositories: Select `public_repo` scope
 - For private repositories: Select `repo` scope
 
+Set the token as an environment variable:
+
+```bash
+export GITHUB_TOKEN=your_token_here
+npx actions-up
+```
+
+Or in GitHub Actions:
+
+```yaml
+- name: Check for updates
+  env:
+    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  run: npx actions-up --dry-run
+```
+
 ## Security
 
 Actions Up promotes security best practices:
@@ -143,6 +415,16 @@ Actions Up promotes security best practices:
 - **SHA Pinning**: Uses commit SHA instead of mutable tags
 - **Version Comments**: Adds version as comment for readability
 - **No Auto-Updates**: Full control over what gets updated
+- **Breaking Change Warnings**: Alerts you to major version updates that may require configuration changes
+
+## CI/CD Best Practices
+
+When using Actions Up in your CI/CD pipeline:
+
+1. **Start with warnings**: Begin by running checks without failing builds to gauge the update frequency
+2. **Regular updates**: Schedule weekly or monthly update PRs rather than blocking every PR
+3. **Team education**: Ensure your team understands the security benefits of keeping actions updated
+4. **Gradual adoption**: Roll out to a few repositories first before organization-wide deployment
 
 ## Contributing
 

package/dist/core/schema/composite/is-composite-action-step.d.ts

@@ -1,8 +0,0 @@
-import { CompositeActionStep } from '../../../types/composite-action-step';
-/**
- * Type guard to check if a value conforms to the CompositeActionStep interface.
- *
- * @param value - The value to check.
- * @returns True if the value is a valid composite action step.
- */
-export declare function isCompositeActionStep(value: unknown): value is CompositeActionStep;

package/dist/core/schema/workflow/is-workflow-job.d.ts

@@ -1,8 +0,0 @@
-import { WorkflowJob } from '../../../types/workflow-job';
-/**
- * Type guard to check if a value conforms to the WorkflowJob interface.
- *
- * @param value - The value to check.
- * @returns True if the value is a valid workflow job.
- */
-export declare function isWorkflowJob(value: unknown): value is WorkflowJob;

package/dist/core/schema/workflow/is-workflow-step.d.ts

@@ -1,8 +0,0 @@
-import { WorkflowStep } from '../../../types/workflow-step';
-/**
- * Type guard to check if a value conforms to the WorkflowStep interface.
- *
- * @param value - The value to check.
- * @returns True if the value is a valid workflow step.
- */
-export declare function isWorkflowStep(value: unknown): value is WorkflowStep;