actions-up 1.10.1 → 1.11.0

package/dist/cli/index.js

@@ -1,87 +1,95 @@
 import { readInlineVersionComment } from "../core/versions/read-inline-version-comment.js";
+import { GITHUB_DIRECTORY } from "../core/constants.js";
 import { isSha } from "../core/versions/is-sha.js";
 import { promptUpdateSelection } from "../core/interactive/prompt-update-selection.js";
 import { getUpdateLevel } from "../core/versions/get-update-level.js";
 import { applyUpdates } from "../core/ast/update/apply-updates.js";
 import { shouldIgnore } from "../core/ignore/should-ignore.js";
 import { checkUpdates } from "../core/api/check-updates.js";
+import { scanRecursive } from "../core/scan-recursive.js";
 import { scanGitHubActions } from "../core/scan-github-actions.js";
 import "../core/index.js";
 import { version } from "../package.js";
+import { relative, resolve } from "node:path";
 import { createSpinner } from "nanospinner";
 import "node:worker_threads";
 import pc from "picocolors";
 import cac from "cac";
 function run() {
-	let h = cac("actions-up");
-	h.help().version(version).option("--dir <directory>", "Custom directory name (default: .github)").option("--dry-run", "Preview changes without applying them").option("--exclude <regex>", "Exclude actions by regex (repeatable)").option("--include-branches", "Also check actions pinned to branches (default: false)").option("--min-age <days>", "Minimum age in days for updates (default: 0)", { default: 0 }).option("--mode <mode>", "Update mode: major, minor, or patch (default: major)", { default: "major" }).option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (p) => {
+	let b = cac("actions-up");
+	b.help().version(version).option("--dir <directory>", "Custom directory name (default: .github)").option("--dry-run", "Preview changes without applying them").option("--exclude <regex>", "Exclude actions by regex (repeatable)").option("--include-branches", "Also check actions pinned to branches (default: false)").option("--min-age <days>", "Minimum age in days for updates (default: 0)", { default: 0 }).option("--mode <mode>", "Update mode: major, minor, or patch (default: major)", { default: "major" }).option("--recursive, -r", "Recursively scan directories for YAML files").option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (g) => {
 		console.info(pc.cyan("\n🚀 Actions Up!\n"));
-		let m = createSpinner("Scanning GitHub Actions...").start();
+		let y = createSpinner("Scanning GitHub Actions...").start(), b = [];
+		Array.isArray(g.dir) ? b.push(...g.dir) : typeof g.dir == "string" ? b.push(g.dir) : b.push(GITHUB_DIRECTORY);
+		let x = [...new Set(b.map((e) => {
+			let d = process.cwd();
+			return relative(d, resolve(d, e)) || ".";
+		}))];
 		try {
-			let h = await scanGitHubActions(process.cwd(), p.dir), g = h.actions.length, _ = h.workflows.size, v = h.compositeActions.size;
-			if (m.success(`Found ${pc.yellow(g)} actions in ${pc.yellow(_)} workflows and ${pc.yellow(v)} composite actions`), g === 0) {
+			let d = mergeScanResults(g.recursive ? await Promise.all(x.map((e) => scanRecursive(process.cwd(), e))) : await Promise.all(x.map((e) => scanGitHubActions(process.cwd(), e)))), _ = d.actions.length, v = d.workflows.size, b = d.compositeActions.size;
+			if (y.success(`Found ${pc.yellow(_)} actions in ${pc.yellow(v)} workflows and ${pc.yellow(b)} composite actions`), _ === 0) {
 				console.info(pc.green("\n✨ No GitHub Actions found in this repository"));
 				return;
 			}
-			let y = h.actions, b = [];
-			Array.isArray(p.exclude) ? b.push(...p.exclude) : typeof p.exclude == "string" && b.push(p.exclude);
-			let x = b.flatMap((e) => e.split(",")).map((e) => e.trim()).filter(Boolean);
-			if (x.length > 0) {
-				let { parseExcludePatterns: e } = await import("../core/filters/parse-exclude-patterns.js"), s = e(x);
-				s.length > 0 && (y = y.filter((e) => {
-					let { name: c } = e;
-					for (let e of s) if (e.test(c)) return !1;
+			let S = d.actions, C = [];
+			Array.isArray(g.exclude) ? C.push(...g.exclude) : typeof g.exclude == "string" && C.push(g.exclude);
+			let w = C.flatMap((e) => e.split(",")).map((e) => e.trim()).filter(Boolean);
+			if (w.length > 0) {
+				let { parseExcludePatterns: e } = await import("../core/filters/parse-exclude-patterns.js"), d = e(w);
+				d.length > 0 && (S = S.filter((e) => {
+					let { name: f } = e;
+					for (let e of d) if (e.test(f)) return !1;
 					return !0;
 				}));
 			}
-			if (m = createSpinner("Checking for updates...").start(), y.length === 0) {
-				m.success("No actions to check after excludes"), console.info(pc.green("\n✨ Nothing to check after excludes\n"));
+			if (y = createSpinner("Checking for updates...").start(), S.length === 0) {
+				y.success("No actions to check after excludes"), console.info(pc.green("\n✨ Nothing to check after excludes\n"));
 				return;
 			}
-			let S = p.includeBranches ?? !1, C = await checkUpdates(y, process.env.GITHUB_TOKEN, { includeBranches: S }), w = [];
-			await Promise.all(C.map(async (e) => {
-				await shouldIgnore(e.action.file, e.action.line) || w.push(e);
+			let T = g.includeBranches ?? !1, E = await checkUpdates(S, process.env.GITHUB_TOKEN, { includeBranches: T }), D = [];
+			await Promise.all(E.map(async (e) => {
+				await shouldIgnore(e.action.file, e.action.line) || D.push(e);
 			}));
-			let T = w.filter((e) => e.status === "skipped"), E = w.filter((e) => e.hasUpdate), D = p.minAge * 24 * 60 * 60 * 1e3, O = Date.now();
-			E = E.filter((e) => e.publishedAt ? O - e.publishedAt.getTime() >= D : !0);
-			let k = normalizeUpdateMode(p.mode), A = [];
-			if (k !== "major") {
-				let c = /* @__PURE__ */ new Map(), u = await Promise.all(E.map(async (u) => {
-					let d = u.currentVersion;
-					if (isSha(u.currentVersion)) {
-						let s = await readInlineVersionComment(u.action.file, u.action.line, c);
-						s && (d = s);
+			let O = D.filter((e) => e.status === "skipped"), k = D.filter((e) => e.hasUpdate), A = g.minAge * 24 * 60 * 60 * 1e3, j = Date.now();
+			k = k.filter((e) => e.publishedAt ? j - e.publishedAt.getTime() >= A : !0);
+			let M = normalizeUpdateMode(g.mode), N = [];
+			if (M !== "major") {
+				let d = /* @__PURE__ */ new Map(), p = await Promise.all(k.map(async (p) => {
+					let m = p.currentVersion;
+					if (isSha(p.currentVersion)) {
+						let f = await readInlineVersionComment(p.action.file, p.action.line, d);
+						f && (m = f);
 					}
-					let f = getUpdateLevel(d, u.latestVersion);
+					let h = getUpdateLevel(m, p.latestVersion);
 					return {
-						allowed: k === "minor" ? f === "minor" || f === "patch" || f === "none" : f === "patch" || f === "none",
-						update: u
+						allowed: M === "minor" ? h === "minor" || h === "patch" || h === "none" : h === "patch" || h === "none",
+						update: p
 					};
-				})), d = [];
-				for (let e of u) e.allowed ? d.push(e.update) : A.push(e.update);
-				E = d;
+				})), m = [];
+				for (let e of p) e.allowed ? m.push(e.update) : N.push(e.update);
+				k = m;
 			}
-			let j = E.filter((e) => e.isBreaking);
-			if (E.length === 0) {
-				m.success("All actions are up to date!"), T.length > 0 && printSkippedWarning(T, S), A.length > 0 && printModeWarning(A, k), console.info(pc.green("\n✨ Everything is already at the latest version!\n"));
+			let P = k.filter((e) => e.isBreaking);
+			if (k.length === 0) {
+				y.success("All actions are up to date!"), O.length > 0 && printSkippedWarning(O, T), N.length > 0 && printModeWarning(N, M), console.info(pc.green("\n✨ Everything is already at the latest version!\n"));
 				return;
 			}
-			if (m.success(`Found ${pc.yellow(E.length)} updates available${j.length > 0 ? ` (${pc.redBright(j.length)} breaking)` : ""}`), T.length > 0 && printSkippedWarning(T, S), A.length > 0 && printModeWarning(A, k), p.dryRun) {
+			if (y.success(`Found ${pc.yellow(k.length)} updates available${P.length > 0 ? ` (${pc.redBright(P.length)} breaking)` : ""}`), O.length > 0 && printSkippedWarning(O, T), N.length > 0 && printModeWarning(N, M), g.dryRun) {
 				console.info(pc.yellow("\n📋 Dry Run - No changes will be made\n"));
-				for (let e of E) console.info(`${pc.cyan(e.action.file ?? "unknown")}:\n${e.action.name}: ${pc.redBright(e.currentVersion)} → ${pc.green(e.latestVersion)} ${e.latestSha ? pc.gray(`(${e.latestSha.slice(0, 7)})`) : ""}\n`);
-				console.info(pc.gray(`\n${E.length} actions would be updated\n`));
+				for (let e of k) console.info(`${pc.cyan(e.action.file ?? "unknown")}:\n${e.action.name}: ${pc.redBright(e.currentVersion)} → ${pc.green(e.latestVersion)} ${e.latestSha ? pc.gray(`(${e.latestSha.slice(0, 7)})`) : ""}\n`);
+				console.info(pc.gray(`\n${k.length} actions would be updated\n`));
 				return;
 			}
-			if (p.yes) {
-				let e = E.filter((e) => e.latestSha);
+			if (g.yes) {
+				let e = k.filter((e) => e.latestSha);
 				if (e.length === 0) {
 					console.info(pc.yellow("\n⚠️ No actions with SHA available for update\n"));
 					return;
 				}
 				console.info(pc.yellow(`\n🔄 Updating ${e.length} actions...\n`)), await applyUpdates(e), console.info(pc.green("\n✓ Updates applied successfully!"));
 			} else {
-				(T.length > 0 || A.length > 0) && console.info("");
-				let e = await promptUpdateSelection(E, { showAge: p.minAge > 0 });
+				(O.length > 0 || N.length > 0) && console.info("");
+				let e = await promptUpdateSelection(k, { showAge: g.minAge > 0 });
 				if (!e || e.length === 0) {
 					console.info(pc.gray("\nNo updates applied"));
 					return;
@@ -89,30 +97,47 @@ function run() {
 				console.info(pc.yellow(`\n🔄 Updating ${e.length} selected actions...\n`)), await applyUpdates(e), console.info(pc.green("\n✓ Updates applied successfully!"));
 			}
 		} catch (e) {
-			m.error("Failed"), e instanceof Error && e.name === "GitHubRateLimitError" ? (console.error(pc.yellow("\n⚠️ Rate Limit Exceeded\n")), console.error(e.message), console.error(pc.gray("\nExample: GITHUB_TOKEN=ghp_xxxx actions-up\n"))) : console.error(pc.redBright("\nError:"), e instanceof Error ? e.message : String(e)), process.exit(1);
+			y.error("Failed"), e instanceof Error && e.name === "GitHubRateLimitError" ? (console.error(pc.yellow("\n⚠️ Rate Limit Exceeded\n")), console.error(e.message), console.error(pc.gray("\nExample: GITHUB_TOKEN=ghp_xxxx actions-up\n"))) : console.error(pc.redBright("\nError:"), e instanceof Error ? e.message : String(e)), process.exit(1);
 		}
-	}), h.parse();
+	}), b.parse();
 }
-function printModeWarning(e, s) {
+function mergeScanResults(e) {
+	let d = {
+		compositeActions: /* @__PURE__ */ new Map(),
+		workflows: /* @__PURE__ */ new Map(),
+		actions: []
+	};
+	for (let f of e) {
+		for (let [e, p] of f.workflows) d.workflows.set(e, p);
+		for (let [, e] of f.compositeActions) d.compositeActions.set(e, e);
+		d.actions.push(...f.actions);
+	}
+	let f = /* @__PURE__ */ new Set();
+	return d.actions = d.actions.filter((e) => {
+		let d = `${e.file}:${e.line}:${e.name}:${e.version}`;
+		return f.has(d) ? !1 : (f.add(d), !0);
+	}), d;
+}
+function printModeWarning(e, d) {
 	if (e.length === 0) return;
-	let c = new Intl.PluralRules("en-US", { type: "cardinal" }).select(e.length) === "one" ? "action" : "actions", l = s === "minor" ? "major" : "major/minor";
-	console.info(pc.yellow(`\n⚠️  Skipped ${e.length} ${c} due to ${l} updates`));
-	for (let s of e) {
-		let e = s.action.uses ?? `${s.action.name}@${s.currentVersion ?? "unknown"}`;
+	let f = new Intl.PluralRules("en-US", { type: "cardinal" }).select(e.length) === "one" ? "action" : "actions", p = d === "minor" ? "major" : "major/minor";
+	console.info(pc.yellow(`\n⚠️  Skipped ${e.length} ${f} due to ${p} updates`));
+	for (let d of e) {
+		let e = d.action.uses ?? `${d.action.name}@${d.currentVersion ?? "unknown"}`;
 		console.info(pc.gray(`   • ${e}`));
 	}
 }
-function printSkippedWarning(e, s) {
-	let c = new Intl.PluralRules("en-US", { type: "cardinal" }).select(e.length) === "one" ? "action" : "actions", l = s ? "" : " (use --include-branches to check them)";
-	console.info(pc.yellow(`\n⚠️  Skipped ${e.length} ${c} pinned to branches${l}`));
-	for (let s of e) {
-		let e = s.action.uses ?? `${s.action.name}@${s.currentVersion ?? "unknown"}`;
+function printSkippedWarning(e, d) {
+	let f = new Intl.PluralRules("en-US", { type: "cardinal" }).select(e.length) === "one" ? "action" : "actions", p = d ? "" : " (use --include-branches to check them)";
+	console.info(pc.yellow(`\n⚠️  Skipped ${e.length} ${f} pinned to branches${p}`));
+	for (let d of e) {
+		let e = d.action.uses ?? `${d.action.name}@${d.currentVersion ?? "unknown"}`;
 		console.info(pc.gray(`   • ${e}`));
 	}
 }
 function normalizeUpdateMode(e) {
-	let s = (e ?? "major").toLowerCase();
-	if (s === "major" || s === "minor" || s === "patch") return s;
+	let d = (e ?? "major").toLowerCase();
+	if (d === "major" || d === "minor" || d === "patch") return d;
 	throw Error(`Invalid mode "${e}". Expected "major", "minor", or "patch".`);
 }
 export { run };

package/dist/core/ast/scanners/scan-composite-action-ast.js

@@ -1,8 +1,8 @@
+import { isCompositeActionStructure } from "../../schema/composite/is-composite-action-structure.js";
+import { isCompositeActionRuns } from "../../schema/composite/is-composite-action-runs.js";
 import { isYAMLMap } from "../guards/is-yaml-map.js";
 import { extractUsesFromSteps } from "../utils/extract-uses-from-steps.js";
 import { findMapPair } from "../utils/find-map-pair.js";
-import { isCompositeActionStructure } from "../../schema/composite/is-composite-action-structure.js";
-import { isCompositeActionRuns } from "../../schema/composite/is-composite-action-runs.js";
 function scanCompositeActionAst(a, o, s) {
 	let c = a.toJSON();
 	if (!isCompositeActionStructure(c) || !a.contents || !isYAMLMap(a.contents)) return [];

package/dist/core/ast/scanners/scan-workflow-ast.js

@@ -1,4 +1,3 @@
-import { isWorkflowStructure } from "../../schema/workflow/is-workflow-structure.js";
 import { parseActionReference } from "../../parsing/parse-action-reference.js";
 import { getLineNumberForKey } from "../utils/get-line-number.js";
 import { isYAMLMap } from "../guards/is-yaml-map.js";
@@ -7,19 +6,20 @@ import { isNode } from "../guards/is-node.js";
 import { isPair } from "../guards/is-pair.js";
 import { extractUsesFromSteps } from "../utils/extract-uses-from-steps.js";
 import { findMapPair } from "../utils/find-map-pair.js";
+import { isWorkflowStructure } from "../../schema/workflow/is-workflow-structure.js";
 function scanWorkflowAst(l, u, d) {
 	if (!isWorkflowStructure(l.toJSON()) || !l.contents || !isYAMLMap(l.contents)) return [];
 	let f = findMapPair(l.contents, "jobs");
 	if (!f?.value || !isYAMLMap(f.value)) return [];
 	let p = [];
-	for (let e of f.value.items) {
-		if (!isPair(e) || !e.value || !isNode(e.value) || !isYAMLMap(e.value)) continue;
-		let l = isScalar(e.key) ? String(e.key.value) : void 0, f = findMapPair(e.value, "uses");
+	for (let c of f.value.items) {
+		if (!isPair(c) || !c.value || !isNode(c.value) || !isYAMLMap(c.value)) continue;
+		let l = isScalar(c.key) ? String(c.key.value) : void 0, f = findMapPair(c.value, "uses");
 		if (f?.value && f.key && isScalar(f.value)) {
-			let e = parseActionReference(String(f.value.value), d, getLineNumberForKey(u, f.key));
-			e && (l && (e.job = l), p.push(e));
+			let s = parseActionReference(String(f.value.value), d, getLineNumberForKey(u, f.key));
+			s && (l && (s.job = l), p.push(s));
 		}
-		let m = findMapPair(e.value, "steps");
+		let m = findMapPair(c.value, "steps");
 		m?.value && p.push(...extractUsesFromSteps({
 			stepsNode: m.value,
 			filePath: d,

package/dist/core/fs/find-yaml-files-recursive.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Recursively finds all YAML files in a directory.
+ *
+ * @param directory - The absolute path to the directory to search.
+ * @returns A promise that resolves to an array of absolute paths to YAML files.
+ */
+export declare function findYamlFilesRecursive(directory: string): Promise<string[]>;

package/dist/core/fs/find-yaml-files-recursive.js

@@ -0,0 +1,20 @@
+import { isYamlFile } from "./is-yaml-file.js";
+import { join } from "node:path";
+import { lstat, readdir } from "node:fs/promises";
+async function findYamlFilesRecursive(i) {
+	let a = [], o = /* @__PURE__ */ new Set();
+	async function s(i) {
+		if ((await lstat(i)).isSymbolicLink() || o.has(i)) return;
+		o.add(i);
+		let c = (await readdir(i)).map(async (r) => {
+			try {
+				let o = join(i, r), c = await lstat(o);
+				if (c.isSymbolicLink()) return;
+				c.isDirectory() ? await s(o) : c.isFile() && isYamlFile(r) && a.push(o);
+			} catch {}
+		});
+		await Promise.all(c);
+	}
+	return await s(i), a;
+}
+export { findYamlFilesRecursive };

package/dist/core/index.d.ts

@@ -1,3 +1,4 @@
 export { scanGitHubActions } from './scan-github-actions';
 export { applyUpdates } from './ast/update/apply-updates';
 export { checkUpdates } from './api/check-updates';
+export { scanRecursive } from './scan-recursive';

package/dist/core/index.js

@@ -1,4 +1,5 @@
 import { applyUpdates } from "./ast/update/apply-updates.js";
 import { checkUpdates } from "./api/check-updates.js";
+import { scanRecursive } from "./scan-recursive.js";
 import { scanGitHubActions } from "./scan-github-actions.js";
-export { applyUpdates, checkUpdates, scanGitHubActions };
+export { applyUpdates, checkUpdates, scanGitHubActions, scanRecursive };

package/dist/core/interactive/prompt-update-selection.js

@@ -4,10 +4,10 @@ import { GITHUB_DIRECTORY } from "../constants.js";
 import { isSha } from "../versions/is-sha.js";
 import { stripAnsi } from "./strip-ansi.js";
 import { padString } from "./pad-string.js";
+import path from "node:path";
 import "node:worker_threads";
 import pc from "picocolors";
 import enquirer from "enquirer";
-import path from "node:path";
 var MIN_ACTION_WIDTH = 40, MIN_JOB_WIDTH = 4, MIN_CURRENT_WIDTH = 16, MAX_VERSION_WIDTH = 7;
 async function promptUpdateSelection(g, v = {}) {
 	let { showAge: y = !1 } = v;
@@ -41,8 +41,8 @@ async function promptUpdateSelection(g, v = {}) {
 		};
 	})), C = [], w = stripAnsi("Action").length, T = stripAnsi("Current").length, E = stripAnsi("Job").length, D = 0, O = !1;
 	for (let [t, a] of b.entries()) {
-		let o = a.action.name, u = S[t], d = u.display, f = a.action.job ?? "–";
-		if (w = Math.max(w, o.length), T = Math.max(T, stripAnsi(d).length, u.versionForPadding && u.shortSha ? stripAnsi(`${padString(u.versionForPadding, D + 1)}${pc.gray(`(${u.shortSha})`)}`).length : 0), E = Math.max(E, f.length), a.latestVersion) {
+		let o = a.action.name, l = S[t], d = l.display, f = a.action.job ?? "–";
+		if (w = Math.max(w, o.length), T = Math.max(T, stripAnsi(d).length, l.versionForPadding && l.shortSha ? stripAnsi(`${padString(l.versionForPadding, D + 1)}${pc.gray(`(${l.shortSha})`)}`).length : 0), E = Math.max(E, f.length), a.latestVersion) {
 			let o = formatVersion(a.latestVersion, S[t]?.effectiveForDiff ?? a.currentVersion);
 			D = Math.max(D, stripAnsi(o).length);
 		}
@@ -56,7 +56,7 @@ async function promptUpdateSelection(g, v = {}) {
 			console.warn(`Unexpected missing group for file: ${a}`);
 			continue;
 		}
-		let s = [], u = o;
+		let s = [], l = o;
 		s.push({
 			current: "Current",
 			action: "Action",
@@ -65,10 +65,10 @@ async function promptUpdateSelection(g, v = {}) {
 			job: "Job",
 			age: "Age"
 		});
-		for (let { update: t, index: a } of u) {
-			let o = !!t.latestSha, u = S[a], d = u.display;
-			u.versionForPadding && u.shortSha && (d = `${padString(u.versionForPadding, M + 1)}${pc.gray(`(${u.shortSha})`)}`);
-			let f = u.effectiveForDiff ?? t.currentVersion, p = formatVersion(t.latestVersion, f), m = t.action.name;
+		for (let { update: t, index: a } of l) {
+			let o = !!t.latestSha, l = S[a], d = l.display;
+			l.versionForPadding && l.shortSha && (d = `${padString(l.versionForPadding, M + 1)}${pc.gray(`(${l.shortSha})`)}`);
+			let f = l.effectiveForDiff ?? t.currentVersion, p = formatVersion(t.latestVersion, f), m = t.action.name;
 			if (t.latestSha) {
 				let i = t.latestSha.slice(0, 7);
 				p = `${padString(p, M + 1)}${pc.gray(`(${i})`)}`;
@@ -101,7 +101,7 @@ async function promptUpdateSelection(g, v = {}) {
 				name: ""
 			});
 			else {
-				let { update: i, index: a } = u[t - 1], s = !!i.latestSha, c = s && !i.isBreaking;
+				let { update: i, index: a } = l[t - 1], s = !!i.latestSha, c = s && !i.isBreaking;
 				_.push({
 					message: o,
 					value: String(a),

package/dist/core/scan-action-file.js

@@ -1,5 +1,5 @@
-import { readYamlDocument } from "./fs/read-yaml-document.js";
 import { scanCompositeActionAst } from "./ast/scanners/scan-composite-action-ast.js";
+import { readYamlDocument } from "./fs/read-yaml-document.js";
 async function scanActionFile(n) {
 	let { document: r, content: i } = await readYamlDocument(n);
 	return scanCompositeActionAst(r, i, n);

package/dist/core/scan-github-actions.js

@@ -1,18 +1,18 @@
 import { ACTIONS_DIRECTORY, GITHUB_DIRECTORY, WORKFLOWS_DIRECTORY } from "./constants.js";
+import { isYamlFile } from "./fs/is-yaml-file.js";
 import { scanWorkflowFile } from "./scan-workflow-file.js";
 import { scanActionFile } from "./scan-action-file.js";
-import { isYamlFile } from "./fs/is-yaml-file.js";
-import { readFile, readdir, stat } from "node:fs/promises";
 import { isAbsolute, join, relative, resolve } from "node:path";
-async function scanGitHubActions(d = process.cwd(), m = GITHUB_DIRECTORY) {
+import { readFile, readdir, stat } from "node:fs/promises";
+async function scanGitHubActions(p = process.cwd(), m = GITHUB_DIRECTORY) {
 	let h = {
 		compositeActions: /* @__PURE__ */ new Map(),
 		workflows: /* @__PURE__ */ new Map(),
 		actions: []
-	}, g = resolve(d);
-	function _(e, o) {
-		let s = relative(e, o);
-		return s !== "" && !s.startsWith("..") && !isAbsolute(s);
+	}, g = resolve(p);
+	function _(e, a) {
+		let o = relative(e, a);
+		return o !== "" && !o.startsWith("..") && !isAbsolute(o);
 	}
 	let v = join(g, m);
 	if (!_(g, v)) throw Error("Invalid path: detected path traversal attempt");
@@ -21,8 +21,8 @@ async function scanGitHubActions(d = process.cwd(), m = GITHUB_DIRECTORY) {
 	}
 	async function b(e) {
 		try {
-			let o = await stat(e);
-			return typeof o.isFile == "function" ? o.isFile() : !1;
+			let a = await stat(e);
+			return typeof a.isFile == "function" ? a.isFile() : !1;
 		} catch {
 			return !1;
 		}
@@ -31,13 +31,13 @@ async function scanGitHubActions(d = process.cwd(), m = GITHUB_DIRECTORY) {
 	try {
 		if ((await stat(x)).isDirectory()) {
 			let e = (await readdir(x)).filter((e) => y(e) ? isYamlFile(e) : !1).map(async (e) => {
-				let o = join(x, e);
+				let a = join(x, e);
 				try {
-					let l = await scanWorkflowFile(o);
+					let s = await scanWorkflowFile(a);
 					return {
 						path: `${m}/${WORKFLOWS_DIRECTORY}/${e}`,
 						success: !0,
-						actions: l
+						actions: s
 					};
 				} catch {
 					return {
@@ -46,111 +46,111 @@ async function scanGitHubActions(d = process.cwd(), m = GITHUB_DIRECTORY) {
 						actions: []
 					};
 				}
-			}), o = await Promise.all(e);
-			for (let e of o) e.success && e.path && (e.actions.length > 0 ? (h.workflows.set(e.path, e.actions), h.actions.push(...e.actions)) : h.workflows.set(e.path, []));
+			}), a = await Promise.all(e);
+			for (let e of a) e.success && e.path && (e.actions.length > 0 ? (h.workflows.set(e.path, e.actions), h.actions.push(...e.actions)) : h.workflows.set(e.path, []));
 		}
 	} catch {}
 	try {
-		let e = join(g, "action.yml"), o = join(g, "action.yaml"), s = null, c = [];
+		let e = join(g, "action.yml"), a = join(g, "action.yaml"), o = null, s = [];
 		if (await b(e)) try {
-			c = await scanActionFile(e), s = e;
+			s = await scanActionFile(e), o = e;
 		} catch {
-			s = null;
+			o = null;
 		}
-		if (!s && await b(o)) try {
-			c = await scanActionFile(o), s = o;
+		if (!o && await b(a)) try {
+			s = await scanActionFile(a), o = a;
 		} catch {
-			s = null;
+			o = null;
 		}
-		if (s) {
-			let e = relative(g, s);
-			h.compositeActions.set(e, e), c.length > 0 && h.actions.push(...c);
+		if (o) {
+			let e = relative(g, o);
+			h.compositeActions.set(e, e), s.length > 0 && h.actions.push(...s);
 		}
 	} catch {}
 	let S = join(v, ACTIONS_DIRECTORY);
 	try {
 		if ((await stat(S)).isDirectory()) {
-			let o = (await readdir(S)).map(async (o) => {
-				if (!y(o)) return null;
-				let s = join(S, o);
+			let a = (await readdir(S)).map(async (a) => {
+				if (!y(a)) return null;
+				let o = join(S, a);
 				try {
-					if (!(await stat(s)).isDirectory()) return null;
-					let c = join(s, "action.yml"), u = [];
+					if (!(await stat(o)).isDirectory()) return null;
+					let s = join(o, "action.yml"), c = [];
 					try {
-						u = await scanActionFile(c);
+						c = await scanActionFile(s);
 					} catch {
 						try {
-							c = join(s, "action.yaml"), u = await scanActionFile(c);
+							s = join(o, "action.yaml"), c = await scanActionFile(s);
 						} catch {
 							return null;
 						}
 					}
 					return {
-						path: `${m}/${ACTIONS_DIRECTORY}/${o}`,
-						name: o,
-						actions: u
+						path: `${m}/${ACTIONS_DIRECTORY}/${a}`,
+						name: a,
+						actions: c
 					};
 				} catch {
 					return null;
 				}
-			}), s = await Promise.all(o);
-			for (let e of s) e && (h.compositeActions.set(e.name, e.path), h.actions.push(...e.actions));
+			}), o = await Promise.all(a);
+			for (let e of o) e && (h.compositeActions.set(e.name, e.path), h.actions.push(...e.actions));
 		}
 	} catch {}
 	try {
 		let e = await getCurrentRepoSlug(g);
 		if (e) {
 			if (process.env.ACTIONS_UP_TEST_THROW === "1") throw Error("test");
-			let o = /* @__PURE__ */ new Set(), s = [];
-			for (let c of h.actions) {
-				if (c.type !== "external") continue;
-				let l = c.name.split("/");
-				if (l.length < 3 || `${l[0]}/${l[1]}` !== e) continue;
-				let u = join(g, ...l.slice(2));
-				_(g, u) && (o.has(u) || (o.add(u), s.push(u)));
+			let a = /* @__PURE__ */ new Set(), o = [];
+			for (let s of h.actions) {
+				if (s.type !== "external") continue;
+				let c = s.name.split("/");
+				if (c.length < 3 || `${c[0]}/${c[1]}` !== e) continue;
+				let l = join(g, ...c.slice(2));
+				_(g, l) && (a.has(l) || (a.add(l), o.push(l)));
 			}
-			async function c() {
-				if (s.length === 0) return;
-				let u = s.splice(0), d = await Promise.all(u.map(async (s) => {
+			async function s() {
+				if (o.length === 0) return;
+				let c = o.splice(0), u = await Promise.all(c.map(async (o) => {
 					try {
-						let c = join(s, "action.yml"), u = join(s, "action.yaml"), d = c;
+						let s = join(o, "action.yml"), c = join(o, "action.yaml"), u = s;
 						try {
-							if (!(await stat(c)).isFile()) throw Error("not a file");
+							if (!(await stat(s)).isFile()) throw Error("not a file");
 						} catch {
-							if (!(await stat(u)).isFile()) throw Error("not a file");
-							d = u;
+							if (!(await stat(c)).isFile()) throw Error("not a file");
+							u = c;
 						}
-						let f = await scanActionFile(d);
-						f.length > 0 && h.actions.push(...f);
-						let p = [];
-						for (let s of f) {
-							if (s.type !== "external") continue;
-							let c = s.name.split("/");
-							if (c.length < 3 || `${c[0]}/${c[1]}` !== e) continue;
-							let l = join(g, ...c.slice(2));
-							_(g, l) && (o.has(l) || (o.add(l), p.push(l)));
+						let d = await scanActionFile(u);
+						d.length > 0 && h.actions.push(...d);
+						let f = [];
+						for (let o of d) {
+							if (o.type !== "external") continue;
+							let s = o.name.split("/");
+							if (s.length < 3 || `${s[0]}/${s[1]}` !== e) continue;
+							let c = join(g, ...s.slice(2));
+							_(g, c) && (a.has(c) || (a.add(c), f.push(c)));
 						}
-						return p;
+						return f;
 					} catch {
 						return [];
 					}
 				}));
-				for (let e of d) for (let o of e) s.push(o);
-				await c();
+				for (let e of u) for (let a of e) o.push(a);
+				await s();
 			}
-			await c();
+			await s();
 		}
 	} catch {}
 	return h;
 }
 async function getCurrentRepoSlug(e) {
-	let o = process.env.GITHUB_REPOSITORY;
-	if (o && /^[^\s/]+\/[^\s/]+$/u.test(o)) return o;
+	let a = process.env.GITHUB_REPOSITORY;
+	if (a && /^[^\s/]+\/[^\s/]+$/u.test(a)) return a;
 	try {
-		let o = await readFile(join(e, ".git", "config"), "utf8"), s = o.match(/\[remote "origin"\][\s\S]*?url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim();
-		if (s ||= o.match(/url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim(), !s) return null;
-		let c = s.match(/github\.com[/:](?<owner>[^/]+)\/(?<repo>[^./]+)(?:\.git)?$/u);
-		if (c?.groups) return `${c.groups.owner}/${c.groups.repo}`;
+		let a = await readFile(join(e, ".git", "config"), "utf8"), o = a.match(/\[remote "origin"\][\s\S]*?url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim();
+		if (o ||= a.match(/url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim(), !o) return null;
+		let s = o.match(/github\.com[/:](?<owner>[^/]+)\/(?<repo>[^./]+)(?:\.git)?$/u);
+		if (s?.groups) return `${s.groups.owner}/${s.groups.repo}`;
 	} catch {}
 	return null;
 }

package/dist/core/scan-recursive.d.ts

@@ -0,0 +1,10 @@
+import { ScanResult } from '../types/scan-result';
+/**
+ * Recursively scans a directory for all YAML files and classifies them as
+ * workflows or composite actions.
+ *
+ * @param rootPath - The root path of the repository.
+ * @param directory - The directory to scan recursively, relative to rootPath.
+ * @returns A promise that resolves to a ScanResult.
+ */
+export declare function scanRecursive(rootPath: string, directory: string): Promise<ScanResult>;

package/dist/core/scan-recursive.js

@@ -0,0 +1,48 @@
+import { isCompositeActionStructure } from "./schema/composite/is-composite-action-structure.js";
+import { scanCompositeActionAst } from "./ast/scanners/scan-composite-action-ast.js";
+import { isWorkflowStructure } from "./schema/workflow/is-workflow-structure.js";
+import { findYamlFilesRecursive } from "./fs/find-yaml-files-recursive.js";
+import { scanWorkflowAst } from "./ast/scanners/scan-workflow-ast.js";
+import { readYamlDocument } from "./fs/read-yaml-document.js";
+import { dirname, isAbsolute, relative, resolve } from "node:path";
+async function scanRecursive(d, f) {
+	let p = {
+		compositeActions: /* @__PURE__ */ new Map(),
+		workflows: /* @__PURE__ */ new Map(),
+		actions: []
+	}, m = resolve(d), h = resolve(m, f), g = relative(m, h);
+	if (g !== "" && (g.startsWith("..") || isAbsolute(g))) throw Error("Invalid path: detected path traversal attempt");
+	let _;
+	try {
+		_ = await findYamlFilesRecursive(h);
+	} catch {
+		return p;
+	}
+	let v = _.map(async (o) => {
+		let s = relative(m, o);
+		try {
+			let { document: c, content: l } = await readYamlDocument(o), u = c.toJSON();
+			if (isWorkflowStructure(u) && hasKey(u, "jobs")) return {
+				type: "workflow",
+				path: s,
+				actions: scanWorkflowAst(c, l, o)
+			};
+			if (isCompositeActionStructure(u) && hasKey(u, "runs")) return {
+				type: "action",
+				path: s,
+				actions: scanCompositeActionAst(c, l, o)
+			};
+		} catch {}
+		return null;
+	}), y = await Promise.all(v);
+	for (let e of y) if (e) if (e.type === "workflow") p.workflows.set(e.path, e.actions), p.actions.push(...e.actions);
+	else {
+		let i = dirname(e.path), a = i === "." || i === "" ? e.path : i;
+		p.compositeActions.set(a, e.path), p.actions.push(...e.actions);
+	}
+	return p;
+}
+function hasKey(e, i) {
+	return typeof e == "object" && !!e && i in e;
+}
+export { scanRecursive };

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.10.1";
+const version = "1.11.0";
 export { version };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.10.1",
+  "version": "1.11.0",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",

package/readme.md

@@ -132,10 +132,21 @@ npx actions-up --dry-run
 
 ### Custom Directory
 
-By default, Actions Up scans the `.github` directory. You can specify a different directory (e.g., for Gitea):
+By default, Actions Up scans `.github`.
+
+Use `--dir` to choose another directory, and pass it multiple times to scan several directories:
 
 ```bash
 npx actions-up --dir .gitea
+npx actions-up --dir .github --dir ./other/.github
+```
+
+### Recursive Scanning
+
+Use `--recursive` (`-r`) to scan YAML workflow/composite-action files recursively in the selected directories:
+
+```bash
+npx actions-up --dir ./gh-repo-defaults -r
 ```
 
 ### Branch References