actions-up 1.10.1 → 1.12.0

package/dist/cli/index.js

@@ -1,10 +1,18 @@
 import { readInlineVersionComment } from "../core/versions/read-inline-version-comment.js";
 import { isSha } from "../core/versions/is-sha.js";
 import { promptUpdateSelection } from "../core/interactive/prompt-update-selection.js";
+import { getCompatibleUpdate } from "../core/api/get-compatible-update.js";
+import { createGitHubClient } from "../core/api/create-github-client.js";
+import { resolveScanDirectories } from "./resolve-scan-directories.js";
 import { getUpdateLevel } from "../core/versions/get-update-level.js";
 import { applyUpdates } from "../core/ast/update/apply-updates.js";
+import { printSkippedWarning } from "./print-skipped-warning.js";
+import { normalizeUpdateMode } from "./normalize-update-mode.js";
 import { shouldIgnore } from "../core/ignore/should-ignore.js";
 import { checkUpdates } from "../core/api/check-updates.js";
+import { mergeScanResults } from "./merge-scan-results.js";
+import { printModeWarning } from "./print-mode-warning.js";
+import { scanRecursive } from "../core/scan-recursive.js";
 import { scanGitHubActions } from "../core/scan-github-actions.js";
 import "../core/index.js";
 import { version } from "../package.js";
@@ -13,106 +21,114 @@ import "node:worker_threads";
 import pc from "picocolors";
 import cac from "cac";
 function run() {
-	let h = cac("actions-up");
-	h.help().version(version).option("--dir <directory>", "Custom directory name (default: .github)").option("--dry-run", "Preview changes without applying them").option("--exclude <regex>", "Exclude actions by regex (repeatable)").option("--include-branches", "Also check actions pinned to branches (default: false)").option("--min-age <days>", "Minimum age in days for updates (default: 0)", { default: 0 }).option("--mode <mode>", "Update mode: major, minor, or patch (default: major)", { default: "major" }).option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (p) => {
+	let b = cac("actions-up");
+	b.help().version(version).option("--dir <directory>", "Directory to scan (repeatable). Default: .github, or . with --recursive").option("--dry-run", "Preview changes without applying them").option("--exclude <regex>", "Exclude actions by regex (repeatable)").option("--include-branches", "Also check actions pinned to branches (default: false)").option("--min-age <days>", "Minimum age in days for updates (default: 0)", { default: 0 }).option("--mode <mode>", "Update mode: major, minor, or patch (default: major)", { default: "major" }).option("--recursive, -r", "Recursively scan directories for YAML files").option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (v) => {
 		console.info(pc.cyan("\n🚀 Actions Up!\n"));
-		let m = createSpinner("Scanning GitHub Actions...").start();
+		let y = createSpinner("Scanning GitHub Actions...").start(), b = resolveScanDirectories({
+			recursive: v.recursive,
+			cwd: process.cwd(),
+			dir: v.dir
+		});
 		try {
-			let h = await scanGitHubActions(process.cwd(), p.dir), g = h.actions.length, _ = h.workflows.size, v = h.compositeActions.size;
-			if (m.success(`Found ${pc.yellow(g)} actions in ${pc.yellow(_)} workflows and ${pc.yellow(v)} composite actions`), g === 0) {
+			let m = mergeScanResults(v.recursive ? await Promise.all(b.map(({ root: t, dir: u }) => scanRecursive(t, u))) : await Promise.all(b.map(({ root: t, dir: u }) => scanGitHubActions(t, u)))), x = m.actions.length, S = m.workflows.size, C = m.compositeActions.size;
+			if (y.success(`Found ${pc.yellow(x)} actions in ${pc.yellow(S)} workflows and ${pc.yellow(C)} composite actions`), x === 0) {
 				console.info(pc.green("\n✨ No GitHub Actions found in this repository"));
 				return;
 			}
-			let y = h.actions, b = [];
-			Array.isArray(p.exclude) ? b.push(...p.exclude) : typeof p.exclude == "string" && b.push(p.exclude);
-			let x = b.flatMap((e) => e.split(",")).map((e) => e.trim()).filter(Boolean);
-			if (x.length > 0) {
-				let { parseExcludePatterns: e } = await import("../core/filters/parse-exclude-patterns.js"), s = e(x);
-				s.length > 0 && (y = y.filter((e) => {
-					let { name: c } = e;
-					for (let e of s) if (e.test(c)) return !1;
+			let w = m.actions, T = [];
+			Array.isArray(v.exclude) ? T.push(...v.exclude) : typeof v.exclude == "string" && T.push(v.exclude);
+			let E = T.flatMap((t) => t.split(",")).map((t) => t.trim()).filter(Boolean);
+			if (E.length > 0) {
+				let { parseExcludePatterns: t } = await import("../core/filters/parse-exclude-patterns.js"), u = t(E);
+				u.length > 0 && (w = w.filter((t) => {
+					let { name: d } = t;
+					for (let t of u) if (t.test(d)) return !1;
 					return !0;
 				}));
 			}
-			if (m = createSpinner("Checking for updates...").start(), y.length === 0) {
-				m.success("No actions to check after excludes"), console.info(pc.green("\n✨ Nothing to check after excludes\n"));
+			if (y = createSpinner("Checking for updates...").start(), w.length === 0) {
+				y.success("No actions to check after excludes"), console.info(pc.green("\n✨ Nothing to check after excludes\n"));
 				return;
 			}
-			let S = p.includeBranches ?? !1, C = await checkUpdates(y, process.env.GITHUB_TOKEN, { includeBranches: S }), w = [];
-			await Promise.all(C.map(async (e) => {
-				await shouldIgnore(e.action.file, e.action.line) || w.push(e);
+			let D = process.env.GITHUB_TOKEN, O = createGitHubClient(D), k = v.includeBranches ?? !1, A = await checkUpdates(w, D, {
+				client: O,
+				includeBranches: k
+			}), j = [];
+			await Promise.all(A.map(async (t) => {
+				await shouldIgnore(t.action.file, t.action.line) || j.push(t);
 			}));
-			let T = w.filter((e) => e.status === "skipped"), E = w.filter((e) => e.hasUpdate), D = p.minAge * 24 * 60 * 60 * 1e3, O = Date.now();
-			E = E.filter((e) => e.publishedAt ? O - e.publishedAt.getTime() >= D : !0);
-			let k = normalizeUpdateMode(p.mode), A = [];
-			if (k !== "major") {
-				let c = /* @__PURE__ */ new Map(), u = await Promise.all(E.map(async (u) => {
-					let d = u.currentVersion;
-					if (isSha(u.currentVersion)) {
-						let s = await readInlineVersionComment(u.action.file, u.action.line, c);
-						s && (d = s);
+			let M = j.filter((t) => t.status === "skipped"), N = j.filter((t) => t.hasUpdate), P = v.minAge * 24 * 60 * 60 * 1e3, F = Date.now();
+			N = N.filter((t) => t.publishedAt ? F - t.publishedAt.getTime() >= P : !0);
+			let I = normalizeUpdateMode(v.mode), L = [];
+			if (I !== "major") {
+				let d = /* @__PURE__ */ new Map(), p = /* @__PURE__ */ new Map(), m = /* @__PURE__ */ new Map(), h = await Promise.all(N.map(async (d) => {
+					let f = d.currentVersion;
+					if (isSha(d.currentVersion)) {
+						let u = await readInlineVersionComment(d.action.file, d.action.line, m);
+						u && (f = u);
 					}
-					let f = getUpdateLevel(d, u.latestVersion);
+					let p = getUpdateLevel(f, d.latestVersion);
 					return {
-						allowed: k === "minor" ? f === "minor" || f === "patch" || f === "none" : f === "patch" || f === "none",
-						update: u
+						effectiveCurrentVersion: f,
+						allowed: I === "minor" ? p === "minor" || p === "patch" || p === "none" : p === "patch" || p === "none",
+						update: d
 					};
-				})), d = [];
-				for (let e of u) e.allowed ? d.push(e.update) : A.push(e.update);
-				E = d;
+				})), g = [], _ = await Promise.all(h.map(async (t) => {
+					if (t.allowed) return { update: t.update };
+					let u = await getCompatibleUpdate(O, {
+						currentVersion: t.effectiveCurrentVersion,
+						actionName: t.update.action.name,
+						tagsCache: d,
+						shaCache: p,
+						mode: I
+					});
+					return u ? { update: {
+						...t.update,
+						latestVersion: u.version,
+						latestSha: u.sha,
+						isBreaking: !1,
+						hasUpdate: !0
+					} } : { blocked: t.update };
+				}));
+				for (let t of _) {
+					if (t.update) {
+						g.push(t.update);
+						continue;
+					}
+					L.push(t.blocked);
+				}
+				N = g;
 			}
-			let j = E.filter((e) => e.isBreaking);
-			if (E.length === 0) {
-				m.success("All actions are up to date!"), T.length > 0 && printSkippedWarning(T, S), A.length > 0 && printModeWarning(A, k), console.info(pc.green("\n✨ Everything is already at the latest version!\n"));
+			let R = N.filter((t) => t.isBreaking);
+			if (N.length === 0) {
+				y.success("All actions are up to date!"), M.length > 0 && printSkippedWarning(M, k), L.length > 0 && printModeWarning(L, I), console.info(pc.green("\n✨ Everything is already at the latest version!\n"));
 				return;
 			}
-			if (m.success(`Found ${pc.yellow(E.length)} updates available${j.length > 0 ? ` (${pc.redBright(j.length)} breaking)` : ""}`), T.length > 0 && printSkippedWarning(T, S), A.length > 0 && printModeWarning(A, k), p.dryRun) {
+			if (y.success(`Found ${pc.yellow(N.length)} updates available${R.length > 0 ? ` (${pc.redBright(R.length)} breaking)` : ""}`), M.length > 0 && printSkippedWarning(M, k), L.length > 0 && printModeWarning(L, I), v.dryRun) {
 				console.info(pc.yellow("\n📋 Dry Run - No changes will be made\n"));
-				for (let e of E) console.info(`${pc.cyan(e.action.file ?? "unknown")}:\n${e.action.name}: ${pc.redBright(e.currentVersion)} → ${pc.green(e.latestVersion)} ${e.latestSha ? pc.gray(`(${e.latestSha.slice(0, 7)})`) : ""}\n`);
-				console.info(pc.gray(`\n${E.length} actions would be updated\n`));
+				for (let t of N) console.info(`${pc.cyan(t.action.file ?? "unknown")}:\n${t.action.name}: ${pc.redBright(t.currentVersion)} → ${pc.green(t.latestVersion)} ${t.latestSha ? pc.gray(`(${t.latestSha.slice(0, 7)})`) : ""}\n`);
+				console.info(pc.gray(`\n${N.length} actions would be updated\n`));
 				return;
 			}
-			if (p.yes) {
-				let e = E.filter((e) => e.latestSha);
-				if (e.length === 0) {
+			if (v.yes) {
+				let t = N.filter((t) => t.latestSha);
+				if (t.length === 0) {
 					console.info(pc.yellow("\n⚠️ No actions with SHA available for update\n"));
 					return;
 				}
-				console.info(pc.yellow(`\n🔄 Updating ${e.length} actions...\n`)), await applyUpdates(e), console.info(pc.green("\n✓ Updates applied successfully!"));
+				console.info(pc.yellow(`\n🔄 Updating ${t.length} actions...\n`)), await applyUpdates(t), console.info(pc.green("\n✓ Updates applied successfully!"));
 			} else {
-				(T.length > 0 || A.length > 0) && console.info("");
-				let e = await promptUpdateSelection(E, { showAge: p.minAge > 0 });
-				if (!e || e.length === 0) {
+				(M.length > 0 || L.length > 0) && console.info("");
+				let t = await promptUpdateSelection(N, { showAge: v.minAge > 0 });
+				if (!t || t.length === 0) {
 					console.info(pc.gray("\nNo updates applied"));
 					return;
 				}
-				console.info(pc.yellow(`\n🔄 Updating ${e.length} selected actions...\n`)), await applyUpdates(e), console.info(pc.green("\n✓ Updates applied successfully!"));
+				console.info(pc.yellow(`\n🔄 Updating ${t.length} selected actions...\n`)), await applyUpdates(t), console.info(pc.green("\n✓ Updates applied successfully!"));
 			}
-		} catch (e) {
-			m.error("Failed"), e instanceof Error && e.name === "GitHubRateLimitError" ? (console.error(pc.yellow("\n⚠️ Rate Limit Exceeded\n")), console.error(e.message), console.error(pc.gray("\nExample: GITHUB_TOKEN=ghp_xxxx actions-up\n"))) : console.error(pc.redBright("\nError:"), e instanceof Error ? e.message : String(e)), process.exit(1);
+		} catch (t) {
+			y.error("Failed"), t instanceof Error && t.name === "GitHubRateLimitError" ? (console.error(pc.yellow("\n⚠️ Rate Limit Exceeded\n")), console.error(t.message), console.error(pc.gray("\nExample: GITHUB_TOKEN=ghp_xxxx actions-up\n"))) : console.error(pc.redBright("\nError:"), t instanceof Error ? t.message : String(t)), process.exit(1);
 		}
-	}), h.parse();
-}
-function printModeWarning(e, s) {
-	if (e.length === 0) return;
-	let c = new Intl.PluralRules("en-US", { type: "cardinal" }).select(e.length) === "one" ? "action" : "actions", l = s === "minor" ? "major" : "major/minor";
-	console.info(pc.yellow(`\n⚠️  Skipped ${e.length} ${c} due to ${l} updates`));
-	for (let s of e) {
-		let e = s.action.uses ?? `${s.action.name}@${s.currentVersion ?? "unknown"}`;
-		console.info(pc.gray(`   • ${e}`));
-	}
-}
-function printSkippedWarning(e, s) {
-	let c = new Intl.PluralRules("en-US", { type: "cardinal" }).select(e.length) === "one" ? "action" : "actions", l = s ? "" : " (use --include-branches to check them)";
-	console.info(pc.yellow(`\n⚠️  Skipped ${e.length} ${c} pinned to branches${l}`));
-	for (let s of e) {
-		let e = s.action.uses ?? `${s.action.name}@${s.currentVersion ?? "unknown"}`;
-		console.info(pc.gray(`   • ${e}`));
-	}
-}
-function normalizeUpdateMode(e) {
-	let s = (e ?? "major").toLowerCase();
-	if (s === "major" || s === "minor" || s === "patch") return s;
-	throw Error(`Invalid mode "${e}". Expected "major", "minor", or "patch".`);
+	}), b.parse();
 }
 export { run };

package/dist/cli/merge-scan-results.d.ts

@@ -0,0 +1,8 @@
+import { ScanResult } from '../types/scan-result';
+/**
+ * Merge multiple scan results into one.
+ *
+ * @param results - Array of scan results.
+ * @returns Merged scan result.
+ */
+export declare function mergeScanResults(results: ScanResult[]): ScanResult;

package/dist/cli/merge-scan-results.js

@@ -0,0 +1,18 @@
+function mergeScanResults(e) {
+	let t = {
+		compositeActions: /* @__PURE__ */ new Map(),
+		workflows: /* @__PURE__ */ new Map(),
+		actions: []
+	};
+	for (let [n, r] of e.entries()) {
+		for (let [e, i] of r.workflows) t.workflows.set(`${n}:${e}`, i);
+		for (let [, e] of r.compositeActions) t.compositeActions.set(`${n}:${e}`, e);
+		t.actions.push(...r.actions);
+	}
+	let n = /* @__PURE__ */ new Set();
+	return t.actions = t.actions.filter((e) => {
+		let t = `${e.file}:${e.line}:${e.name}:${e.version}`;
+		return n.has(t) ? !1 : (n.add(t), !0);
+	}), t;
+}
+export { mergeScanResults };

package/dist/cli/normalize-update-mode.d.ts

@@ -0,0 +1,8 @@
+import { UpdateMode } from '../types/update-mode';
+/**
+ * Normalizes the update mode option.
+ *
+ * @param mode - Raw mode option.
+ * @returns Normalized update mode.
+ */
+export declare function normalizeUpdateMode(mode: undefined | string): UpdateMode;

package/dist/cli/normalize-update-mode.js

@@ -0,0 +1,6 @@
+function normalizeUpdateMode(e) {
+	let t = (e ?? "major").toLowerCase();
+	if (t === "major" || t === "minor" || t === "patch") return t;
+	throw Error(`Invalid mode "${e}". Expected "major", "minor", or "patch".`);
+}
+export { normalizeUpdateMode };

package/dist/cli/print-mode-warning.d.ts

@@ -0,0 +1,16 @@
+import { UpdateMode } from '../types/update-mode';
+/**
+ * Prints a warning message for actions that were skipped due to update mode
+ * restrictions.
+ *
+ * @param blocked - Array of blocked actions with their current versions.
+ * @param mode - The current update mode (patch/minor/major).
+ */
+export declare function printModeWarning(blocked: {
+    action: {
+        version?: string | null;
+        uses?: string;
+        name: string;
+    };
+    currentVersion: string | null;
+}[], mode: UpdateMode): void;

package/dist/cli/print-mode-warning.js

@@ -0,0 +1,11 @@
+import pc from "picocolors";
+function printModeWarning(t, n) {
+	if (t.length === 0) return;
+	let r = new Intl.PluralRules("en-US", { type: "cardinal" }).select(t.length) === "one" ? "action" : "actions", i = n === "minor" ? "major" : "major/minor";
+	console.info(pc.yellow(`\n⚠️  Skipped ${t.length} ${r} due to ${i} updates`));
+	for (let n of t) {
+		let t = n.action.uses ?? `${n.action.name}@${n.currentVersion ?? "unknown"}`;
+		console.info(pc.gray(`   • ${t}`));
+	}
+}
+export { printModeWarning };

package/dist/cli/print-skipped-warning.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Prints a warning message for actions that were skipped during scanning.
+ *
+ * @param skipped - Array of skipped actions with their current versions.
+ * @param includeBranches - Whether branch-pinned actions are being checked.
+ */
+export declare function printSkippedWarning(skipped: {
+    action: {
+        version?: string | null;
+        uses?: string;
+        name: string;
+    };
+    currentVersion: string | null;
+}[], includeBranches: boolean): void;

package/dist/cli/print-skipped-warning.js

@@ -0,0 +1,10 @@
+import pc from "picocolors";
+function printSkippedWarning(t, n) {
+	let r = new Intl.PluralRules("en-US", { type: "cardinal" }).select(t.length) === "one" ? "action" : "actions", i = n ? "" : " (use --include-branches to check them)";
+	console.info(pc.yellow(`\n⚠️  Skipped ${t.length} ${r} pinned to branches${i}`));
+	for (let n of t) {
+		let t = n.action.uses ?? `${n.action.name}@${n.currentVersion ?? "unknown"}`;
+		console.info(pc.gray(`   • ${t}`));
+	}
+}
+export { printSkippedWarning };

package/dist/cli/resolve-scan-directories.d.ts

@@ -0,0 +1,27 @@
+/** Options for resolving scan directories from CLI flags. */
+interface ResolveScanDirectoriesOptions {
+    dir?: string[] | string;
+    recursive?: boolean;
+    cwd: string;
+}
+/** Resolved directory with root and relative directory. */
+interface ResolvedDirectory {
+    root: string;
+    dir: string;
+}
+/**
+ * Resolve directories to scan from CLI options.
+ *
+ * Defaults:
+ *
+ * - Non-recursive mode: `.github`
+ * - Recursive mode without --dir: `.`.
+ *
+ * @param options - CLI options used to compute scan directories.
+ * @param options.cwd - Current working directory.
+ * @param options.dir - Optional directory flag value(s).
+ * @param options.recursive - Whether recursive mode is enabled.
+ * @returns Unique resolved directories.
+ */
+export declare function resolveScanDirectories(options: ResolveScanDirectoriesOptions): ResolvedDirectory[];
+export {};

package/dist/cli/resolve-scan-directories.js

@@ -0,0 +1,24 @@
+import { GITHUB_DIRECTORY } from "../core/constants.js";
+import { basename, dirname, isAbsolute, relative, resolve } from "node:path";
+function resolveScanDirectories(o) {
+	let { recursive: s, cwd: c, dir: l } = o, u = [];
+	Array.isArray(l) ? u.push(...l) : typeof l == "string" ? u.push(l) : s ? u.push(".") : u.push(GITHUB_DIRECTORY);
+	let d = /* @__PURE__ */ new Set(), f = [];
+	for (let e of u) {
+		let o = resolve(c, e), l = relative(c, o), u = l.startsWith("..") || isAbsolute(l) || resolve(c, l) !== o, p;
+		p = s ? {
+			root: o,
+			dir: "."
+		} : u ? {
+			dir: basename(o),
+			root: dirname(o)
+		} : {
+			dir: l || ".github",
+			root: c
+		};
+		let m = `${p.root}\0${p.dir}`;
+		d.has(m) || (d.add(m), f.push(p));
+	}
+	return f;
+}
+export { resolveScanDirectories };

package/dist/core/api/check-updates.d.ts

@@ -1,3 +1,4 @@
+import { GitHubClient } from '../../types/github-client';
 import { GitHubAction } from '../../types/github-action';
 import { ActionUpdate } from '../../types/action-update';
 /**
@@ -5,9 +6,11 @@ import { ActionUpdate } from '../../types/action-update';
  *
  * @param actions - Array of GitHub Actions to check.
  * @param token - Optional GitHub token for authentication.
- * @param options - Additional options (e.g., include branch refs).
+ * @param options - Additional options (e.g., include branch refs, shared
+ *   client).
  * @returns Array of update information.
  */
 export declare function checkUpdates(actions: GitHubAction[], token?: string, options?: {
     includeBranches?: boolean;
+    client?: GitHubClient;
 }): Promise<ActionUpdate[]>;

package/dist/core/api/check-updates.js

@@ -1,7 +1,9 @@
+import { normalizeVersion } from "../versions/normalize-version.js";
+import { isSemverLike } from "../versions/is-semver-like.js";
 import { createGitHubClient } from "./create-github-client.js";
 import semver from "semver";
-async function checkUpdates(n, i, c) {
-	let l = createGitHubClient(i), u = c?.includeBranches ?? !1, d = n.filter((e) => e.type === "external" || e.type === "reusable-workflow");
+async function checkUpdates(i, o, c) {
+	let l = c?.client ?? createGitHubClient(o), u = c?.includeBranches ?? !1, d = i.filter((e) => e.type === "external" || e.type === "reusable-workflow");
 	if (d.length === 0) return [];
 	let f = /* @__PURE__ */ new Map();
 	for (let e of d) {
@@ -11,135 +13,135 @@ async function checkUpdates(n, i, c) {
 	let p = {
 		rateLimitError: null,
 		rateLimitHit: !1
-	}, m = await [...f.keys()].reduce((e, n) => e.then(async (e) => {
-		if (p.rateLimitHit) return [...e, {
+	}, m = await [...f.keys()].reduce((n, i) => n.then(async (n) => {
+		if (p.rateLimitHit) return [...n, {
 			publishedAt: null,
 			version: null,
-			actionName: n,
+			actionName: i,
 			sha: null
 		}];
-		let r = n.split("/");
-		if (r.length < 2) return [...e, {
+		let a = i.split("/");
+		if (a.length < 2) return [...n, {
 			publishedAt: null,
 			version: null,
-			actionName: n,
+			actionName: i,
 			sha: null
 		}];
-		let [i, c] = r;
-		if (!i || !c) return [...e, {
+		let [o, c] = a;
+		if (!o || !c) return [...n, {
 			publishedAt: null,
 			version: null,
-			actionName: n,
+			actionName: i,
 			sha: null
 		}];
 		try {
-			let r = f.get(n)[0]?.version;
-			if (r && !isSha(r) && !isSemverLike(r) && await l.getRefType(i, c, r) === "branch" && !u) return [...e, {
+			let a = f.get(i)[0]?.version;
+			if (a && !isSha(a) && !isSemverLike(a) && await l.getRefType(o, c, a) === "branch" && !u) return [...n, {
 				skipReason: "branch",
 				status: "skipped",
 				publishedAt: null,
 				version: null,
-				actionName: n,
+				actionName: i,
 				sha: null
 			}];
-			let d = await l.getLatestRelease(i, c);
+			let d = await l.getLatestRelease(o, c);
 			if (!d) {
-				let e = await l.getAllReleases(i, c, 1);
+				let e = await l.getAllReleases(o, c, 1);
 				d = e.find((e) => !e.isPrerelease) ?? e[0] ?? null;
 			}
 			if (d) {
-				let { publishedAt: r, version: o, sha: u } = d, f = !1;
+				let { publishedAt: a, version: s, sha: u } = d, f = !1;
 				{
-					let e = normalizeVersion(o), n = !!(o && o.trim() !== ""), r = n && /^v?\d+$/u.test(o.trim()), i = semver.valid(e);
-					f = !n || r || !i || !isSemverLike(o);
+					let n = normalizeVersion(s), i = !!(s && s.trim() !== ""), a = i && /^v?\d+$/u.test(s.trim()), o = semver.valid(n);
+					f = !i || a || !o || !isSemverLike(s);
 				}
 				if (f) {
-					let r = await l.getAllTags(i, c, 30);
-					if (r.length > 0) {
-						let u = r.filter((e) => isSemverLike(e.tag)).map((e) => ({
-							v: semver.valid(normalizeVersion(e.tag)),
-							raw: e
+					let a = await l.getAllTags(o, c, 30);
+					if (a.length > 0) {
+						let u = a.filter((e) => isSemverLike(e.tag)).map((t) => ({
+							v: semver.valid(normalizeVersion(t.tag)),
+							raw: t
 						}));
 						if (u.length > 0) {
-							u.sort((e, n) => {
-								let r = semver.rcompare(e.v, n.v);
-								if (r !== 0) return r;
+							u.sort((e, t) => {
+								let n = semver.rcompare(e.v, t.v);
+								if (n !== 0) return n;
 								let i = /\d+\.\d+/u.test(e.raw.tag) ? 1 : 0;
-								return (/\d+\.\d+/u.test(n.raw.tag) ? 1 : 0) - i;
+								return (/\d+\.\d+/u.test(t.raw.tag) ? 1 : 0) - i;
 							});
-							let r = u[0].raw, s = semver.valid(normalizeVersion(o) ?? void 0);
-							if (!s || semver.gt(u[0].v, s) || semver.eq(u[0].v, s) && /\d+\.\d+/u.test(r.tag)) {
-								let t = r.tag, a = r.sha?.length ? r.sha : null;
-								if (!a && t) try {
-									a = await l.getTagSha(i, c, t);
+							let t = u[0].raw, a = semver.valid(normalizeVersion(s) ?? void 0);
+							if (!a || semver.gt(u[0].v, a) || semver.eq(u[0].v, a) && /\d+\.\d+/u.test(t.tag)) {
+								let e = t.tag, r = t.sha?.length ? t.sha : null;
+								if (!r && e) try {
+									r = await l.getTagSha(o, c, e);
 								} catch {}
-								return [...e, {
-									version: t,
+								return [...n, {
+									version: e,
 									publishedAt: null,
-									sha: a,
-									actionName: n
+									sha: r,
+									actionName: i
 								}];
 							}
 						}
 					}
 				}
-				if (!u && o) try {
-					u = await l.getTagSha(i, c, o);
+				if (!u && s) try {
+					u = await l.getTagSha(o, c, s);
 				} catch {}
-				return [...e, {
+				return [...n, {
 					status: "ok",
-					publishedAt: r,
-					actionName: n,
-					version: o,
+					publishedAt: a,
+					actionName: i,
+					version: s,
 					sha: u
 				}];
 			}
-			let p = await l.getAllTags(i, c, 30);
+			let p = await l.getAllTags(o, c, 30);
 			if (p.length > 0) {
-				let r = p.filter((e) => isSemverLike(e.tag)).map((e) => ({
-					v: semver.valid(normalizeVersion(e.tag)),
-					raw: e
-				})), o;
-				r.length > 0 ? (r.sort((e, n) => {
-					let r = semver.rcompare(e.v, n.v);
-					if (r !== 0) return r;
+				let a = p.filter((e) => isSemverLike(e.tag)).map((t) => ({
+					v: semver.valid(normalizeVersion(t.tag)),
+					raw: t
+				})), s;
+				a.length > 0 ? (a.sort((e, t) => {
+					let n = semver.rcompare(e.v, t.v);
+					if (n !== 0) return n;
 					let i = /\d+\.\d+/u.test(e.raw.tag) ? 1 : 0;
-					return (/\d+\.\d+/u.test(n.raw.tag) ? 1 : 0) - i;
-				}), o = r[0].raw) : o = p[0];
-				let u = o.tag, d = o.sha?.length ? o.sha : null;
+					return (/\d+\.\d+/u.test(t.raw.tag) ? 1 : 0) - i;
+				}), s = a[0].raw) : s = p[0];
+				let u = s.tag, d = s.sha?.length ? s.sha : null;
 				if (!d && u) try {
-					d = await l.getTagSha(i, c, u);
+					d = await l.getTagSha(o, c, u);
 				} catch {}
-				return [...e, {
+				return [...n, {
 					status: "ok",
 					publishedAt: null,
-					actionName: n,
+					actionName: i,
 					version: u,
 					sha: d
 				}];
 			}
-			return [...e, {
+			return [...n, {
 				publishedAt: null,
 				version: null,
-				actionName: n,
+				actionName: i,
 				sha: null
 			}];
-		} catch (t) {
-			return t instanceof Error && t.name === "GitHubRateLimitError" ? (p.rateLimitHit = !0, p.rateLimitError = t, [...e, {
+		} catch (e) {
+			return e instanceof Error && e.name === "GitHubRateLimitError" ? (p.rateLimitHit = !0, p.rateLimitError = e, [...n, {
 				publishedAt: null,
 				version: null,
-				actionName: n,
+				actionName: i,
 				sha: null
-			}]) : (console.warn(`Failed to check ${n}:`, t), [...e, {
+			}]) : (console.warn(`Failed to check ${i}:`, e), [...n, {
 				publishedAt: null,
 				version: null,
-				actionName: n,
+				actionName: i,
 				sha: null
 			}]);
 		}
 	}), Promise.resolve([]));
 	if (p.rateLimitError) {
-		let e = !!(i ?? process.env.GITHUB_TOKEN), t = `${p.rateLimitError.message || "GitHub API rate limit exceeded."}\n${e ? "Wait for reset or reduce request rate." : "Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#using-github-token-for-higher-rate-limits"}`, n = Error(t);
+		let e = !!(o ?? process.env.GITHUB_TOKEN), t = `${p.rateLimitError.message || "GitHub API rate limit exceeded."}\n${e ? "Wait for reset or reduce request rate." : "Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#using-github-token-for-higher-rate-limits"}`, n = Error(t);
 		throw n.name = "GitHubRateLimitError", n;
 	}
 	let h = /* @__PURE__ */ new Map();
@@ -169,39 +171,39 @@ async function checkUpdates(n, i, c) {
 	}
 	return g;
 }
-function createUpdate(e, n, r = {}) {
-	let { version: s, sha: c, publishedAt: l } = n, u = e.version ?? "unknown", d = normalizeVersion(u), f = s ? normalizeVersion(s) : null, p = r.status ?? "ok", m = r.skipReason, h = !1, g = !1;
+function createUpdate(t, n, i = {}) {
+	let { version: a, sha: c, publishedAt: l } = n, u = t.version ?? "unknown", d = normalizeVersion(u), f = a ? normalizeVersion(a) : null, p = i.status ?? "ok", m = i.skipReason, h = !1, g = !1;
 	if (p === "skipped") return {
 		currentVersion: u,
 		isBreaking: !1,
 		hasUpdate: !1,
-		latestVersion: s,
+		latestVersion: a,
 		publishedAt: l,
 		skipReason: m,
 		latestSha: c,
-		action: e,
+		action: t,
 		status: p
 	};
 	if (d && isSha(d)) c ? h = !compareSha(d, c) : f && (h = !0);
 	else if (d && f) {
-		let n = semver.valid(d), r = semver.valid(f);
-		if (n && r) {
-			if (h = semver.lt(n, r), h) {
-				let e = semver.major(n);
-				g = semver.major(r) > e;
+		let e = semver.valid(d), n = semver.valid(f);
+		if (e && n) {
+			if (h = semver.lt(e, n), h) {
+				let t = semver.major(e);
+				g = semver.major(n) > t;
 			}
-			!h && semver.eq(n, r) && !isSha(e.version) && c && (h = !0, g = !1);
+			!h && semver.eq(e, n) && !isSha(t.version) && c && (h = !0, g = !1);
 		} else d !== f && (h = !0);
 	}
 	return {
 		currentVersion: u,
-		latestVersion: s,
+		latestVersion: a,
 		publishedAt: l,
 		isBreaking: g,
 		skipReason: m,
 		latestSha: c,
 		hasUpdate: h,
-		action: e,
+		action: t,
 		status: p
 	};
 }
@@ -209,21 +211,9 @@ function compareSha(e, t) {
 	let n = e.replace(/^v/u, ""), r = t.replace(/^v/u, ""), i = Math.min(n.length, r.length);
 	return i < 7 ? !1 : n.slice(0, Math.max(0, i)).toLowerCase() === r.slice(0, Math.max(0, i)).toLowerCase();
 }
-function normalizeVersion(e) {
-	if (!e) return null;
-	let n = e.replace(/^v/u, "");
-	if (/^[0-9a-f]{7,40}$/iu.test(n)) return e;
-	let r = semver.coerce(n);
-	return r ? r.version : e;
-}
 function isSha(e) {
 	if (!e) return !1;
 	let t = e.replace(/^v/u, "");
 	return /^[0-9a-f]{7,40}$/iu.test(t);
 }
-function isSemverLike(e) {
-	if (!e) return !1;
-	let t = e.trim();
-	return /^v?\d+(?:\.\d+){0,2}$/u.test(t);
-}
 export { checkUpdates };

package/dist/core/api/get-compatible-update.d.ts

@@ -0,0 +1,27 @@
+import { GitHubClient } from '../../types/github-client';
+import { UpdateMode } from '../../types/update-mode';
+import { TagInfo } from '../../types/tag-info';
+interface GetCompatibleUpdateParameters {
+    /** Optional in-memory cache for resolved tag SHAs. */
+    shaCache?: Map<string, string | null>;
+    /** Update mode that limits which tag can be selected. */
+    mode: Exclude<UpdateMode, 'major'>;
+    /** Optional in-memory cache for action tags. */
+    tagsCache?: Map<string, TagInfo[]>;
+    /** Current action version used as compatibility baseline. */
+    currentVersion: string | null;
+    /** Action name in `owner/repo` format (path suffix is allowed). */
+    actionName: string;
+}
+/**
+ * Resolve the newest compatible update for an action.
+ *
+ * @param client - GitHub client instance.
+ * @param parameters - Lookup parameters.
+ * @returns Compatible target version and SHA, or null when none found.
+ */
+export declare function getCompatibleUpdate(client: GitHubClient, parameters: GetCompatibleUpdateParameters): Promise<{
+    sha: string | null;
+    version: string;
+} | null>;
+export {};

package/dist/core/api/get-compatible-update.js

@@ -0,0 +1,40 @@
+import { isSemverLike } from "../versions/is-semver-like.js";
+import { findCompatibleTag } from "../versions/find-compatible-tag.js";
+async function getCompatibleUpdate(n, r) {
+	let { currentVersion: i, actionName: a, mode: o } = r;
+	if (!i || !isSemverLike(i)) return null;
+	let s = a.split("/");
+	if (s.length < 2) return null;
+	let [c, l] = s;
+	if (!c || !l) return null;
+	let u = r.tagsCache ?? /* @__PURE__ */ new Map(), d = r.shaCache ?? /* @__PURE__ */ new Map(), f = u.get(a);
+	if (!f) {
+		try {
+			f = await n.getAllTags(c, l, 100);
+		} catch {
+			return null;
+		}
+		u.set(a, f);
+	}
+	let p = findCompatibleTag(f, i, o);
+	if (!p) return null;
+	let m = p.tag, h = p.sha?.length ? p.sha : null;
+	if (!h) {
+		let e = `${a}@${m}`;
+		if (d.has(e)) return {
+			sha: d.get(e) ?? null,
+			version: m
+		};
+		try {
+			h = await n.getTagSha(c, l, m);
+		} catch {
+			h = null;
+		}
+		d.set(e, h);
+	}
+	return {
+		version: m,
+		sha: h
+	};
+}
+export { getCompatibleUpdate };

package/dist/core/ast/scanners/scan-composite-action-ast.js

@@ -1,8 +1,8 @@
+import { isCompositeActionStructure } from "../../schema/composite/is-composite-action-structure.js";
+import { isCompositeActionRuns } from "../../schema/composite/is-composite-action-runs.js";
 import { isYAMLMap } from "../guards/is-yaml-map.js";
 import { extractUsesFromSteps } from "../utils/extract-uses-from-steps.js";
 import { findMapPair } from "../utils/find-map-pair.js";
-import { isCompositeActionStructure } from "../../schema/composite/is-composite-action-structure.js";
-import { isCompositeActionRuns } from "../../schema/composite/is-composite-action-runs.js";
 function scanCompositeActionAst(a, o, s) {
 	let c = a.toJSON();
 	if (!isCompositeActionStructure(c) || !a.contents || !isYAMLMap(a.contents)) return [];

package/dist/core/ast/scanners/scan-workflow-ast.js

@@ -1,4 +1,3 @@
-import { isWorkflowStructure } from "../../schema/workflow/is-workflow-structure.js";
 import { parseActionReference } from "../../parsing/parse-action-reference.js";
 import { getLineNumberForKey } from "../utils/get-line-number.js";
 import { isYAMLMap } from "../guards/is-yaml-map.js";
@@ -7,19 +6,20 @@ import { isNode } from "../guards/is-node.js";
 import { isPair } from "../guards/is-pair.js";
 import { extractUsesFromSteps } from "../utils/extract-uses-from-steps.js";
 import { findMapPair } from "../utils/find-map-pair.js";
+import { isWorkflowStructure } from "../../schema/workflow/is-workflow-structure.js";
 function scanWorkflowAst(l, u, d) {
 	if (!isWorkflowStructure(l.toJSON()) || !l.contents || !isYAMLMap(l.contents)) return [];
 	let f = findMapPair(l.contents, "jobs");
 	if (!f?.value || !isYAMLMap(f.value)) return [];
 	let p = [];
-	for (let e of f.value.items) {
-		if (!isPair(e) || !e.value || !isNode(e.value) || !isYAMLMap(e.value)) continue;
-		let l = isScalar(e.key) ? String(e.key.value) : void 0, f = findMapPair(e.value, "uses");
+	for (let c of f.value.items) {
+		if (!isPair(c) || !c.value || !isNode(c.value) || !isYAMLMap(c.value)) continue;
+		let l = isScalar(c.key) ? String(c.key.value) : void 0, f = findMapPair(c.value, "uses");
 		if (f?.value && f.key && isScalar(f.value)) {
-			let e = parseActionReference(String(f.value.value), d, getLineNumberForKey(u, f.key));
-			e && (l && (e.job = l), p.push(e));
+			let s = parseActionReference(String(f.value.value), d, getLineNumberForKey(u, f.key));
+			s && (l && (s.job = l), p.push(s));
 		}
-		let m = findMapPair(e.value, "steps");
+		let m = findMapPair(c.value, "steps");
 		m?.value && p.push(...extractUsesFromSteps({
 			stepsNode: m.value,
 			filePath: d,

package/dist/core/fs/find-yaml-files-recursive.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Recursively finds all YAML files in a directory.
+ *
+ * @param directory - The absolute path to the directory to search.
+ * @returns A promise that resolves to an array of absolute paths to YAML files.
+ */
+export declare function findYamlFilesRecursive(directory: string): Promise<string[]>;

package/dist/core/fs/find-yaml-files-recursive.js

@@ -0,0 +1,20 @@
+import { isYamlFile } from "./is-yaml-file.js";
+import { lstat, readdir } from "node:fs/promises";
+import { join } from "node:path";
+async function findYamlFilesRecursive(i) {
+	let a = [], o = /* @__PURE__ */ new Set();
+	async function s(i) {
+		if ((await lstat(i)).isSymbolicLink() || o.has(i)) return;
+		o.add(i);
+		let c = (await readdir(i)).map(async (r) => {
+			try {
+				let o = join(i, r), c = await lstat(o);
+				if (c.isSymbolicLink()) return;
+				c.isDirectory() ? await s(o) : c.isFile() && isYamlFile(r) && a.push(o);
+			} catch {}
+		});
+		await Promise.all(c);
+	}
+	return await s(i), a;
+}
+export { findYamlFilesRecursive };

package/dist/core/index.d.ts

@@ -1,3 +1,4 @@
 export { scanGitHubActions } from './scan-github-actions';
 export { applyUpdates } from './ast/update/apply-updates';
 export { checkUpdates } from './api/check-updates';
+export { scanRecursive } from './scan-recursive';

package/dist/core/index.js

@@ -1,4 +1,5 @@
 import { applyUpdates } from "./ast/update/apply-updates.js";
 import { checkUpdates } from "./api/check-updates.js";
+import { scanRecursive } from "./scan-recursive.js";
 import { scanGitHubActions } from "./scan-github-actions.js";
-export { applyUpdates, checkUpdates, scanGitHubActions };
+export { applyUpdates, checkUpdates, scanGitHubActions, scanRecursive };

package/dist/core/scan-action-file.js

@@ -1,5 +1,5 @@
-import { readYamlDocument } from "./fs/read-yaml-document.js";
 import { scanCompositeActionAst } from "./ast/scanners/scan-composite-action-ast.js";
+import { readYamlDocument } from "./fs/read-yaml-document.js";
 async function scanActionFile(n) {
 	let { document: r, content: i } = await readYamlDocument(n);
 	return scanCompositeActionAst(r, i, n);

package/dist/core/scan-github-actions.js

@@ -1,7 +1,7 @@
 import { ACTIONS_DIRECTORY, GITHUB_DIRECTORY, WORKFLOWS_DIRECTORY } from "./constants.js";
+import { isYamlFile } from "./fs/is-yaml-file.js";
 import { scanWorkflowFile } from "./scan-workflow-file.js";
 import { scanActionFile } from "./scan-action-file.js";
-import { isYamlFile } from "./fs/is-yaml-file.js";
 import { readFile, readdir, stat } from "node:fs/promises";
 import { isAbsolute, join, relative, resolve } from "node:path";
 async function scanGitHubActions(d = process.cwd(), m = GITHUB_DIRECTORY) {
@@ -15,7 +15,6 @@ async function scanGitHubActions(d = process.cwd(), m = GITHUB_DIRECTORY) {
 		return s !== "" && !s.startsWith("..") && !isAbsolute(s);
 	}
 	let v = join(g, m);
-	if (!_(g, v)) throw Error("Invalid path: detected path traversal attempt");
 	function y(e) {
 		return e.includes("..") || e.includes("/") || e.includes("\\") ? (console.warn(`Skipping invalid name: ${e}`), !1) : !0;
 	}
@@ -33,11 +32,11 @@ async function scanGitHubActions(d = process.cwd(), m = GITHUB_DIRECTORY) {
 			let e = (await readdir(x)).filter((e) => y(e) ? isYamlFile(e) : !1).map(async (e) => {
 				let o = join(x, e);
 				try {
-					let l = await scanWorkflowFile(o);
+					let c = await scanWorkflowFile(o);
 					return {
 						path: `${m}/${WORKFLOWS_DIRECTORY}/${e}`,
 						success: !0,
-						actions: l
+						actions: c
 					};
 				} catch {
 					return {
@@ -75,12 +74,12 @@ async function scanGitHubActions(d = process.cwd(), m = GITHUB_DIRECTORY) {
 				let s = join(S, o);
 				try {
 					if (!(await stat(s)).isDirectory()) return null;
-					let c = join(s, "action.yml"), u = [];
+					let c = join(s, "action.yml"), l = [];
 					try {
-						u = await scanActionFile(c);
+						l = await scanActionFile(c);
 					} catch {
 						try {
-							c = join(s, "action.yaml"), u = await scanActionFile(c);
+							c = join(s, "action.yaml"), l = await scanActionFile(c);
 						} catch {
 							return null;
 						}
@@ -88,7 +87,7 @@ async function scanGitHubActions(d = process.cwd(), m = GITHUB_DIRECTORY) {
 					return {
 						path: `${m}/${ACTIONS_DIRECTORY}/${o}`,
 						name: o,
-						actions: u
+						actions: l
 					};
 				} catch {
 					return null;
@@ -111,14 +110,14 @@ async function scanGitHubActions(d = process.cwd(), m = GITHUB_DIRECTORY) {
 			}
 			async function c() {
 				if (s.length === 0) return;
-				let u = s.splice(0), d = await Promise.all(u.map(async (s) => {
+				let l = s.splice(0), d = await Promise.all(l.map(async (s) => {
 					try {
-						let c = join(s, "action.yml"), u = join(s, "action.yaml"), d = c;
+						let c = join(s, "action.yml"), l = join(s, "action.yaml"), d = c;
 						try {
 							if (!(await stat(c)).isFile()) throw Error("not a file");
 						} catch {
-							if (!(await stat(u)).isFile()) throw Error("not a file");
-							d = u;
+							if (!(await stat(l)).isFile()) throw Error("not a file");
+							d = l;
 						}
 						let f = await scanActionFile(d);
 						f.length > 0 && h.actions.push(...f);

package/dist/core/scan-recursive.d.ts

@@ -0,0 +1,10 @@
+import { ScanResult } from '../types/scan-result';
+/**
+ * Recursively scans a directory for all YAML files and classifies them as
+ * workflows or composite actions.
+ *
+ * @param rootPath - The root path of the repository.
+ * @param directory - The directory to scan recursively, relative to rootPath.
+ * @returns A promise that resolves to a ScanResult.
+ */
+export declare function scanRecursive(rootPath: string, directory: string): Promise<ScanResult>;

package/dist/core/scan-recursive.js

@@ -0,0 +1,46 @@
+import { isCompositeActionStructure } from "./schema/composite/is-composite-action-structure.js";
+import { scanCompositeActionAst } from "./ast/scanners/scan-composite-action-ast.js";
+import { isWorkflowStructure } from "./schema/workflow/is-workflow-structure.js";
+import { findYamlFilesRecursive } from "./fs/find-yaml-files-recursive.js";
+import { scanWorkflowAst } from "./ast/scanners/scan-workflow-ast.js";
+import { readYamlDocument } from "./fs/read-yaml-document.js";
+import { dirname, relative, resolve } from "node:path";
+async function scanRecursive(u, d) {
+	let f = {
+		compositeActions: /* @__PURE__ */ new Map(),
+		workflows: /* @__PURE__ */ new Map(),
+		actions: []
+	}, p = resolve(u), m = resolve(p, d), h;
+	try {
+		h = await findYamlFilesRecursive(m);
+	} catch {
+		return f;
+	}
+	let g = h.map(async (o) => {
+		let s = relative(p, o);
+		try {
+			let { document: c, content: l } = await readYamlDocument(o), u = c.toJSON();
+			if (isWorkflowStructure(u) && hasKey(u, "jobs")) return {
+				type: "workflow",
+				path: s,
+				actions: scanWorkflowAst(c, l, o)
+			};
+			if (isCompositeActionStructure(u) && hasKey(u, "runs")) return {
+				type: "action",
+				path: s,
+				actions: scanCompositeActionAst(c, l, o)
+			};
+		} catch {}
+		return null;
+	}), _ = await Promise.all(g);
+	for (let e of _) if (e) if (e.type === "workflow") f.workflows.set(e.path, e.actions), f.actions.push(...e.actions);
+	else {
+		let i = dirname(e.path), a = i === "." || i === "" ? e.path : i;
+		f.compositeActions.set(a, e.path), f.actions.push(...e.actions);
+	}
+	return f;
+}
+function hasKey(e, i) {
+	return typeof e == "object" && !!e && i in e;
+}
+export { scanRecursive };

package/dist/core/versions/find-compatible-tag.d.ts

@@ -0,0 +1,16 @@
+import { UpdateMode } from '../../types/update-mode';
+import { TagInfo } from '../../types/tag-info';
+/**
+ * Pick the newest compatible tag for the provided update mode.
+ *
+ * Compatibility rules:
+ *
+ * - `minor`: same major, greater than current.
+ * - `patch`: same major and minor, greater than current.
+ *
+ * @param tags - Available tags from GitHub API.
+ * @param currentVersion - Current action version.
+ * @param mode - Mode that limits the allowed update level.
+ * @returns Best compatible tag or null when no compatible candidate exists.
+ */
+export declare function findCompatibleTag(tags: TagInfo[], currentVersion: string | null, mode: Exclude<UpdateMode, 'major'>): TagInfo | null;

package/dist/core/versions/find-compatible-tag.js

@@ -0,0 +1,27 @@
+import { normalizeVersion } from "./normalize-version.js";
+import { isSemverLike } from "./is-semver-like.js";
+import semver from "semver";
+function findCompatibleTag(r, a, o) {
+	if (!a || !isSemverLike(a) || r.length === 0) return null;
+	let s = semver.valid(normalizeVersion(a));
+	if (!s) return null;
+	let c = semver.major(s), l = semver.minor(s), u = [];
+	for (let i of r) {
+		if (!isSemverLike(i.tag)) continue;
+		let r = semver.valid(normalizeVersion(i.tag));
+		r && semver.gt(r, s) && semver.major(r) === c && (o === "patch" && semver.minor(r) !== l || u.push({
+			tag: i,
+			parsed: r
+		}));
+	}
+	return u.length === 0 ? null : (u.sort((e, n) => {
+		let r = semver.rcompare(e.parsed, n.parsed);
+		if (r !== 0) return r;
+		let a = getSemverSpecificity(e.tag.tag);
+		return getSemverSpecificity(n.tag.tag) - a;
+	}), u[0].tag);
+}
+function getSemverSpecificity(e) {
+	return e.replace(/^v/u, "").split(".").length;
+}
+export { findCompatibleTag };

package/dist/core/versions/is-semver-like.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Check whether the value follows a semver-like tag pattern.
+ *
+ * Examples of accepted values: `v1`, `v1.2`, `1.2.3`.
+ *
+ * @param value - Raw value to validate.
+ * @returns True when value looks like a semver-like tag.
+ */
+export declare function isSemverLike(value: undefined | string | null): boolean;

package/dist/core/versions/is-semver-like.js

@@ -0,0 +1,4 @@
+function isSemverLike(e) {
+	return typeof e == "string" && /^v?\d+(?:\.\d+){0,2}$/u.test(e.trim());
+}
+export { isSemverLike };

package/dist/core/versions/normalize-version.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Normalize version string.
+ *
+ * Rules:
+ *
+ * - Remove `v` prefix before semver coercion.
+ * - Preserve SHA-like values as-is.
+ * - Return coerced semver when possible.
+ * - Return original value when coercion fails.
+ *
+ * @param version - Version string to normalize.
+ * @returns Normalized version string or null if input is empty.
+ */
+export declare function normalizeVersion(version: undefined | string | null): string | null;

package/dist/core/versions/normalize-version.js

@@ -0,0 +1,9 @@
+import semver from "semver";
+function normalizeVersion(t) {
+	if (!t) return null;
+	let n = t.replace(/^v/u, "");
+	if (/^[0-9a-f]{7,40}$/iu.test(n)) return t;
+	let r = semver.coerce(n);
+	return r ? r.version : t;
+}
+export { normalizeVersion };

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.10.1";
+const version = "1.12.0";
 export { version };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.10.1",
+  "version": "1.12.0",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",

package/readme.md

@@ -132,12 +132,26 @@ npx actions-up --dry-run
 
 ### Custom Directory
 
-By default, Actions Up scans the `.github` directory. You can specify a different directory (e.g., for Gitea):
+By default, Actions Up scans `.github`.
+
+Use `--dir` to choose another directory, and pass it multiple times to scan several directories:
 
 ```bash
 npx actions-up --dir .gitea
+npx actions-up --dir .github --dir ./other/.github
+```
+
+### Recursive Scanning
+
+Use `--recursive` (`-r`) to scan YAML workflow/composite-action files recursively in the selected directories:
+
+```bash
+npx actions-up -r
+npx actions-up --dir ./gh-repo-defaults -r
 ```
 
+When `--recursive` is used without `--dir`, Actions Up scans from the current directory (`.`).
+
 ### Branch References
 
 By default, actions pinned to branch refs (e.g., `@main`, `@release/v1`) are skipped to avoid changing intentionally floating references. Skipped entries are listed in the output. To include them in update checks, pass `--include-branches`.
@@ -151,6 +165,10 @@ npx actions-up --mode minor
 npx actions-up --mode patch
 ```
 
+In `minor` and `patch` modes, Actions Up tries to find the newest compatible
+tag first (for example, from `@v4` in `minor` mode it will choose the latest
+`v4.x.y`). If no compatible version exists, that action is skipped.
+
 ## GitHub Actions Integration
 
 ### Automated PR Checks