npm - actions-up - Versions diffs - 1.11.0 → 1.12.0 - Mend

actions-up 1.11.0 → 1.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/dist/cli/index.js +84 -93
package/dist/cli/merge-scan-results.d.ts +8 -0
package/dist/cli/merge-scan-results.js +18 -0
package/dist/cli/normalize-update-mode.d.ts +8 -0
package/dist/cli/normalize-update-mode.js +6 -0
package/dist/cli/print-mode-warning.d.ts +16 -0
package/dist/cli/print-mode-warning.js +11 -0
package/dist/cli/print-skipped-warning.d.ts +14 -0
package/dist/cli/print-skipped-warning.js +10 -0
package/dist/cli/resolve-scan-directories.d.ts +27 -0
package/dist/cli/resolve-scan-directories.js +24 -0
package/dist/core/api/check-updates.d.ts +4 -1
package/dist/core/api/check-updates.js +79 -89
package/dist/core/api/get-compatible-update.d.ts +27 -0
package/dist/core/api/get-compatible-update.js +40 -0
package/dist/core/fs/find-yaml-files-recursive.js +1 -1
package/dist/core/interactive/prompt-update-selection.js +9 -9
package/dist/core/scan-github-actions.js +67 -68
package/dist/core/scan-recursive.js +12 -14
package/dist/core/versions/find-compatible-tag.d.ts +16 -0
package/dist/core/versions/find-compatible-tag.js +27 -0
package/dist/core/versions/is-semver-like.d.ts +9 -0
package/dist/core/versions/is-semver-like.js +4 -0
package/dist/core/versions/normalize-version.d.ts +14 -0
package/dist/core/versions/normalize-version.js +9 -0
package/dist/package.js +1 -1
package/package.json +1 -1
package/readme.md +7 -0

package/dist/cli/index.js CHANGED Viewed

@@ -1,143 +1,134 @@
 import { readInlineVersionComment } from "../core/versions/read-inline-version-comment.js";
-import { GITHUB_DIRECTORY } from "../core/constants.js";
 import { isSha } from "../core/versions/is-sha.js";
 import { promptUpdateSelection } from "../core/interactive/prompt-update-selection.js";
+import { getCompatibleUpdate } from "../core/api/get-compatible-update.js";
+import { createGitHubClient } from "../core/api/create-github-client.js";
+import { resolveScanDirectories } from "./resolve-scan-directories.js";
 import { getUpdateLevel } from "../core/versions/get-update-level.js";
 import { applyUpdates } from "../core/ast/update/apply-updates.js";
+import { printSkippedWarning } from "./print-skipped-warning.js";
+import { normalizeUpdateMode } from "./normalize-update-mode.js";
 import { shouldIgnore } from "../core/ignore/should-ignore.js";
 import { checkUpdates } from "../core/api/check-updates.js";
+import { mergeScanResults } from "./merge-scan-results.js";
+import { printModeWarning } from "./print-mode-warning.js";
 import { scanRecursive } from "../core/scan-recursive.js";
 import { scanGitHubActions } from "../core/scan-github-actions.js";
 import "../core/index.js";
 import { version } from "../package.js";
-import { relative, resolve } from "node:path";
 import { createSpinner } from "nanospinner";
 import "node:worker_threads";
 import pc from "picocolors";
 import cac from "cac";
 function run() {
 	let b = cac("actions-up");
-	b.help().version(version).option("--dir <directory>", "Custom directory name (default: .github)").option("--dry-run", "Preview changes without applying them").option("--exclude <regex>", "Exclude actions by regex (repeatable)").option("--include-branches", "Also check actions pinned to branches (default: false)").option("--min-age <days>", "Minimum age in days for updates (default: 0)", { default: 0 }).option("--mode <mode>", "Update mode: major, minor, or patch (default: major)", { default: "major" }).option("--recursive, -r", "Recursively scan directories for YAML files").option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (g) => {
+	b.help().version(version).option("--dir <directory>", "Directory to scan (repeatable). Default: .github, or . with --recursive").option("--dry-run", "Preview changes without applying them").option("--exclude <regex>", "Exclude actions by regex (repeatable)").option("--include-branches", "Also check actions pinned to branches (default: false)").option("--min-age <days>", "Minimum age in days for updates (default: 0)", { default: 0 }).option("--mode <mode>", "Update mode: major, minor, or patch (default: major)", { default: "major" }).option("--recursive, -r", "Recursively scan directories for YAML files").option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (v) => {
 		console.info(pc.cyan("\n🚀 Actions Up!\n"));
-		let y = createSpinner("Scanning GitHub Actions...").start(), b = [];
-		Array.isArray(g.dir) ? b.push(...g.dir) : typeof g.dir == "string" ? b.push(g.dir) : b.push(GITHUB_DIRECTORY);
-		let x = [...new Set(b.map((e) => {
-			let d = process.cwd();
-			return relative(d, resolve(d, e)) || ".";
-		}))];
+		let y = createSpinner("Scanning GitHub Actions...").start(), b = resolveScanDirectories({
+			recursive: v.recursive,
+			cwd: process.cwd(),
+			dir: v.dir
+		});
 		try {
-			let d = mergeScanResults(g.recursive ? await Promise.all(x.map((e) => scanRecursive(process.cwd(), e))) : await Promise.all(x.map((e) => scanGitHubActions(process.cwd(), e)))), _ = d.actions.length, v = d.workflows.size, b = d.compositeActions.size;
-			if (y.success(`Found ${pc.yellow(_)} actions in ${pc.yellow(v)} workflows and ${pc.yellow(b)} composite actions`), _ === 0) {
+			let m = mergeScanResults(v.recursive ? await Promise.all(b.map(({ root: t, dir: u }) => scanRecursive(t, u))) : await Promise.all(b.map(({ root: t, dir: u }) => scanGitHubActions(t, u)))), x = m.actions.length, S = m.workflows.size, C = m.compositeActions.size;
+			if (y.success(`Found ${pc.yellow(x)} actions in ${pc.yellow(S)} workflows and ${pc.yellow(C)} composite actions`), x === 0) {
 				console.info(pc.green("\n✨ No GitHub Actions found in this repository"));
 				return;
 			}
-			let S = d.actions, C = [];
-			Array.isArray(g.exclude) ? C.push(...g.exclude) : typeof g.exclude == "string" && C.push(g.exclude);
-			let w = C.flatMap((e) => e.split(",")).map((e) => e.trim()).filter(Boolean);
-			if (w.length > 0) {
-				let { parseExcludePatterns: e } = await import("../core/filters/parse-exclude-patterns.js"), d = e(w);
-				d.length > 0 && (S = S.filter((e) => {
-					let { name: f } = e;
-					for (let e of d) if (e.test(f)) return !1;
+			let w = m.actions, T = [];
+			Array.isArray(v.exclude) ? T.push(...v.exclude) : typeof v.exclude == "string" && T.push(v.exclude);
+			let E = T.flatMap((t) => t.split(",")).map((t) => t.trim()).filter(Boolean);
+			if (E.length > 0) {
+				let { parseExcludePatterns: t } = await import("../core/filters/parse-exclude-patterns.js"), u = t(E);
+				u.length > 0 && (w = w.filter((t) => {
+					let { name: d } = t;
+					for (let t of u) if (t.test(d)) return !1;
 					return !0;
 				}));
 			}
-			if (y = createSpinner("Checking for updates...").start(), S.length === 0) {
+			if (y = createSpinner("Checking for updates...").start(), w.length === 0) {
 				y.success("No actions to check after excludes"), console.info(pc.green("\n✨ Nothing to check after excludes\n"));
 				return;
 			}
-			let T = g.includeBranches ?? !1, E = await checkUpdates(S, process.env.GITHUB_TOKEN, { includeBranches: T }), D = [];
-			await Promise.all(E.map(async (e) => {
-				await shouldIgnore(e.action.file, e.action.line) || D.push(e);
+			let D = process.env.GITHUB_TOKEN, O = createGitHubClient(D), k = v.includeBranches ?? !1, A = await checkUpdates(w, D, {
+				client: O,
+				includeBranches: k
+			}), j = [];
+			await Promise.all(A.map(async (t) => {
+				await shouldIgnore(t.action.file, t.action.line) || j.push(t);
 			}));
-			let O = D.filter((e) => e.status === "skipped"), k = D.filter((e) => e.hasUpdate), A = g.minAge * 24 * 60 * 60 * 1e3, j = Date.now();
-			k = k.filter((e) => e.publishedAt ? j - e.publishedAt.getTime() >= A : !0);
-			let M = normalizeUpdateMode(g.mode), N = [];
-			if (M !== "major") {
-				let d = /* @__PURE__ */ new Map(), p = await Promise.all(k.map(async (p) => {
-					let m = p.currentVersion;
-					if (isSha(p.currentVersion)) {
-						let f = await readInlineVersionComment(p.action.file, p.action.line, d);
-						f && (m = f);
+			let M = j.filter((t) => t.status === "skipped"), N = j.filter((t) => t.hasUpdate), P = v.minAge * 24 * 60 * 60 * 1e3, F = Date.now();
+			N = N.filter((t) => t.publishedAt ? F - t.publishedAt.getTime() >= P : !0);
+			let I = normalizeUpdateMode(v.mode), L = [];
+			if (I !== "major") {
+				let d = /* @__PURE__ */ new Map(), p = /* @__PURE__ */ new Map(), m = /* @__PURE__ */ new Map(), h = await Promise.all(N.map(async (d) => {
+					let f = d.currentVersion;
+					if (isSha(d.currentVersion)) {
+						let u = await readInlineVersionComment(d.action.file, d.action.line, m);
+						u && (f = u);
 					}
-					let h = getUpdateLevel(m, p.latestVersion);
+					let p = getUpdateLevel(f, d.latestVersion);
 					return {
-						allowed: M === "minor" ? h === "minor" || h === "patch" || h === "none" : h === "patch" || h === "none",
-						update: p
+						effectiveCurrentVersion: f,
+						allowed: I === "minor" ? p === "minor" || p === "patch" || p === "none" : p === "patch" || p === "none",
+						update: d
 					};
-				})), m = [];
-				for (let e of p) e.allowed ? m.push(e.update) : N.push(e.update);
-				k = m;
+				})), g = [], _ = await Promise.all(h.map(async (t) => {
+					if (t.allowed) return { update: t.update };
+					let u = await getCompatibleUpdate(O, {
+						currentVersion: t.effectiveCurrentVersion,
+						actionName: t.update.action.name,
+						tagsCache: d,
+						shaCache: p,
+						mode: I
+					});
+					return u ? { update: {
+						...t.update,
+						latestVersion: u.version,
+						latestSha: u.sha,
+						isBreaking: !1,
+						hasUpdate: !0
+					} } : { blocked: t.update };
+				}));
+				for (let t of _) {
+					if (t.update) {
+						g.push(t.update);
+						continue;
+					}
+					L.push(t.blocked);
+				}
+				N = g;
 			}
-			let P = k.filter((e) => e.isBreaking);
-			if (k.length === 0) {
-				y.success("All actions are up to date!"), O.length > 0 && printSkippedWarning(O, T), N.length > 0 && printModeWarning(N, M), console.info(pc.green("\n✨ Everything is already at the latest version!\n"));
+			let R = N.filter((t) => t.isBreaking);
+			if (N.length === 0) {
+				y.success("All actions are up to date!"), M.length > 0 && printSkippedWarning(M, k), L.length > 0 && printModeWarning(L, I), console.info(pc.green("\n✨ Everything is already at the latest version!\n"));
 				return;
 			}
-			if (y.success(`Found ${pc.yellow(k.length)} updates available${P.length > 0 ? ` (${pc.redBright(P.length)} breaking)` : ""}`), O.length > 0 && printSkippedWarning(O, T), N.length > 0 && printModeWarning(N, M), g.dryRun) {
+			if (y.success(`Found ${pc.yellow(N.length)} updates available${R.length > 0 ? ` (${pc.redBright(R.length)} breaking)` : ""}`), M.length > 0 && printSkippedWarning(M, k), L.length > 0 && printModeWarning(L, I), v.dryRun) {
 				console.info(pc.yellow("\n📋 Dry Run - No changes will be made\n"));
-				for (let e of k) console.info(`${pc.cyan(e.action.file ?? "unknown")}:\n${e.action.name}: ${pc.redBright(e.currentVersion)} → ${pc.green(e.latestVersion)} ${e.latestSha ? pc.gray(`(${e.latestSha.slice(0, 7)})`) : ""}\n`);
-				console.info(pc.gray(`\n${k.length} actions would be updated\n`));
+				for (let t of N) console.info(`${pc.cyan(t.action.file ?? "unknown")}:\n${t.action.name}: ${pc.redBright(t.currentVersion)} → ${pc.green(t.latestVersion)} ${t.latestSha ? pc.gray(`(${t.latestSha.slice(0, 7)})`) : ""}\n`);
+				console.info(pc.gray(`\n${N.length} actions would be updated\n`));
 				return;
 			}
-			if (g.yes) {
-				let e = k.filter((e) => e.latestSha);
-				if (e.length === 0) {
+			if (v.yes) {
+				let t = N.filter((t) => t.latestSha);
+				if (t.length === 0) {
 					console.info(pc.yellow("\n⚠️ No actions with SHA available for update\n"));
 					return;
 				}
-				console.info(pc.yellow(`\n🔄 Updating ${e.length} actions...\n`)), await applyUpdates(e), console.info(pc.green("\n✓ Updates applied successfully!"));
+				console.info(pc.yellow(`\n🔄 Updating ${t.length} actions...\n`)), await applyUpdates(t), console.info(pc.green("\n✓ Updates applied successfully!"));
 			} else {
-				(O.length > 0 || N.length > 0) && console.info("");
-				let e = await promptUpdateSelection(k, { showAge: g.minAge > 0 });
-				if (!e || e.length === 0) {
+				(M.length > 0 || L.length > 0) && console.info("");
+				let t = await promptUpdateSelection(N, { showAge: v.minAge > 0 });
+				if (!t || t.length === 0) {
 					console.info(pc.gray("\nNo updates applied"));
 					return;
 				}
-				console.info(pc.yellow(`\n🔄 Updating ${e.length} selected actions...\n`)), await applyUpdates(e), console.info(pc.green("\n✓ Updates applied successfully!"));
+				console.info(pc.yellow(`\n🔄 Updating ${t.length} selected actions...\n`)), await applyUpdates(t), console.info(pc.green("\n✓ Updates applied successfully!"));
 			}
-		} catch (e) {
-			y.error("Failed"), e instanceof Error && e.name === "GitHubRateLimitError" ? (console.error(pc.yellow("\n⚠️ Rate Limit Exceeded\n")), console.error(e.message), console.error(pc.gray("\nExample: GITHUB_TOKEN=ghp_xxxx actions-up\n"))) : console.error(pc.redBright("\nError:"), e instanceof Error ? e.message : String(e)), process.exit(1);
+		} catch (t) {
+			y.error("Failed"), t instanceof Error && t.name === "GitHubRateLimitError" ? (console.error(pc.yellow("\n⚠️ Rate Limit Exceeded\n")), console.error(t.message), console.error(pc.gray("\nExample: GITHUB_TOKEN=ghp_xxxx actions-up\n"))) : console.error(pc.redBright("\nError:"), t instanceof Error ? t.message : String(t)), process.exit(1);
 		}
 	}), b.parse();
 }
-function mergeScanResults(e) {
-	let d = {
-		compositeActions: /* @__PURE__ */ new Map(),
-		workflows: /* @__PURE__ */ new Map(),
-		actions: []
-	};
-	for (let f of e) {
-		for (let [e, p] of f.workflows) d.workflows.set(e, p);
-		for (let [, e] of f.compositeActions) d.compositeActions.set(e, e);
-		d.actions.push(...f.actions);
-	}
-	let f = /* @__PURE__ */ new Set();
-	return d.actions = d.actions.filter((e) => {
-		let d = `${e.file}:${e.line}:${e.name}:${e.version}`;
-		return f.has(d) ? !1 : (f.add(d), !0);
-	}), d;
-}
-function printModeWarning(e, d) {
-	if (e.length === 0) return;
-	let f = new Intl.PluralRules("en-US", { type: "cardinal" }).select(e.length) === "one" ? "action" : "actions", p = d === "minor" ? "major" : "major/minor";
-	console.info(pc.yellow(`\n⚠️  Skipped ${e.length} ${f} due to ${p} updates`));
-	for (let d of e) {
-		let e = d.action.uses ?? `${d.action.name}@${d.currentVersion ?? "unknown"}`;
-		console.info(pc.gray(`   • ${e}`));
-	}
-}
-function printSkippedWarning(e, d) {
-	let f = new Intl.PluralRules("en-US", { type: "cardinal" }).select(e.length) === "one" ? "action" : "actions", p = d ? "" : " (use --include-branches to check them)";
-	console.info(pc.yellow(`\n⚠️  Skipped ${e.length} ${f} pinned to branches${p}`));
-	for (let d of e) {
-		let e = d.action.uses ?? `${d.action.name}@${d.currentVersion ?? "unknown"}`;
-		console.info(pc.gray(`   • ${e}`));
-	}
-}
-function normalizeUpdateMode(e) {
-	let d = (e ?? "major").toLowerCase();
-	if (d === "major" || d === "minor" || d === "patch") return d;
-	throw Error(`Invalid mode "${e}". Expected "major", "minor", or "patch".`);
-}
 export { run };

package/dist/cli/merge-scan-results.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import { ScanResult } from '../types/scan-result';
+/**
+ * Merge multiple scan results into one.
+ *
+ * @param results - Array of scan results.
+ * @returns Merged scan result.
+ */
+export declare function mergeScanResults(results: ScanResult[]): ScanResult;

package/dist/cli/merge-scan-results.js ADDED Viewed

@@ -0,0 +1,18 @@
+function mergeScanResults(e) {
+	let t = {
+		compositeActions: /* @__PURE__ */ new Map(),
+		workflows: /* @__PURE__ */ new Map(),
+		actions: []
+	};
+	for (let [n, r] of e.entries()) {
+		for (let [e, i] of r.workflows) t.workflows.set(`${n}:${e}`, i);
+		for (let [, e] of r.compositeActions) t.compositeActions.set(`${n}:${e}`, e);
+		t.actions.push(...r.actions);
+	}
+	let n = /* @__PURE__ */ new Set();
+	return t.actions = t.actions.filter((e) => {
+		let t = `${e.file}:${e.line}:${e.name}:${e.version}`;
+		return n.has(t) ? !1 : (n.add(t), !0);
+	}), t;
+}
+export { mergeScanResults };

package/dist/cli/normalize-update-mode.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import { UpdateMode } from '../types/update-mode';
+/**
+ * Normalizes the update mode option.
+ *
+ * @param mode - Raw mode option.
+ * @returns Normalized update mode.
+ */
+export declare function normalizeUpdateMode(mode: undefined | string): UpdateMode;

package/dist/cli/normalize-update-mode.js ADDED Viewed

@@ -0,0 +1,6 @@
+function normalizeUpdateMode(e) {
+	let t = (e ?? "major").toLowerCase();
+	if (t === "major" || t === "minor" || t === "patch") return t;
+	throw Error(`Invalid mode "${e}". Expected "major", "minor", or "patch".`);
+}
+export { normalizeUpdateMode };

package/dist/cli/print-mode-warning.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import { UpdateMode } from '../types/update-mode';
+/**
+ * Prints a warning message for actions that were skipped due to update mode
+ * restrictions.
+ *
+ * @param blocked - Array of blocked actions with their current versions.
+ * @param mode - The current update mode (patch/minor/major).
+ */
+export declare function printModeWarning(blocked: {
+    action: {
+        version?: string | null;
+        uses?: string;
+        name: string;
+    };
+    currentVersion: string | null;
+}[], mode: UpdateMode): void;

package/dist/cli/print-mode-warning.js ADDED Viewed

@@ -0,0 +1,11 @@
+import pc from "picocolors";
+function printModeWarning(t, n) {
+	if (t.length === 0) return;
+	let r = new Intl.PluralRules("en-US", { type: "cardinal" }).select(t.length) === "one" ? "action" : "actions", i = n === "minor" ? "major" : "major/minor";
+	console.info(pc.yellow(`\n⚠️  Skipped ${t.length} ${r} due to ${i} updates`));
+	for (let n of t) {
+		let t = n.action.uses ?? `${n.action.name}@${n.currentVersion ?? "unknown"}`;
+		console.info(pc.gray(`   • ${t}`));
+	}
+}
+export { printModeWarning };

package/dist/cli/print-skipped-warning.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * Prints a warning message for actions that were skipped during scanning.
+ *
+ * @param skipped - Array of skipped actions with their current versions.
+ * @param includeBranches - Whether branch-pinned actions are being checked.
+ */
+export declare function printSkippedWarning(skipped: {
+    action: {
+        version?: string | null;
+        uses?: string;
+        name: string;
+    };
+    currentVersion: string | null;
+}[], includeBranches: boolean): void;

package/dist/cli/print-skipped-warning.js ADDED Viewed

@@ -0,0 +1,10 @@
+import pc from "picocolors";
+function printSkippedWarning(t, n) {
+	let r = new Intl.PluralRules("en-US", { type: "cardinal" }).select(t.length) === "one" ? "action" : "actions", i = n ? "" : " (use --include-branches to check them)";
+	console.info(pc.yellow(`\n⚠️  Skipped ${t.length} ${r} pinned to branches${i}`));
+	for (let n of t) {
+		let t = n.action.uses ?? `${n.action.name}@${n.currentVersion ?? "unknown"}`;
+		console.info(pc.gray(`   • ${t}`));
+	}
+}
+export { printSkippedWarning };

package/dist/cli/resolve-scan-directories.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+/** Options for resolving scan directories from CLI flags. */
+interface ResolveScanDirectoriesOptions {
+    dir?: string[] | string;
+    recursive?: boolean;
+    cwd: string;
+}
+/** Resolved directory with root and relative directory. */
+interface ResolvedDirectory {
+    root: string;
+    dir: string;
+}
+/**
+ * Resolve directories to scan from CLI options.
+ *
+ * Defaults:
+ *
+ * - Non-recursive mode: `.github`
+ * - Recursive mode without --dir: `.`.
+ *
+ * @param options - CLI options used to compute scan directories.
+ * @param options.cwd - Current working directory.
+ * @param options.dir - Optional directory flag value(s).
+ * @param options.recursive - Whether recursive mode is enabled.
+ * @returns Unique resolved directories.
+ */
+export declare function resolveScanDirectories(options: ResolveScanDirectoriesOptions): ResolvedDirectory[];
+export {};

package/dist/cli/resolve-scan-directories.js ADDED Viewed

@@ -0,0 +1,24 @@
+import { GITHUB_DIRECTORY } from "../core/constants.js";
+import { basename, dirname, isAbsolute, relative, resolve } from "node:path";
+function resolveScanDirectories(o) {
+	let { recursive: s, cwd: c, dir: l } = o, u = [];
+	Array.isArray(l) ? u.push(...l) : typeof l == "string" ? u.push(l) : s ? u.push(".") : u.push(GITHUB_DIRECTORY);
+	let d = /* @__PURE__ */ new Set(), f = [];
+	for (let e of u) {
+		let o = resolve(c, e), l = relative(c, o), u = l.startsWith("..") || isAbsolute(l) || resolve(c, l) !== o, p;
+		p = s ? {
+			root: o,
+			dir: "."
+		} : u ? {
+			dir: basename(o),
+			root: dirname(o)
+		} : {
+			dir: l || ".github",
+			root: c
+		};
+		let m = `${p.root}\0${p.dir}`;
+		d.has(m) || (d.add(m), f.push(p));
+	}
+	return f;
+}
+export { resolveScanDirectories };

package/dist/core/api/check-updates.d.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import { GitHubClient } from '../../types/github-client';
 import { GitHubAction } from '../../types/github-action';
 import { ActionUpdate } from '../../types/action-update';
 /**
@@ -5,9 +6,11 @@ import { ActionUpdate } from '../../types/action-update';
  *
  * @param actions - Array of GitHub Actions to check.
  * @param token - Optional GitHub token for authentication.
- * @param options - Additional options (e.g., include branch refs).
+ * @param options - Additional options (e.g., include branch refs, shared
+ *   client).
  * @returns Array of update information.
  */
 export declare function checkUpdates(actions: GitHubAction[], token?: string, options?: {
     includeBranches?: boolean;
+    client?: GitHubClient;
 }): Promise<ActionUpdate[]>;

package/dist/core/api/check-updates.js CHANGED Viewed

@@ -1,7 +1,9 @@
+import { normalizeVersion } from "../versions/normalize-version.js";
+import { isSemverLike } from "../versions/is-semver-like.js";
 import { createGitHubClient } from "./create-github-client.js";
 import semver from "semver";
-async function checkUpdates(n, i, c) {
-	let l = createGitHubClient(i), u = c?.includeBranches ?? !1, d = n.filter((e) => e.type === "external" || e.type === "reusable-workflow");
+async function checkUpdates(i, o, c) {
+	let l = c?.client ?? createGitHubClient(o), u = c?.includeBranches ?? !1, d = i.filter((e) => e.type === "external" || e.type === "reusable-workflow");
 	if (d.length === 0) return [];
 	let f = /* @__PURE__ */ new Map();
 	for (let e of d) {
@@ -11,135 +13,135 @@ async function checkUpdates(n, i, c) {
 	let p = {
 		rateLimitError: null,
 		rateLimitHit: !1
-	}, m = await [...f.keys()].reduce((e, n) => e.then(async (e) => {
-		if (p.rateLimitHit) return [...e, {
+	}, m = await [...f.keys()].reduce((n, i) => n.then(async (n) => {
+		if (p.rateLimitHit) return [...n, {
 			publishedAt: null,
 			version: null,
-			actionName: n,
+			actionName: i,
 			sha: null
 		}];
-		let r = n.split("/");
-		if (r.length < 2) return [...e, {
+		let a = i.split("/");
+		if (a.length < 2) return [...n, {
 			publishedAt: null,
 			version: null,
-			actionName: n,
+			actionName: i,
 			sha: null
 		}];
-		let [i, c] = r;
-		if (!i || !c) return [...e, {
+		let [o, c] = a;
+		if (!o || !c) return [...n, {
 			publishedAt: null,
 			version: null,
-			actionName: n,
+			actionName: i,
 			sha: null
 		}];
 		try {
-			let r = f.get(n)[0]?.version;
-			if (r && !isSha(r) && !isSemverLike(r) && await l.getRefType(i, c, r) === "branch" && !u) return [...e, {
+			let a = f.get(i)[0]?.version;
+			if (a && !isSha(a) && !isSemverLike(a) && await l.getRefType(o, c, a) === "branch" && !u) return [...n, {
 				skipReason: "branch",
 				status: "skipped",
 				publishedAt: null,
 				version: null,
-				actionName: n,
+				actionName: i,
 				sha: null
 			}];
-			let d = await l.getLatestRelease(i, c);
+			let d = await l.getLatestRelease(o, c);
 			if (!d) {
-				let e = await l.getAllReleases(i, c, 1);
+				let e = await l.getAllReleases(o, c, 1);
 				d = e.find((e) => !e.isPrerelease) ?? e[0] ?? null;
 			}
 			if (d) {
-				let { publishedAt: r, version: o, sha: u } = d, f = !1;
+				let { publishedAt: a, version: s, sha: u } = d, f = !1;
 				{
-					let e = normalizeVersion(o), n = !!(o && o.trim() !== ""), r = n && /^v?\d+$/u.test(o.trim()), i = semver.valid(e);
-					f = !n || r || !i || !isSemverLike(o);
+					let n = normalizeVersion(s), i = !!(s && s.trim() !== ""), a = i && /^v?\d+$/u.test(s.trim()), o = semver.valid(n);
+					f = !i || a || !o || !isSemverLike(s);
 				}
 				if (f) {
-					let r = await l.getAllTags(i, c, 30);
-					if (r.length > 0) {
-						let u = r.filter((e) => isSemverLike(e.tag)).map((e) => ({
-							v: semver.valid(normalizeVersion(e.tag)),
-							raw: e
+					let a = await l.getAllTags(o, c, 30);
+					if (a.length > 0) {
+						let u = a.filter((e) => isSemverLike(e.tag)).map((t) => ({
+							v: semver.valid(normalizeVersion(t.tag)),
+							raw: t
 						}));
 						if (u.length > 0) {
-							u.sort((e, n) => {
-								let r = semver.rcompare(e.v, n.v);
-								if (r !== 0) return r;
+							u.sort((e, t) => {
+								let n = semver.rcompare(e.v, t.v);
+								if (n !== 0) return n;
 								let i = /\d+\.\d+/u.test(e.raw.tag) ? 1 : 0;
-								return (/\d+\.\d+/u.test(n.raw.tag) ? 1 : 0) - i;
+								return (/\d+\.\d+/u.test(t.raw.tag) ? 1 : 0) - i;
 							});
-							let r = u[0].raw, s = semver.valid(normalizeVersion(o) ?? void 0);
-							if (!s || semver.gt(u[0].v, s) || semver.eq(u[0].v, s) && /\d+\.\d+/u.test(r.tag)) {
-								let t = r.tag, a = r.sha?.length ? r.sha : null;
-								if (!a && t) try {
-									a = await l.getTagSha(i, c, t);
+							let t = u[0].raw, a = semver.valid(normalizeVersion(s) ?? void 0);
+							if (!a || semver.gt(u[0].v, a) || semver.eq(u[0].v, a) && /\d+\.\d+/u.test(t.tag)) {
+								let e = t.tag, r = t.sha?.length ? t.sha : null;
+								if (!r && e) try {
+									r = await l.getTagSha(o, c, e);
 								} catch {}
-								return [...e, {
-									version: t,
+								return [...n, {
+									version: e,
 									publishedAt: null,
-									sha: a,
-									actionName: n
+									sha: r,
+									actionName: i
 								}];
 							}
 						}
 					}
 				}
-				if (!u && o) try {
-					u = await l.getTagSha(i, c, o);
+				if (!u && s) try {
+					u = await l.getTagSha(o, c, s);
 				} catch {}
-				return [...e, {
+				return [...n, {
 					status: "ok",
-					publishedAt: r,
-					actionName: n,
-					version: o,
+					publishedAt: a,
+					actionName: i,
+					version: s,
 					sha: u
 				}];
 			}
-			let p = await l.getAllTags(i, c, 30);
+			let p = await l.getAllTags(o, c, 30);
 			if (p.length > 0) {
-				let r = p.filter((e) => isSemverLike(e.tag)).map((e) => ({
-					v: semver.valid(normalizeVersion(e.tag)),
-					raw: e
-				})), o;
-				r.length > 0 ? (r.sort((e, n) => {
-					let r = semver.rcompare(e.v, n.v);
-					if (r !== 0) return r;
+				let a = p.filter((e) => isSemverLike(e.tag)).map((t) => ({
+					v: semver.valid(normalizeVersion(t.tag)),
+					raw: t
+				})), s;
+				a.length > 0 ? (a.sort((e, t) => {
+					let n = semver.rcompare(e.v, t.v);
+					if (n !== 0) return n;
 					let i = /\d+\.\d+/u.test(e.raw.tag) ? 1 : 0;
-					return (/\d+\.\d+/u.test(n.raw.tag) ? 1 : 0) - i;
-				}), o = r[0].raw) : o = p[0];
-				let u = o.tag, d = o.sha?.length ? o.sha : null;
+					return (/\d+\.\d+/u.test(t.raw.tag) ? 1 : 0) - i;
+				}), s = a[0].raw) : s = p[0];
+				let u = s.tag, d = s.sha?.length ? s.sha : null;
 				if (!d && u) try {
-					d = await l.getTagSha(i, c, u);
+					d = await l.getTagSha(o, c, u);
 				} catch {}
-				return [...e, {
+				return [...n, {
 					status: "ok",
 					publishedAt: null,
-					actionName: n,
+					actionName: i,
 					version: u,
 					sha: d
 				}];
 			}
-			return [...e, {
+			return [...n, {
 				publishedAt: null,
 				version: null,
-				actionName: n,
+				actionName: i,
 				sha: null
 			}];
-		} catch (t) {
-			return t instanceof Error && t.name === "GitHubRateLimitError" ? (p.rateLimitHit = !0, p.rateLimitError = t, [...e, {
+		} catch (e) {
+			return e instanceof Error && e.name === "GitHubRateLimitError" ? (p.rateLimitHit = !0, p.rateLimitError = e, [...n, {
 				publishedAt: null,
 				version: null,
-				actionName: n,
+				actionName: i,
 				sha: null
-			}]) : (console.warn(`Failed to check ${n}:`, t), [...e, {
+			}]) : (console.warn(`Failed to check ${i}:`, e), [...n, {
 				publishedAt: null,
 				version: null,
-				actionName: n,
+				actionName: i,
 				sha: null
 			}]);
 		}
 	}), Promise.resolve([]));
 	if (p.rateLimitError) {
-		let e = !!(i ?? process.env.GITHUB_TOKEN), t = `${p.rateLimitError.message || "GitHub API rate limit exceeded."}\n${e ? "Wait for reset or reduce request rate." : "Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#using-github-token-for-higher-rate-limits"}`, n = Error(t);
+		let e = !!(o ?? process.env.GITHUB_TOKEN), t = `${p.rateLimitError.message || "GitHub API rate limit exceeded."}\n${e ? "Wait for reset or reduce request rate." : "Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#using-github-token-for-higher-rate-limits"}`, n = Error(t);
 		throw n.name = "GitHubRateLimitError", n;
 	}
 	let h = /* @__PURE__ */ new Map();
@@ -169,39 +171,39 @@ async function checkUpdates(n, i, c) {
 	}
 	return g;
 }
-function createUpdate(e, n, r = {}) {
-	let { version: s, sha: c, publishedAt: l } = n, u = e.version ?? "unknown", d = normalizeVersion(u), f = s ? normalizeVersion(s) : null, p = r.status ?? "ok", m = r.skipReason, h = !1, g = !1;
+function createUpdate(t, n, i = {}) {
+	let { version: a, sha: c, publishedAt: l } = n, u = t.version ?? "unknown", d = normalizeVersion(u), f = a ? normalizeVersion(a) : null, p = i.status ?? "ok", m = i.skipReason, h = !1, g = !1;
 	if (p === "skipped") return {
 		currentVersion: u,
 		isBreaking: !1,
 		hasUpdate: !1,
-		latestVersion: s,
+		latestVersion: a,
 		publishedAt: l,
 		skipReason: m,
 		latestSha: c,
-		action: e,
+		action: t,
 		status: p
 	};
 	if (d && isSha(d)) c ? h = !compareSha(d, c) : f && (h = !0);
 	else if (d && f) {
-		let n = semver.valid(d), r = semver.valid(f);
-		if (n && r) {
-			if (h = semver.lt(n, r), h) {
-				let e = semver.major(n);
-				g = semver.major(r) > e;
+		let e = semver.valid(d), n = semver.valid(f);
+		if (e && n) {
+			if (h = semver.lt(e, n), h) {
+				let t = semver.major(e);
+				g = semver.major(n) > t;
 			}
-			!h && semver.eq(n, r) && !isSha(e.version) && c && (h = !0, g = !1);
+			!h && semver.eq(e, n) && !isSha(t.version) && c && (h = !0, g = !1);
 		} else d !== f && (h = !0);
 	}
 	return {
 		currentVersion: u,
-		latestVersion: s,
+		latestVersion: a,
 		publishedAt: l,
 		isBreaking: g,
 		skipReason: m,
 		latestSha: c,
 		hasUpdate: h,
-		action: e,
+		action: t,
 		status: p
 	};
 }
@@ -209,21 +211,9 @@ function compareSha(e, t) {
 	let n = e.replace(/^v/u, ""), r = t.replace(/^v/u, ""), i = Math.min(n.length, r.length);
 	return i < 7 ? !1 : n.slice(0, Math.max(0, i)).toLowerCase() === r.slice(0, Math.max(0, i)).toLowerCase();
 }
-function normalizeVersion(e) {
-	if (!e) return null;
-	let n = e.replace(/^v/u, "");
-	if (/^[0-9a-f]{7,40}$/iu.test(n)) return e;
-	let r = semver.coerce(n);
-	return r ? r.version : e;
-}
 function isSha(e) {
 	if (!e) return !1;
 	let t = e.replace(/^v/u, "");
 	return /^[0-9a-f]{7,40}$/iu.test(t);
 }
-function isSemverLike(e) {
-	if (!e) return !1;
-	let t = e.trim();
-	return /^v?\d+(?:\.\d+){0,2}$/u.test(t);
-}
 export { checkUpdates };

package/dist/core/api/get-compatible-update.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import { GitHubClient } from '../../types/github-client';
+import { UpdateMode } from '../../types/update-mode';
+import { TagInfo } from '../../types/tag-info';
+interface GetCompatibleUpdateParameters {
+    /** Optional in-memory cache for resolved tag SHAs. */
+    shaCache?: Map<string, string | null>;
+    /** Update mode that limits which tag can be selected. */
+    mode: Exclude<UpdateMode, 'major'>;
+    /** Optional in-memory cache for action tags. */
+    tagsCache?: Map<string, TagInfo[]>;
+    /** Current action version used as compatibility baseline. */
+    currentVersion: string | null;
+    /** Action name in `owner/repo` format (path suffix is allowed). */
+    actionName: string;
+}
+/**
+ * Resolve the newest compatible update for an action.
+ *
+ * @param client - GitHub client instance.
+ * @param parameters - Lookup parameters.
+ * @returns Compatible target version and SHA, or null when none found.
+ */
+export declare function getCompatibleUpdate(client: GitHubClient, parameters: GetCompatibleUpdateParameters): Promise<{
+    sha: string | null;
+    version: string;
+} | null>;
+export {};

package/dist/core/api/get-compatible-update.js ADDED Viewed

@@ -0,0 +1,40 @@
+import { isSemverLike } from "../versions/is-semver-like.js";
+import { findCompatibleTag } from "../versions/find-compatible-tag.js";
+async function getCompatibleUpdate(n, r) {
+	let { currentVersion: i, actionName: a, mode: o } = r;
+	if (!i || !isSemverLike(i)) return null;
+	let s = a.split("/");
+	if (s.length < 2) return null;
+	let [c, l] = s;
+	if (!c || !l) return null;
+	let u = r.tagsCache ?? /* @__PURE__ */ new Map(), d = r.shaCache ?? /* @__PURE__ */ new Map(), f = u.get(a);
+	if (!f) {
+		try {
+			f = await n.getAllTags(c, l, 100);
+		} catch {
+			return null;
+		}
+		u.set(a, f);
+	}
+	let p = findCompatibleTag(f, i, o);
+	if (!p) return null;
+	let m = p.tag, h = p.sha?.length ? p.sha : null;
+	if (!h) {
+		let e = `${a}@${m}`;
+		if (d.has(e)) return {
+			sha: d.get(e) ?? null,
+			version: m
+		};
+		try {
+			h = await n.getTagSha(c, l, m);
+		} catch {
+			h = null;
+		}
+		d.set(e, h);
+	}
+	return {
+		version: m,
+		sha: h
+	};
+}
+export { getCompatibleUpdate };

package/dist/core/fs/find-yaml-files-recursive.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { isYamlFile } from "./is-yaml-file.js";
-import { join } from "node:path";
 import { lstat, readdir } from "node:fs/promises";
+import { join } from "node:path";
 async function findYamlFilesRecursive(i) {
 	let a = [], o = /* @__PURE__ */ new Set();
 	async function s(i) {

package/dist/core/interactive/prompt-update-selection.js CHANGED Viewed

@@ -4,10 +4,10 @@ import { GITHUB_DIRECTORY } from "../constants.js";
 import { isSha } from "../versions/is-sha.js";
 import { stripAnsi } from "./strip-ansi.js";
 import { padString } from "./pad-string.js";
-import path from "node:path";
 import "node:worker_threads";
 import pc from "picocolors";
 import enquirer from "enquirer";
+import path from "node:path";
 var MIN_ACTION_WIDTH = 40, MIN_JOB_WIDTH = 4, MIN_CURRENT_WIDTH = 16, MAX_VERSION_WIDTH = 7;
 async function promptUpdateSelection(g, v = {}) {
 	let { showAge: y = !1 } = v;
@@ -41,8 +41,8 @@ async function promptUpdateSelection(g, v = {}) {
 		};
 	})), C = [], w = stripAnsi("Action").length, T = stripAnsi("Current").length, E = stripAnsi("Job").length, D = 0, O = !1;
 	for (let [t, a] of b.entries()) {
-		let o = a.action.name, l = S[t], d = l.display, f = a.action.job ?? "–";
-		if (w = Math.max(w, o.length), T = Math.max(T, stripAnsi(d).length, l.versionForPadding && l.shortSha ? stripAnsi(`${padString(l.versionForPadding, D + 1)}${pc.gray(`(${l.shortSha})`)}`).length : 0), E = Math.max(E, f.length), a.latestVersion) {
+		let o = a.action.name, u = S[t], d = u.display, f = a.action.job ?? "–";
+		if (w = Math.max(w, o.length), T = Math.max(T, stripAnsi(d).length, u.versionForPadding && u.shortSha ? stripAnsi(`${padString(u.versionForPadding, D + 1)}${pc.gray(`(${u.shortSha})`)}`).length : 0), E = Math.max(E, f.length), a.latestVersion) {
 			let o = formatVersion(a.latestVersion, S[t]?.effectiveForDiff ?? a.currentVersion);
 			D = Math.max(D, stripAnsi(o).length);
 		}
@@ -56,7 +56,7 @@ async function promptUpdateSelection(g, v = {}) {
 			console.warn(`Unexpected missing group for file: ${a}`);
 			continue;
 		}
-		let s = [], l = o;
+		let s = [], u = o;
 		s.push({
 			current: "Current",
 			action: "Action",
@@ -65,10 +65,10 @@ async function promptUpdateSelection(g, v = {}) {
 			job: "Job",
 			age: "Age"
 		});
-		for (let { update: t, index: a } of l) {
-			let o = !!t.latestSha, l = S[a], d = l.display;
-			l.versionForPadding && l.shortSha && (d = `${padString(l.versionForPadding, M + 1)}${pc.gray(`(${l.shortSha})`)}`);
-			let f = l.effectiveForDiff ?? t.currentVersion, p = formatVersion(t.latestVersion, f), m = t.action.name;
+		for (let { update: t, index: a } of u) {
+			let o = !!t.latestSha, u = S[a], d = u.display;
+			u.versionForPadding && u.shortSha && (d = `${padString(u.versionForPadding, M + 1)}${pc.gray(`(${u.shortSha})`)}`);
+			let f = u.effectiveForDiff ?? t.currentVersion, p = formatVersion(t.latestVersion, f), m = t.action.name;
 			if (t.latestSha) {
 				let i = t.latestSha.slice(0, 7);
 				p = `${padString(p, M + 1)}${pc.gray(`(${i})`)}`;
@@ -101,7 +101,7 @@ async function promptUpdateSelection(g, v = {}) {
 				name: ""
 			});
 			else {
-				let { update: i, index: a } = l[t - 1], s = !!i.latestSha, c = s && !i.isBreaking;
+				let { update: i, index: a } = u[t - 1], s = !!i.latestSha, c = s && !i.isBreaking;
 				_.push({
 					message: o,
 					value: String(a),

package/dist/core/scan-github-actions.js CHANGED Viewed

@@ -2,27 +2,26 @@ import { ACTIONS_DIRECTORY, GITHUB_DIRECTORY, WORKFLOWS_DIRECTORY } from "./cons
 import { isYamlFile } from "./fs/is-yaml-file.js";
 import { scanWorkflowFile } from "./scan-workflow-file.js";
 import { scanActionFile } from "./scan-action-file.js";
-import { isAbsolute, join, relative, resolve } from "node:path";
 import { readFile, readdir, stat } from "node:fs/promises";
-async function scanGitHubActions(p = process.cwd(), m = GITHUB_DIRECTORY) {
+import { isAbsolute, join, relative, resolve } from "node:path";
+async function scanGitHubActions(d = process.cwd(), m = GITHUB_DIRECTORY) {
 	let h = {
 		compositeActions: /* @__PURE__ */ new Map(),
 		workflows: /* @__PURE__ */ new Map(),
 		actions: []
-	}, g = resolve(p);
-	function _(e, a) {
-		let o = relative(e, a);
-		return o !== "" && !o.startsWith("..") && !isAbsolute(o);
+	}, g = resolve(d);
+	function _(e, o) {
+		let s = relative(e, o);
+		return s !== "" && !s.startsWith("..") && !isAbsolute(s);
 	}
 	let v = join(g, m);
-	if (!_(g, v)) throw Error("Invalid path: detected path traversal attempt");
 	function y(e) {
 		return e.includes("..") || e.includes("/") || e.includes("\\") ? (console.warn(`Skipping invalid name: ${e}`), !1) : !0;
 	}
 	async function b(e) {
 		try {
-			let a = await stat(e);
-			return typeof a.isFile == "function" ? a.isFile() : !1;
+			let o = await stat(e);
+			return typeof o.isFile == "function" ? o.isFile() : !1;
 		} catch {
 			return !1;
 		}
@@ -31,13 +30,13 @@ async function scanGitHubActions(p = process.cwd(), m = GITHUB_DIRECTORY) {
 	try {
 		if ((await stat(x)).isDirectory()) {
 			let e = (await readdir(x)).filter((e) => y(e) ? isYamlFile(e) : !1).map(async (e) => {
-				let a = join(x, e);
+				let o = join(x, e);
 				try {
-					let s = await scanWorkflowFile(a);
+					let c = await scanWorkflowFile(o);
 					return {
 						path: `${m}/${WORKFLOWS_DIRECTORY}/${e}`,
 						success: !0,
-						actions: s
+						actions: c
 					};
 				} catch {
 					return {
@@ -46,111 +45,111 @@ async function scanGitHubActions(p = process.cwd(), m = GITHUB_DIRECTORY) {
 						actions: []
 					};
 				}
-			}), a = await Promise.all(e);
-			for (let e of a) e.success && e.path && (e.actions.length > 0 ? (h.workflows.set(e.path, e.actions), h.actions.push(...e.actions)) : h.workflows.set(e.path, []));
+			}), o = await Promise.all(e);
+			for (let e of o) e.success && e.path && (e.actions.length > 0 ? (h.workflows.set(e.path, e.actions), h.actions.push(...e.actions)) : h.workflows.set(e.path, []));
 		}
 	} catch {}
 	try {
-		let e = join(g, "action.yml"), a = join(g, "action.yaml"), o = null, s = [];
+		let e = join(g, "action.yml"), o = join(g, "action.yaml"), s = null, c = [];
 		if (await b(e)) try {
-			s = await scanActionFile(e), o = e;
+			c = await scanActionFile(e), s = e;
 		} catch {
-			o = null;
+			s = null;
 		}
-		if (!o && await b(a)) try {
-			s = await scanActionFile(a), o = a;
+		if (!s && await b(o)) try {
+			c = await scanActionFile(o), s = o;
 		} catch {
-			o = null;
+			s = null;
 		}
-		if (o) {
-			let e = relative(g, o);
-			h.compositeActions.set(e, e), s.length > 0 && h.actions.push(...s);
+		if (s) {
+			let e = relative(g, s);
+			h.compositeActions.set(e, e), c.length > 0 && h.actions.push(...c);
 		}
 	} catch {}
 	let S = join(v, ACTIONS_DIRECTORY);
 	try {
 		if ((await stat(S)).isDirectory()) {
-			let a = (await readdir(S)).map(async (a) => {
-				if (!y(a)) return null;
-				let o = join(S, a);
+			let o = (await readdir(S)).map(async (o) => {
+				if (!y(o)) return null;
+				let s = join(S, o);
 				try {
-					if (!(await stat(o)).isDirectory()) return null;
-					let s = join(o, "action.yml"), c = [];
+					if (!(await stat(s)).isDirectory()) return null;
+					let c = join(s, "action.yml"), l = [];
 					try {
-						c = await scanActionFile(s);
+						l = await scanActionFile(c);
 					} catch {
 						try {
-							s = join(o, "action.yaml"), c = await scanActionFile(s);
+							c = join(s, "action.yaml"), l = await scanActionFile(c);
 						} catch {
 							return null;
 						}
 					}
 					return {
-						path: `${m}/${ACTIONS_DIRECTORY}/${a}`,
-						name: a,
-						actions: c
+						path: `${m}/${ACTIONS_DIRECTORY}/${o}`,
+						name: o,
+						actions: l
 					};
 				} catch {
 					return null;
 				}
-			}), o = await Promise.all(a);
-			for (let e of o) e && (h.compositeActions.set(e.name, e.path), h.actions.push(...e.actions));
+			}), s = await Promise.all(o);
+			for (let e of s) e && (h.compositeActions.set(e.name, e.path), h.actions.push(...e.actions));
 		}
 	} catch {}
 	try {
 		let e = await getCurrentRepoSlug(g);
 		if (e) {
 			if (process.env.ACTIONS_UP_TEST_THROW === "1") throw Error("test");
-			let a = /* @__PURE__ */ new Set(), o = [];
-			for (let s of h.actions) {
-				if (s.type !== "external") continue;
-				let c = s.name.split("/");
-				if (c.length < 3 || `${c[0]}/${c[1]}` !== e) continue;
-				let l = join(g, ...c.slice(2));
-				_(g, l) && (a.has(l) || (a.add(l), o.push(l)));
+			let o = /* @__PURE__ */ new Set(), s = [];
+			for (let c of h.actions) {
+				if (c.type !== "external") continue;
+				let l = c.name.split("/");
+				if (l.length < 3 || `${l[0]}/${l[1]}` !== e) continue;
+				let u = join(g, ...l.slice(2));
+				_(g, u) && (o.has(u) || (o.add(u), s.push(u)));
 			}
-			async function s() {
-				if (o.length === 0) return;
-				let c = o.splice(0), u = await Promise.all(c.map(async (o) => {
+			async function c() {
+				if (s.length === 0) return;
+				let l = s.splice(0), d = await Promise.all(l.map(async (s) => {
 					try {
-						let s = join(o, "action.yml"), c = join(o, "action.yaml"), u = s;
+						let c = join(s, "action.yml"), l = join(s, "action.yaml"), d = c;
 						try {
-							if (!(await stat(s)).isFile()) throw Error("not a file");
-						} catch {
 							if (!(await stat(c)).isFile()) throw Error("not a file");
-							u = c;
+						} catch {
+							if (!(await stat(l)).isFile()) throw Error("not a file");
+							d = l;
 						}
-						let d = await scanActionFile(u);
-						d.length > 0 && h.actions.push(...d);
-						let f = [];
-						for (let o of d) {
-							if (o.type !== "external") continue;
-							let s = o.name.split("/");
-							if (s.length < 3 || `${s[0]}/${s[1]}` !== e) continue;
-							let c = join(g, ...s.slice(2));
-							_(g, c) && (a.has(c) || (a.add(c), f.push(c)));
+						let f = await scanActionFile(d);
+						f.length > 0 && h.actions.push(...f);
+						let p = [];
+						for (let s of f) {
+							if (s.type !== "external") continue;
+							let c = s.name.split("/");
+							if (c.length < 3 || `${c[0]}/${c[1]}` !== e) continue;
+							let l = join(g, ...c.slice(2));
+							_(g, l) && (o.has(l) || (o.add(l), p.push(l)));
 						}
-						return f;
+						return p;
 					} catch {
 						return [];
 					}
 				}));
-				for (let e of u) for (let a of e) o.push(a);
-				await s();
+				for (let e of d) for (let o of e) s.push(o);
+				await c();
 			}
-			await s();
+			await c();
 		}
 	} catch {}
 	return h;
 }
 async function getCurrentRepoSlug(e) {
-	let a = process.env.GITHUB_REPOSITORY;
-	if (a && /^[^\s/]+\/[^\s/]+$/u.test(a)) return a;
+	let o = process.env.GITHUB_REPOSITORY;
+	if (o && /^[^\s/]+\/[^\s/]+$/u.test(o)) return o;
 	try {
-		let a = await readFile(join(e, ".git", "config"), "utf8"), o = a.match(/\[remote "origin"\][\s\S]*?url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim();
-		if (o ||= a.match(/url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim(), !o) return null;
-		let s = o.match(/github\.com[/:](?<owner>[^/]+)\/(?<repo>[^./]+)(?:\.git)?$/u);
-		if (s?.groups) return `${s.groups.owner}/${s.groups.repo}`;
+		let o = await readFile(join(e, ".git", "config"), "utf8"), s = o.match(/\[remote "origin"\][\s\S]*?url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim();
+		if (s ||= o.match(/url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim(), !s) return null;
+		let c = s.match(/github\.com[/:](?<owner>[^/]+)\/(?<repo>[^./]+)(?:\.git)?$/u);
+		if (c?.groups) return `${c.groups.owner}/${c.groups.repo}`;
 	} catch {}
 	return null;
 }

package/dist/core/scan-recursive.js CHANGED Viewed

@@ -4,22 +4,20 @@ import { isWorkflowStructure } from "./schema/workflow/is-workflow-structure.js"
 import { findYamlFilesRecursive } from "./fs/find-yaml-files-recursive.js";
 import { scanWorkflowAst } from "./ast/scanners/scan-workflow-ast.js";
 import { readYamlDocument } from "./fs/read-yaml-document.js";
-import { dirname, isAbsolute, relative, resolve } from "node:path";
-async function scanRecursive(d, f) {
-	let p = {
+import { dirname, relative, resolve } from "node:path";
+async function scanRecursive(u, d) {
+	let f = {
 		compositeActions: /* @__PURE__ */ new Map(),
 		workflows: /* @__PURE__ */ new Map(),
 		actions: []
-	}, m = resolve(d), h = resolve(m, f), g = relative(m, h);
-	if (g !== "" && (g.startsWith("..") || isAbsolute(g))) throw Error("Invalid path: detected path traversal attempt");
-	let _;
+	}, p = resolve(u), m = resolve(p, d), h;
 	try {
-		_ = await findYamlFilesRecursive(h);
+		h = await findYamlFilesRecursive(m);
 	} catch {
-		return p;
+		return f;
 	}
-	let v = _.map(async (o) => {
-		let s = relative(m, o);
+	let g = h.map(async (o) => {
+		let s = relative(p, o);
 		try {
 			let { document: c, content: l } = await readYamlDocument(o), u = c.toJSON();
 			if (isWorkflowStructure(u) && hasKey(u, "jobs")) return {
@@ -34,13 +32,13 @@ async function scanRecursive(d, f) {
 			};
 		} catch {}
 		return null;
-	}), y = await Promise.all(v);
-	for (let e of y) if (e) if (e.type === "workflow") p.workflows.set(e.path, e.actions), p.actions.push(...e.actions);
+	}), _ = await Promise.all(g);
+	for (let e of _) if (e) if (e.type === "workflow") f.workflows.set(e.path, e.actions), f.actions.push(...e.actions);
 	else {
 		let i = dirname(e.path), a = i === "." || i === "" ? e.path : i;
-		p.compositeActions.set(a, e.path), p.actions.push(...e.actions);
+		f.compositeActions.set(a, e.path), f.actions.push(...e.actions);
 	}
-	return p;
+	return f;
 }
 function hasKey(e, i) {
 	return typeof e == "object" && !!e && i in e;

package/dist/core/versions/find-compatible-tag.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import { UpdateMode } from '../../types/update-mode';
+import { TagInfo } from '../../types/tag-info';
+/**
+ * Pick the newest compatible tag for the provided update mode.
+ *
+ * Compatibility rules:
+ *
+ * - `minor`: same major, greater than current.
+ * - `patch`: same major and minor, greater than current.
+ *
+ * @param tags - Available tags from GitHub API.
+ * @param currentVersion - Current action version.
+ * @param mode - Mode that limits the allowed update level.
+ * @returns Best compatible tag or null when no compatible candidate exists.
+ */
+export declare function findCompatibleTag(tags: TagInfo[], currentVersion: string | null, mode: Exclude<UpdateMode, 'major'>): TagInfo | null;

package/dist/core/versions/find-compatible-tag.js ADDED Viewed

@@ -0,0 +1,27 @@
+import { normalizeVersion } from "./normalize-version.js";
+import { isSemverLike } from "./is-semver-like.js";
+import semver from "semver";
+function findCompatibleTag(r, a, o) {
+	if (!a || !isSemverLike(a) || r.length === 0) return null;
+	let s = semver.valid(normalizeVersion(a));
+	if (!s) return null;
+	let c = semver.major(s), l = semver.minor(s), u = [];
+	for (let i of r) {
+		if (!isSemverLike(i.tag)) continue;
+		let r = semver.valid(normalizeVersion(i.tag));
+		r && semver.gt(r, s) && semver.major(r) === c && (o === "patch" && semver.minor(r) !== l || u.push({
+			tag: i,
+			parsed: r
+		}));
+	}
+	return u.length === 0 ? null : (u.sort((e, n) => {
+		let r = semver.rcompare(e.parsed, n.parsed);
+		if (r !== 0) return r;
+		let a = getSemverSpecificity(e.tag.tag);
+		return getSemverSpecificity(n.tag.tag) - a;
+	}), u[0].tag);
+}
+function getSemverSpecificity(e) {
+	return e.replace(/^v/u, "").split(".").length;
+}
+export { findCompatibleTag };

package/dist/core/versions/is-semver-like.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Check whether the value follows a semver-like tag pattern.
+ *
+ * Examples of accepted values: `v1`, `v1.2`, `1.2.3`.
+ *
+ * @param value - Raw value to validate.
+ * @returns True when value looks like a semver-like tag.
+ */
+export declare function isSemverLike(value: undefined | string | null): boolean;

package/dist/core/versions/is-semver-like.js ADDED Viewed

@@ -0,0 +1,4 @@
+function isSemverLike(e) {
+	return typeof e == "string" && /^v?\d+(?:\.\d+){0,2}$/u.test(e.trim());
+}
+export { isSemverLike };

package/dist/core/versions/normalize-version.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * Normalize version string.
+ *
+ * Rules:
+ *
+ * - Remove `v` prefix before semver coercion.
+ * - Preserve SHA-like values as-is.
+ * - Return coerced semver when possible.
+ * - Return original value when coercion fails.
+ *
+ * @param version - Version string to normalize.
+ * @returns Normalized version string or null if input is empty.
+ */
+export declare function normalizeVersion(version: undefined | string | null): string | null;

package/dist/core/versions/normalize-version.js ADDED Viewed

@@ -0,0 +1,9 @@
+import semver from "semver";
+function normalizeVersion(t) {
+	if (!t) return null;
+	let n = t.replace(/^v/u, "");
+	if (/^[0-9a-f]{7,40}$/iu.test(n)) return t;
+	let r = semver.coerce(n);
+	return r ? r.version : t;
+}
+export { normalizeVersion };

package/dist/package.js CHANGED Viewed

@@ -1,2 +1,2 @@
-const version = "1.11.0";
+const version = "1.12.0";
 export { version };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.11.0",
+  "version": "1.12.0",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",

package/readme.md CHANGED Viewed

@@ -146,9 +146,12 @@ npx actions-up --dir .github --dir ./other/.github
 Use `--recursive` (`-r`) to scan YAML workflow/composite-action files recursively in the selected directories:
 ```bash
+npx actions-up -r
 npx actions-up --dir ./gh-repo-defaults -r
 ```
+When `--recursive` is used without `--dir`, Actions Up scans from the current directory (`.`).
 ### Branch References
 By default, actions pinned to branch refs (e.g., `@main`, `@release/v1`) are skipped to avoid changing intentionally floating references. Skipped entries are listed in the output. To include them in update checks, pass `--include-branches`.
@@ -162,6 +165,10 @@ npx actions-up --mode minor
 npx actions-up --mode patch
 ```
+In `minor` and `patch` modes, Actions Up tries to find the newest compatible
+tag first (for example, from `@v4` in `minor` mode it will choose the latest
+`v4.x.y`). If no compatible version exists, that action is skipped.
 ## GitHub Actions Integration
 ### Automated PR Checks