actions-up 1.11.0 → 1.12.1

package/dist/core/scan-github-actions.js

@@ -2,27 +2,26 @@ import { ACTIONS_DIRECTORY, GITHUB_DIRECTORY, WORKFLOWS_DIRECTORY } from "./cons
 import { isYamlFile } from "./fs/is-yaml-file.js";
 import { scanWorkflowFile } from "./scan-workflow-file.js";
 import { scanActionFile } from "./scan-action-file.js";
-import { isAbsolute, join, relative, resolve } from "node:path";
 import { readFile, readdir, stat } from "node:fs/promises";
-async function scanGitHubActions(p = process.cwd(), m = GITHUB_DIRECTORY) {
+import { isAbsolute, join, relative, resolve } from "node:path";
+async function scanGitHubActions(d = process.cwd(), m = GITHUB_DIRECTORY) {
 	let h = {
 		compositeActions: /* @__PURE__ */ new Map(),
 		workflows: /* @__PURE__ */ new Map(),
 		actions: []
-	}, g = resolve(p);
-	function _(e, a) {
-		let o = relative(e, a);
-		return o !== "" && !o.startsWith("..") && !isAbsolute(o);
+	}, g = resolve(d);
+	function _(e, o) {
+		let s = relative(e, o);
+		return s !== "" && !s.startsWith("..") && !isAbsolute(s);
 	}
 	let v = join(g, m);
-	if (!_(g, v)) throw Error("Invalid path: detected path traversal attempt");
 	function y(e) {
 		return e.includes("..") || e.includes("/") || e.includes("\\") ? (console.warn(`Skipping invalid name: ${e}`), !1) : !0;
 	}
 	async function b(e) {
 		try {
-			let a = await stat(e);
-			return typeof a.isFile == "function" ? a.isFile() : !1;
+			let o = await stat(e);
+			return typeof o.isFile == "function" ? o.isFile() : !1;
 		} catch {
 			return !1;
 		}
@@ -31,13 +30,13 @@ async function scanGitHubActions(p = process.cwd(), m = GITHUB_DIRECTORY) {
 	try {
 		if ((await stat(x)).isDirectory()) {
 			let e = (await readdir(x)).filter((e) => y(e) ? isYamlFile(e) : !1).map(async (e) => {
-				let a = join(x, e);
+				let o = join(x, e);
 				try {
-					let s = await scanWorkflowFile(a);
+					let c = await scanWorkflowFile(o);
 					return {
 						path: `${m}/${WORKFLOWS_DIRECTORY}/${e}`,
 						success: !0,
-						actions: s
+						actions: c
 					};
 				} catch {
 					return {
@@ -46,111 +45,111 @@ async function scanGitHubActions(p = process.cwd(), m = GITHUB_DIRECTORY) {
 						actions: []
 					};
 				}
-			}), a = await Promise.all(e);
-			for (let e of a) e.success && e.path && (e.actions.length > 0 ? (h.workflows.set(e.path, e.actions), h.actions.push(...e.actions)) : h.workflows.set(e.path, []));
+			}), o = await Promise.all(e);
+			for (let e of o) e.success && e.path && (e.actions.length > 0 ? (h.workflows.set(e.path, e.actions), h.actions.push(...e.actions)) : h.workflows.set(e.path, []));
 		}
 	} catch {}
 	try {
-		let e = join(g, "action.yml"), a = join(g, "action.yaml"), o = null, s = [];
+		let e = join(g, "action.yml"), o = join(g, "action.yaml"), s = null, c = [];
 		if (await b(e)) try {
-			s = await scanActionFile(e), o = e;
+			c = await scanActionFile(e), s = e;
 		} catch {
-			o = null;
+			s = null;
 		}
-		if (!o && await b(a)) try {
-			s = await scanActionFile(a), o = a;
+		if (!s && await b(o)) try {
+			c = await scanActionFile(o), s = o;
 		} catch {
-			o = null;
+			s = null;
 		}
-		if (o) {
-			let e = relative(g, o);
-			h.compositeActions.set(e, e), s.length > 0 && h.actions.push(...s);
+		if (s) {
+			let e = relative(g, s);
+			h.compositeActions.set(e, e), c.length > 0 && h.actions.push(...c);
 		}
 	} catch {}
 	let S = join(v, ACTIONS_DIRECTORY);
 	try {
 		if ((await stat(S)).isDirectory()) {
-			let a = (await readdir(S)).map(async (a) => {
-				if (!y(a)) return null;
-				let o = join(S, a);
+			let o = (await readdir(S)).map(async (o) => {
+				if (!y(o)) return null;
+				let s = join(S, o);
 				try {
-					if (!(await stat(o)).isDirectory()) return null;
-					let s = join(o, "action.yml"), c = [];
+					if (!(await stat(s)).isDirectory()) return null;
+					let c = join(s, "action.yml"), l = [];
 					try {
-						c = await scanActionFile(s);
+						l = await scanActionFile(c);
 					} catch {
 						try {
-							s = join(o, "action.yaml"), c = await scanActionFile(s);
+							c = join(s, "action.yaml"), l = await scanActionFile(c);
 						} catch {
 							return null;
 						}
 					}
 					return {
-						path: `${m}/${ACTIONS_DIRECTORY}/${a}`,
-						name: a,
-						actions: c
+						path: `${m}/${ACTIONS_DIRECTORY}/${o}`,
+						name: o,
+						actions: l
 					};
 				} catch {
 					return null;
 				}
-			}), o = await Promise.all(a);
-			for (let e of o) e && (h.compositeActions.set(e.name, e.path), h.actions.push(...e.actions));
+			}), s = await Promise.all(o);
+			for (let e of s) e && (h.compositeActions.set(e.name, e.path), h.actions.push(...e.actions));
 		}
 	} catch {}
 	try {
 		let e = await getCurrentRepoSlug(g);
 		if (e) {
 			if (process.env.ACTIONS_UP_TEST_THROW === "1") throw Error("test");
-			let a = /* @__PURE__ */ new Set(), o = [];
-			for (let s of h.actions) {
-				if (s.type !== "external") continue;
-				let c = s.name.split("/");
-				if (c.length < 3 || `${c[0]}/${c[1]}` !== e) continue;
-				let l = join(g, ...c.slice(2));
-				_(g, l) && (a.has(l) || (a.add(l), o.push(l)));
+			let o = /* @__PURE__ */ new Set(), s = [];
+			for (let c of h.actions) {
+				if (c.type !== "external") continue;
+				let l = c.name.split("/");
+				if (l.length < 3 || `${l[0]}/${l[1]}` !== e) continue;
+				let u = join(g, ...l.slice(2));
+				_(g, u) && (o.has(u) || (o.add(u), s.push(u)));
 			}
-			async function s() {
-				if (o.length === 0) return;
-				let c = o.splice(0), u = await Promise.all(c.map(async (o) => {
+			async function c() {
+				if (s.length === 0) return;
+				let l = s.splice(0), d = await Promise.all(l.map(async (s) => {
 					try {
-						let s = join(o, "action.yml"), c = join(o, "action.yaml"), u = s;
+						let c = join(s, "action.yml"), l = join(s, "action.yaml"), d = c;
 						try {
-							if (!(await stat(s)).isFile()) throw Error("not a file");
-						} catch {
 							if (!(await stat(c)).isFile()) throw Error("not a file");
-							u = c;
+						} catch {
+							if (!(await stat(l)).isFile()) throw Error("not a file");
+							d = l;
 						}
-						let d = await scanActionFile(u);
-						d.length > 0 && h.actions.push(...d);
-						let f = [];
-						for (let o of d) {
-							if (o.type !== "external") continue;
-							let s = o.name.split("/");
-							if (s.length < 3 || `${s[0]}/${s[1]}` !== e) continue;
-							let c = join(g, ...s.slice(2));
-							_(g, c) && (a.has(c) || (a.add(c), f.push(c)));
+						let f = await scanActionFile(d);
+						f.length > 0 && h.actions.push(...f);
+						let p = [];
+						for (let s of f) {
+							if (s.type !== "external") continue;
+							let c = s.name.split("/");
+							if (c.length < 3 || `${c[0]}/${c[1]}` !== e) continue;
+							let l = join(g, ...c.slice(2));
+							_(g, l) && (o.has(l) || (o.add(l), p.push(l)));
 						}
-						return f;
+						return p;
 					} catch {
 						return [];
 					}
 				}));
-				for (let e of u) for (let a of e) o.push(a);
-				await s();
+				for (let e of d) for (let o of e) s.push(o);
+				await c();
 			}
-			await s();
+			await c();
 		}
 	} catch {}
 	return h;
 }
 async function getCurrentRepoSlug(e) {
-	let a = process.env.GITHUB_REPOSITORY;
-	if (a && /^[^\s/]+\/[^\s/]+$/u.test(a)) return a;
+	let o = process.env.GITHUB_REPOSITORY;
+	if (o && /^[^\s/]+\/[^\s/]+$/u.test(o)) return o;
 	try {
-		let a = await readFile(join(e, ".git", "config"), "utf8"), o = a.match(/\[remote "origin"\][\s\S]*?url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim();
-		if (o ||= a.match(/url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim(), !o) return null;
-		let s = o.match(/github\.com[/:](?<owner>[^/]+)\/(?<repo>[^./]+)(?:\.git)?$/u);
-		if (s?.groups) return `${s.groups.owner}/${s.groups.repo}`;
+		let o = await readFile(join(e, ".git", "config"), "utf8"), s = o.match(/\[remote "origin"\][\s\S]*?url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim();
+		if (s ||= o.match(/url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim(), !s) return null;
+		let c = s.match(/github\.com[/:](?<owner>[^/]+)\/(?<repo>[^./]+)(?:\.git)?$/u);
+		if (c?.groups) return `${c.groups.owner}/${c.groups.repo}`;
 	} catch {}
 	return null;
 }

package/dist/core/scan-recursive.js

@@ -4,22 +4,20 @@ import { isWorkflowStructure } from "./schema/workflow/is-workflow-structure.js"
 import { findYamlFilesRecursive } from "./fs/find-yaml-files-recursive.js";
 import { scanWorkflowAst } from "./ast/scanners/scan-workflow-ast.js";
 import { readYamlDocument } from "./fs/read-yaml-document.js";
-import { dirname, isAbsolute, relative, resolve } from "node:path";
-async function scanRecursive(d, f) {
-	let p = {
+import { dirname, relative, resolve } from "node:path";
+async function scanRecursive(u, d) {
+	let f = {
 		compositeActions: /* @__PURE__ */ new Map(),
 		workflows: /* @__PURE__ */ new Map(),
 		actions: []
-	}, m = resolve(d), h = resolve(m, f), g = relative(m, h);
-	if (g !== "" && (g.startsWith("..") || isAbsolute(g))) throw Error("Invalid path: detected path traversal attempt");
-	let _;
+	}, p = resolve(u), m = resolve(p, d), h;
 	try {
-		_ = await findYamlFilesRecursive(h);
+		h = await findYamlFilesRecursive(m);
 	} catch {
-		return p;
+		return f;
 	}
-	let v = _.map(async (o) => {
-		let s = relative(m, o);
+	let g = h.map(async (o) => {
+		let s = relative(p, o);
 		try {
 			let { document: c, content: l } = await readYamlDocument(o), u = c.toJSON();
 			if (isWorkflowStructure(u) && hasKey(u, "jobs")) return {
@@ -34,13 +32,13 @@ async function scanRecursive(d, f) {
 			};
 		} catch {}
 		return null;
-	}), y = await Promise.all(v);
-	for (let e of y) if (e) if (e.type === "workflow") p.workflows.set(e.path, e.actions), p.actions.push(...e.actions);
+	}), _ = await Promise.all(g);
+	for (let e of _) if (e) if (e.type === "workflow") f.workflows.set(e.path, e.actions), f.actions.push(...e.actions);
 	else {
 		let i = dirname(e.path), a = i === "." || i === "" ? e.path : i;
-		p.compositeActions.set(a, e.path), p.actions.push(...e.actions);
+		f.compositeActions.set(a, e.path), f.actions.push(...e.actions);
 	}
-	return p;
+	return f;
 }
 function hasKey(e, i) {
 	return typeof e == "object" && !!e && i in e;

package/dist/core/versions/find-compatible-tag.d.ts

@@ -0,0 +1,16 @@
+import { UpdateMode } from '../../types/update-mode';
+import { TagInfo } from '../../types/tag-info';
+/**
+ * Pick the newest compatible tag for the provided update mode.
+ *
+ * Compatibility rules:
+ *
+ * - `minor`: same major, greater than current.
+ * - `patch`: same major and minor, greater than current.
+ *
+ * @param tags - Available tags from GitHub API.
+ * @param currentVersion - Current action version.
+ * @param mode - Mode that limits the allowed update level.
+ * @returns Best compatible tag or null when no compatible candidate exists.
+ */
+export declare function findCompatibleTag(tags: TagInfo[], currentVersion: string | null, mode: Exclude<UpdateMode, 'major'>): TagInfo | null;

package/dist/core/versions/find-compatible-tag.js

@@ -0,0 +1,27 @@
+import { normalizeVersion } from "./normalize-version.js";
+import { isSemverLike } from "./is-semver-like.js";
+import semver from "semver";
+function findCompatibleTag(r, a, o) {
+	if (!a || !isSemverLike(a) || r.length === 0) return null;
+	let s = semver.valid(normalizeVersion(a));
+	if (!s) return null;
+	let c = semver.major(s), l = semver.minor(s), u = [];
+	for (let i of r) {
+		if (!isSemverLike(i.tag)) continue;
+		let r = semver.valid(normalizeVersion(i.tag));
+		r && semver.gt(r, s) && semver.major(r) === c && (o === "patch" && semver.minor(r) !== l || u.push({
+			tag: i,
+			parsed: r
+		}));
+	}
+	return u.length === 0 ? null : (u.sort((e, n) => {
+		let r = semver.rcompare(e.parsed, n.parsed);
+		if (r !== 0) return r;
+		let a = getSemverSpecificity(e.tag.tag);
+		return getSemverSpecificity(n.tag.tag) - a;
+	}), u[0].tag);
+}
+function getSemverSpecificity(e) {
+	return e.replace(/^v/u, "").split(".").length;
+}
+export { findCompatibleTag };

package/dist/core/versions/get-update-level.d.ts

@@ -1,4 +1,6 @@
-/** Update level for a version change. */
+/**
+ * Update level for a version change.
+ */
 type UpdateLevel = 'unknown' | 'major' | 'minor' | 'patch' | 'none';
 /**
  * Determine the update level between two version strings.

package/dist/core/versions/is-semver-like.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Check whether the value follows a semver-like tag pattern.
+ *
+ * Examples of accepted values: `v1`, `v1.2`, `1.2.3`.
+ *
+ * @param value - Raw value to validate.
+ * @returns True when value looks like a semver-like tag.
+ */
+export declare function isSemverLike(value: undefined | string | null): boolean;

package/dist/core/versions/is-semver-like.js

@@ -0,0 +1,4 @@
+function isSemverLike(e) {
+	return typeof e == "string" && /^v?\d+(?:\.\d+){0,2}$/u.test(e.trim());
+}
+export { isSemverLike };

package/dist/core/versions/normalize-version.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Normalize version string.
+ *
+ * Rules:
+ *
+ * - Remove `v` prefix before semver coercion.
+ * - Preserve SHA-like values as-is.
+ * - Return coerced semver when possible.
+ * - Return original value when coercion fails.
+ *
+ * @param version - Version string to normalize.
+ * @returns Normalized version string or null if input is empty.
+ */
+export declare function normalizeVersion(version: undefined | string | null): string | null;

package/dist/core/versions/normalize-version.js

@@ -0,0 +1,9 @@
+import semver from "semver";
+function normalizeVersion(t) {
+	if (!t) return null;
+	let n = t.replace(/^v/u, "");
+	if (/^[0-9a-f]{7,40}$/iu.test(n)) return t;
+	let r = semver.coerce(n);
+	return r ? r.version : t;
+}
+export { normalizeVersion };

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.11.0";
+const version = "1.12.1";
 export { version };

package/dist/types/action-update.d.ts

@@ -1,30 +1,50 @@
 import { GitHubAction } from './github-action';
-/** Update information for a GitHub Action. */
+/**
+ * Update information for a GitHub Action.
+ */
 export interface ActionUpdate {
-  /** Reason for skipping the update check. */
+  /**
+   * Reason for skipping the update check.
+   */
   skipReason?: 'unknown' | 'branch'
 
-  /** Current version string. */
+  /**
+   * Current version string.
+   */
   currentVersion: string | null
 
-  /** Latest available version. */
+  /**
+   * Latest available version.
+   */
   latestVersion: string | null
 
-  /** Status of the check for this action. */
+  /**
+   * Status of the check for this action.
+   */
   status?: 'skipped' | 'ok'
 
-  /** SHA hash of the latest version. */
+  /**
+   * SHA hash of the latest version.
+   */
   latestSha: string | null
 
-  /** Publication date of the latest version (null if unknown). */
+  /**
+   * Publication date of the latest version (null if unknown).
+   */
   publishedAt: Date | null
 
-  /** The original action from scanning. */
+  /**
+   * The original action from scanning.
+   */
   action: GitHubAction
 
-  /** Whether this is a major version change. */
+  /**
+   * Whether this is a major version change.
+   */
   isBreaking: boolean
 
-  /** Whether an update is available. */
+  /**
+   * Whether an update is available.
+   */
   hasUpdate: boolean
 }

package/dist/types/composite-action-runs.d.ts

@@ -1,12 +1,20 @@
 import { CompositeActionStep } from './composite-action-step';
-/** Represents the runs configuration for a composite action. */
+/**
+ * Represents the runs configuration for a composite action.
+ */
 export interface CompositeActionRuns {
-  /** Array of steps to execute. */
+  /**
+   * Array of steps to execute.
+   */
   steps?: CompositeActionStep[]
 
-  /** Allow additional properties. */
+  /**
+   * Allow additional properties.
+   */
   [key: string]: unknown
 
-  /** Must be 'composite' for composite actions. */
+  /**
+   * Must be 'composite' for composite actions.
+   */
   using?: string
 }

package/dist/types/composite-action-step.d.ts

@@ -1,23 +1,39 @@
-/** Represents a step in a composite GitHub Action. */
+/**
+ * Represents a step in a composite GitHub Action.
+ */
 export interface CompositeActionStep {
-  /** Environment variables for this step. */
+  /**
+   * Environment variables for this step.
+   */
   env?: Record<string, unknown>
 
-  /** Working directory for the step. */
+  /**
+   * Working directory for the step.
+   */
   'working-directory'?: string
 
-  /** Allow additional properties. */
+  /**
+   * Allow additional properties.
+   */
   [key: string]: unknown
 
-  /** Shell to use for the run command. */
+  /**
+   * Shell to use for the run command.
+   */
   shell?: string
 
-  /** Action to use for this step. */
+  /**
+   * Action to use for this step.
+   */
   uses?: string
 
-  /** Display name for this step. */
+  /**
+   * Display name for this step.
+   */
   name?: string
 
-  /** Shell command to run for this step. */
+  /**
+   * Shell command to run for this step.
+   */
   run?: string
 }

package/dist/types/composite-action-structure.d.ts

@@ -1,21 +1,35 @@
 import { CompositeActionRuns } from './composite-action-runs';
-/** Represents the structure of a composite GitHub Action file. */
+/**
+ * Represents the structure of a composite GitHub Action file.
+ */
 export interface CompositeActionStructure {
-  /** Output values from the action. */
+  /**
+   * Output values from the action.
+   */
   outputs?: Record<string, unknown>
 
-  /** Input parameters for the action. */
+  /**
+   * Input parameters for the action.
+   */
   inputs?: Record<string, unknown>
 
-  /** Runs configuration for composite actions. */
+  /**
+   * Runs configuration for composite actions.
+   */
   runs?: CompositeActionRuns
 
-  /** Allow additional properties. */
+  /**
+   * Allow additional properties.
+   */
   [key: string]: unknown
 
-  /** Description of what the action does. */
+  /**
+   * Description of what the action does.
+   */
   description?: string
 
-  /** Display name of the action. */
+  /**
+   * Display name of the action.
+   */
   name?: string
 }

package/dist/types/github-action.d.ts

@@ -1,26 +1,44 @@
-/** Represents a GitHub Action used in workflows or composite actions. */
+/**
+ * Represents a GitHub Action used in workflows or composite actions.
+ */
 export interface GitHubAction {
-  /** Type of the GitHub Action. */
+  /**
+   * Type of the GitHub Action.
+   */
   type: 'reusable-workflow' | 'composite' | 'external' | 'docker' | 'local'
 
-  /** Version or tag of the action (e.g., 'v1', 'main', commit SHA). */
+  /**
+   * Version or tag of the action (e.g., 'v1', 'main', commit SHA).
+   */
   version?: string | null
 
-  /** Line number where the action is used in the file. */
+  /**
+   * Line number where the action is used in the file.
+   */
   line?: number
 
-  /** Path to the file where this action is used. */
+  /**
+   * Path to the file where this action is used.
+   */
   file?: string
 
-  /** Original `uses` string from workflow, if available. */
+  /**
+   * Original `uses` string from workflow, if available.
+   */
   uses?: string
 
-  /** Name of the job where this action is used (for workflows). */
+  /**
+   * Name of the job where this action is used (for workflows).
+   */
   job?: string
 
-  /** Full name of the action (e.g., 'actions/checkout'). */
+  /**
+   * Full name of the action (e.g., 'actions/checkout').
+   */
   name: string
 
-  /** Original `ref` string from workflow, if available. */
+  /**
+   * Original `ref` string from workflow, if available.
+   */
   ref?: string
 }

package/dist/types/github-client-context.d.ts

@@ -6,27 +6,43 @@ import { TagInfo } from './tag-info';
  * number of API requests during a single run.
  */
 export interface GitHubClientContext {
-  /** Lightweight caches keyed by owner/repo (+ extra payload). */
+  /**
+   * Lightweight caches keyed by owner/repo (+ extra payload).
+   */
   caches: {
-    /** Cache of reference type detections (branch/tag/null). */
+    /**
+     * Cache of reference type detections (branch/tag/null).
+     */
     refType: Map<string, 'branch' | 'tag' | null>
 
-    /** Cache of resolved tag metadata (message/date/SHA). */
+    /**
+     * Cache of resolved tag metadata (message/date/SHA).
+     */
     tagInfo: Map<string, TagInfo | null>
 
-    /** Cache of resolved tag commit SHAs. */
+    /**
+     * Cache of resolved tag commit SHAs.
+     */
     tagSha: Map<string, string | null>
   }
 
-  /** Remaining requests available per current rate-limit window. */
+  /**
+   * Remaining requests available per current rate-limit window.
+   */
   rateLimitRemaining: number
 
-  /** GitHub token, if available. */
+  /**
+   * GitHub token, if available.
+   */
   token: undefined | string
 
-  /** Scheduled time when rate limit resets. */
+  /**
+   * Scheduled time when rate limit resets.
+   */
   rateLimitReset: Date
 
-  /** GitHub REST API base URL. */
+  /**
+   * GitHub REST API base URL.
+   */
   baseUrl: string
 }