actions-up 1.11.0 → 1.12.1

package/dist/types/github-client.d.ts

@@ -8,35 +8,51 @@ import { TagInfo } from './tag-info';
  * normalized, serializable data structures.
  */
 export interface GitHubClient {
-  /** Detect whether a reference is a tag or a branch (or unknown). */
+  /**
+   * Detect whether a reference is a tag or a branch (or unknown).
+   */
   getRefType(
     owner: string,
     repo: string,
     reference: string,
   ): Promise<'branch' | 'tag' | null>
 
-  /** List releases with minimal enrichment. */
+  /**
+   * List releases with minimal enrichment.
+   */
   getAllReleases(
     owner: string,
     repo: string,
     limit?: number,
   ): Promise<ReleaseInfo[]>
 
-  /** Fetch tag metadata (message/date) and the resolved commit SHA. */
+  /**
+   * Fetch tag metadata (message/date) and the resolved commit SHA.
+   */
   getTagInfo(owner: string, repo: string, tag: string): Promise<TagInfo | null>
 
-  /** Resolve commit SHA for a tag without fetching commit data. */
+  /**
+   * Resolve commit SHA for a tag without fetching commit data.
+   */
   getTagSha(owner: string, repo: string, tag: string): Promise<string | null>
 
-  /** List repository tags (name + commit SHA). */
+  /**
+   * List repository tags (name + commit SHA).
+   */
   getAllTags(owner: string, repo: string, limit?: number): Promise<TagInfo[]>
 
-  /** Fetch the latest release or null when no latest release exists. */
+  /**
+   * Fetch the latest release or null when no latest release exists.
+   */
   getLatestRelease(owner: string, repo: string): Promise<ReleaseInfo | null>
 
-  /** Current rate limit snapshot. */
+  /**
+   * Current rate limit snapshot.
+   */
   getRateLimitStatus(): { remaining: number; resetAt: Date }
 
-  /** True when remaining requests are below a threshold. */
+  /**
+   * True when remaining requests are below a threshold.
+   */
   shouldWaitForRateLimit(threshold?: number): boolean
 }

package/dist/types/release-info.d.ts

@@ -1,23 +1,39 @@
-/** Normalized release information used across the tool. */
+/**
+ * Normalized release information used across the tool.
+ */
 export interface ReleaseInfo {
-  /** Release description (body) or null when absent. */
+  /**
+   * Release description (body) or null when absent.
+   */
   description: string | null
 
-  /** True when the release is marked as prerelease. */
+  /**
+   * True when the release is marked as prerelease.
+   */
   isPrerelease: boolean
 
-  /** Commit SHA associated with the release tag (may be null). */
+  /**
+   * Commit SHA associated with the release tag when known (may be provisional).
+   */
   sha: string | null
 
-  /** Publication date of the release. */
+  /**
+   * Publication date of the release.
+   */
   publishedAt: Date
 
-  /** Tag name (e.g. V1.2.3). */
+  /**
+   * Tag name (e.g. V1.2.3).
+   */
   version: string
 
-  /** Release name or tag name when name is not provided. */
+  /**
+   * Release name or tag name when name is not provided.
+   */
   name: string
 
-  /** HTML URL of the release page. */
+  /**
+   * HTML URL of the release page.
+   */
   url: string
 }

package/dist/types/scan-result.d.ts

@@ -1,12 +1,20 @@
 import { GitHubAction } from './github-action';
-/** Result of scanning a repository for GitHub Actions usage. */
+/**
+ * Result of scanning a repository for GitHub Actions usage.
+ */
 export interface ScanResult {
-  /** Map of workflow files to their used GitHub Actions. */
+  /**
+   * Map of workflow files to their used GitHub Actions.
+   */
   workflows: Map<string, GitHubAction[]>
 
-  /** Map of composite action names to their file paths. */
+  /**
+   * Map of composite action names to their file paths.
+   */
   compositeActions: Map<string, string>
 
-  /** List of all unique GitHub Actions found in the repository. */
+  /**
+   * List of all unique GitHub Actions found in the repository.
+   */
   actions: GitHubAction[]
 }

package/dist/types/tag-info.d.ts

@@ -1,14 +1,24 @@
-/** Normalized tag information (message/date) and the resolved commit SHA. */
+/**
+ * Normalized tag information (message/date) and the resolved commit SHA.
+ */
 export interface TagInfo {
-  /** Tag or commit message, null when absent. */
+  /**
+   * Tag or commit message, null when absent.
+   */
   message: string | null
 
-  /** Commit SHA the tag ultimately points to (may be null). */
+  /**
+   * Commit SHA the tag ultimately points to (may be null).
+   */
   sha: string | null
 
-  /** Date associated with the tag (from release, tagger or commit). */
+  /**
+   * Date associated with the tag (from release, tagger or commit).
+   */
   date: Date | null
 
-  /** Tag name (e.g. V1.2.3). */
+  /**
+   * Tag name (e.g. V1.2.3).
+   */
   tag: string
 }

package/dist/types/update-mode.d.ts

@@ -1,2 +1,4 @@
-/** Allowed update modes for filtering actions. */
+/**
+ * Allowed update modes for filtering actions.
+ */
 export type UpdateMode = 'major' | 'minor' | 'patch'

package/dist/types/workflow-job.d.ts

@@ -1,27 +1,45 @@
 import { WorkflowStep } from './workflow-step';
-/** Represents a job in a GitHub Actions workflow. */
+/**
+ * Represents a job in a GitHub Actions workflow.
+ */
 export interface WorkflowJob {
-  /** Secrets passed to the reusable workflow ('inherit' or specific secrets). */
+  /**
+   * Secrets passed to the reusable workflow ('inherit' or specific secrets).
+   */
   secrets?: Record<string, unknown> | 'inherit'
 
-  /** Input parameters passed to the reusable workflow. */
+  /**
+   * Input parameters passed to the reusable workflow.
+   */
   with?: Record<string, unknown>
 
-  /** Runner environment(s) to execute this job on (e.g., 'ubuntu-latest'). */
+  /**
+   * Runner environment(s) to execute this job on (e.g., 'ubuntu-latest').
+   */
   'runs-on'?: string[] | string
 
-  /** Job IDs that must complete successfully before this job runs. */
+  /**
+   * Job IDs that must complete successfully before this job runs.
+   */
   needs?: string[] | string
 
-  /** Array of steps to execute in this job. */
+  /**
+   * Array of steps to execute in this job.
+   */
   steps?: WorkflowStep[]
 
-  /** Allow additional properties for job configuration. */
+  /**
+   * Allow additional properties for job configuration.
+   */
   [key: string]: unknown
 
-  /** Reusable workflow reference (mutually exclusive with 'steps'). */
+  /**
+   * Reusable workflow reference (mutually exclusive with 'steps').
+   */
   uses?: string
 
-  /** Conditional expression to determine if the job should run. */
+  /**
+   * Conditional expression to determine if the job should run.
+   */
   if?: string
 }

package/dist/types/workflow-step.d.ts

@@ -1,20 +1,34 @@
-/** Represents a single step in a GitHub Actions workflow job. */
+/**
+ * Represents a single step in a GitHub Actions workflow job.
+ */
 export interface WorkflowStep {
-  /** Input parameters to pass to the action. */
+  /**
+   * Input parameters to pass to the action.
+   */
   with?: Record<string, unknown>
 
-  /** Environment variables to set for this step. */
+  /**
+   * Environment variables to set for this step.
+   */
   env?: Record<string, unknown>
 
-  /** Allow additional properties for step configuration. */
+  /**
+   * Allow additional properties for step configuration.
+   */
   [key: string]: unknown
 
-  /** Action to use for this step (e.g., 'actions/checkout@v4'). */
+  /**
+   * Action to use for this step (e.g., 'actions/checkout@v4').
+   */
   uses?: string
 
-  /** Display name for this step. */
+  /**
+   * Display name for this step.
+   */
   name?: string
 
-  /** Shell command to run for this step. */
+  /**
+   * Shell command to run for this step.
+   */
   run?: string
 }

package/dist/types/workflow-structure.d.ts

@@ -1,15 +1,25 @@
 import { WorkflowJob } from './workflow-job';
-/** Represents the root structure of a GitHub Actions workflow file. */
+/**
+ * Represents the root structure of a GitHub Actions workflow file.
+ */
 export interface WorkflowStructure {
-  /** Map of job IDs to job configurations. */
+  /**
+   * Map of job IDs to job configurations.
+   */
   jobs?: Record<string, WorkflowJob>
 
-  /** Allow additional properties for workflow configuration. */
+  /**
+   * Allow additional properties for workflow configuration.
+   */
   [key: string]: unknown
 
-  /** Display name for the workflow. */
+  /**
+   * Display name for the workflow.
+   */
   name?: string
 
-  /** Events that trigger the workflow (push, pull_request, etc.). */
+  /**
+   * Events that trigger the workflow (push, pull_request, etc.).
+   */
   on?: unknown
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.11.0",
+  "version": "1.12.1",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",
@@ -36,19 +36,14 @@
     "./dist"
   ],
   "dependencies": {
-    "cac": "^6.7.14",
+    "cac": "^7.0.0",
     "enquirer": "^2.4.1",
     "nanospinner": "^1.2.2",
     "picocolors": "^1.1.1",
     "semver": "^7.7.4",
-    "yaml": "^2.8.2"
+    "yaml": "^2.8.3"
   },
   "engines": {
     "node": "^18.0.0 || >=20.0.0"
-  },
-  "pnpm": {
-    "overrides": {
-      "vite": "npm:rolldown-vite@latest"
-    }
   }
 }

package/readme.md

@@ -12,15 +12,21 @@
 [![Code Coverage](https://img.shields.io/codecov/c/github/azat-io/actions-up.svg?color=fff&labelColor=4493f8)](https://codecov.io/gh/azat-io/actions-up)
 [![GitHub License](https://img.shields.io/badge/license-MIT-232428.svg?color=fff&labelColor=4493f8)](https://github.com/azat-io/actions-up/blob/main/license.md)
 
-Actions Up scans your workflows and composite actions to discover every referenced GitHub Action, then checks for newer releases.
+Actions Up scans your workflows and composite actions to discover every
+referenced GitHub Action, then checks for newer releases.
 
-Interactively upgrade and pin actions to exact commit SHAs for secure, reproducible CI and low-friction maintenance.
+Interactively upgrade and pin actions to exact commit SHAs for secure,
+reproducible CI and low-friction maintenance.
 
 ## Features
 
-- **Auto-discovery**: Scans all workflows (`.github/workflows/*.yml`) and composite actions (`.github/actions/*/action.yml` and root `action.yml`/`action.yaml`)
-- **Reusable Workflows**: Detects and updates reusable workflow calls at the job level
-- **SHA pinning**: Updates actions to use commit SHA instead of tags for better security
+- **Auto-discovery**: Scans all workflows (`.github/workflows/*.yml`) and
+  composite actions (`.github/actions/*/action.yml` and root
+  `action.yml`/`action.yaml`)
+- **Reusable Workflows**: Detects and updates reusable workflow calls at the job
+  level
+- **SHA pinning**: Updates actions to use commit SHA instead of tags for better
+  security
 - **Batch Updates**: Update multiple actions at once
 - **Interactive Selection**: Choose which actions to update
 - **Breaking Changes Detection**: Warns about major version updates
@@ -49,7 +55,9 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
 
 ## Why
 
-Keeping GitHub Actions updated is critical and time-consuming. Actions Up scans all workflows, highlights available updates, and can pin actions to SHAs for reproducibility.
+Keeping GitHub Actions updated is critical and time-consuming. Actions Up scans
+all workflows, highlights available updates, and can pin actions to SHAs for
+reproducibility.
 
 | Without Actions Up             | With Actions Up                  |
 | :----------------------------- | :------------------------------- |
@@ -59,7 +67,10 @@ Keeping GitHub Actions updated is critical and time-consuming. Actions Up scans
 
 ### Security Motivation
 
-GitHub Actions run arbitrary code in your CI. If a job has secrets available, any action used in that job can read the environment and exfiltrate those secrets. A compromised action or a mutable version tag is a direct path to leakage.
+GitHub Actions run arbitrary code in your CI. If a job has secrets available,
+any action used in that job can read the environment and exfiltrate those
+secrets. A compromised action or a mutable version tag is a direct path to
+leakage.
 
 Actions Up reduces risk by:
 
@@ -67,7 +78,9 @@ Actions Up reduces risk by:
 - Making outdated actions visible and showing exactly what runs in CI
 - Warning about major updates so you can review changes before applying them
 
-Note: secrets are available on `push`, `workflow_dispatch`, `schedule`, and `pull_request_target` triggers (and on fork PRs if explicitly enabled). Always scope workflow permissions to the minimum required.
+Note: secrets are available on `push`, `workflow_dispatch`, `schedule`, and
+`pull_request_target` triggers (and on fork PRs if explicitly enabled). Always
+scope workflow permissions to the minimum required.
 
 ## Installation
 
@@ -107,7 +120,8 @@ npx actions-up
 
 This will:
 
-1. Scan all `.github/workflows/*.yml` and `.github/actions/*/action.yml` files, plus root `action.yml`/`action.yaml`
+1. Scan all `.github/workflows/*.yml` and `.github/actions/*/action.yml` files,
+   plus root `action.yml`/`action.yaml`
 2. Check for available updates
 3. Show an interactive list to select updates
 4. Apply selected updates with SHA pinning
@@ -134,7 +148,8 @@ npx actions-up --dry-run
 
 By default, Actions Up scans `.github`.
 
-Use `--dir` to choose another directory, and pass it multiple times to scan several directories:
+Use `--dir` to choose another directory, and pass it multiple times to scan
+several directories:
 
 ```bash
 npx actions-up --dir .gitea
@@ -143,15 +158,23 @@ npx actions-up --dir .github --dir ./other/.github
 
 ### Recursive Scanning
 
-Use `--recursive` (`-r`) to scan YAML workflow/composite-action files recursively in the selected directories:
+Use `--recursive` (`-r`) to scan YAML workflow/composite-action files
+recursively in the selected directories:
 
 ```bash
+npx actions-up -r
 npx actions-up --dir ./gh-repo-defaults -r
 ```
 
+When `--recursive` is used without `--dir`, Actions Up scans from the current
+directory (`.`).
+
 ### Branch References
 
-By default, actions pinned to branch refs (e.g., `@main`, `@release/v1`) are skipped to avoid changing intentionally floating references. Skipped entries are listed in the output. To include them in update checks, pass `--include-branches`.
+By default, actions pinned to branch refs (e.g., `@main`, `@release/v1`) are
+skipped to avoid changing intentionally floating references. Skipped entries are
+listed in the output. To include them in update checks, pass
+`--include-branches`.
 
 ### Update Mode
 
@@ -162,11 +185,17 @@ npx actions-up --mode minor
 npx actions-up --mode patch
 ```
 
+In `minor` and `patch` modes, Actions Up tries to find the newest compatible tag
+first (for example, from `@v4` in `minor` mode it will choose the latest
+`v4.x.y`). If no compatible version exists, that action is skipped.
+
 ## GitHub Actions Integration
 
 ### Automated PR Checks
 
-You can integrate Actions Up into your CI/CD pipeline to automatically check for outdated actions on every pull request. This helps maintain security and ensures your team stays aware of available updates.
+You can integrate Actions Up into your CI/CD pipeline to automatically check for
+outdated actions on every pull request. This helps maintain security and ensures
+your team stays aware of available updates.
 
 <details>
 <summary>Create <code>.github/workflows/check-actions-updates.yml</code>.</summary>
@@ -288,7 +317,9 @@ jobs:
           fi
 
       - name: Comment PR with updates
-        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
+        if:
+          github.event_name == 'pull_request' &&
+          github.event.pull_request.head.repo.full_name == github.repository
         uses: actions/github-script@v7
         with:
           script: |
@@ -426,7 +457,8 @@ jobs:
 
 ### GitHub Token
 
-Use `GITHUB_TOKEN` (or a PAT) to raise API rate limits from 60 to 5000 requests/hour.
+Use `GITHUB_TOKEN` (or a PAT) to raise API rate limits from 60 to 5000
+requests/hour.
 
 ```bash
 GITHUB_TOKEN=your_token_here npx actions-up
@@ -472,14 +504,17 @@ Ignore comments (file/block/next-line/inline):
 
 Interactive CLI for developers who want control over GitHub Actions updates.
 
-- **vs. Dependabot/Renovate:** Dependabot and Renovate update via pull requests; Actions Up is an interactive CLI with explicit SHA pinning.
-- **vs. pinact:** pinact is a CLI to pin and update Actions and reusable workflows; Actions Up adds interactive selection and major update warnings.
+- **vs. Dependabot/Renovate:** Dependabot and Renovate update via pull requests;
+  Actions Up is an interactive CLI with explicit SHA pinning.
+- **vs. pinact:** pinact is a CLI to pin and update Actions and reusable
+  workflows; Actions Up adds interactive selection and major update warnings.
 - **Zero-config:** `npx actions-up` runs immediately.
 - **Breaking change warnings:** Major updates are flagged before applying.
 
 ## Contributing
 
-See [Contributing Guide](https://github.com/azat-io/actions-up/blob/main/contributing.md).
+See
+[Contributing Guide](https://github.com/azat-io/actions-up/blob/main/contributing.md).
 
 ## License