actions-up 1.12.0 → 1.12.1

package/dist/cli/index.d.ts

@@ -1,2 +1,4 @@
-/** Run the CLI. */
+/**
+ * Run the CLI.
+ */
 export declare function run(): void;

package/dist/cli/resolve-scan-directories.d.ts

@@ -1,10 +1,14 @@
-/** Options for resolving scan directories from CLI flags. */
+/**
+ * Options for resolving scan directories from CLI flags.
+ */
 interface ResolveScanDirectoriesOptions {
     dir?: string[] | string;
     recursive?: boolean;
     cwd: string;
 }
-/** Resolved directory with root and relative directory. */
+/**
+ * Resolved directory with root and relative directory.
+ */
 interface ResolvedDirectory {
     root: string;
     dir: string;

package/dist/core/api/check-updates.js

@@ -2,19 +2,19 @@ import { normalizeVersion } from "../versions/normalize-version.js";
 import { isSemverLike } from "../versions/is-semver-like.js";
 import { createGitHubClient } from "./create-github-client.js";
 import semver from "semver";
-async function checkUpdates(i, o, c) {
-	let l = c?.client ?? createGitHubClient(o), u = c?.includeBranches ?? !1, d = i.filter((e) => e.type === "external" || e.type === "reusable-workflow");
-	if (d.length === 0) return [];
-	let f = /* @__PURE__ */ new Map();
-	for (let e of d) {
-		let t = f.get(e.name) ?? [];
-		t.push(e), f.set(e.name, t);
+async function checkUpdates(i, o, l) {
+	let u = l?.client ?? createGitHubClient(o), d = l?.includeBranches ?? !1, f = i.filter((e) => e.type === "external" || e.type === "reusable-workflow");
+	if (f.length === 0) return [];
+	let p = /* @__PURE__ */ new Map();
+	for (let e of f) {
+		let t = p.get(e.name) ?? [];
+		t.push(e), p.set(e.name, t);
 	}
-	let p = {
+	let m = {
 		rateLimitError: null,
 		rateLimitHit: !1
-	}, m = await [...f.keys()].reduce((n, i) => n.then(async (n) => {
-		if (p.rateLimitHit) return [...n, {
+	}, h = await [...p.keys()].reduce((n, i) => n.then(async (n) => {
+		if (m.rateLimitHit) return [...n, {
 			publishedAt: null,
 			version: null,
 			actionName: i,
@@ -27,16 +27,16 @@ async function checkUpdates(i, o, c) {
 			actionName: i,
 			sha: null
 		}];
-		let [o, c] = a;
-		if (!o || !c) return [...n, {
+		let [o, l] = a;
+		if (!o || !l) return [...n, {
 			publishedAt: null,
 			version: null,
 			actionName: i,
 			sha: null
 		}];
 		try {
-			let a = f.get(i)[0]?.version;
-			if (a && !isSha(a) && !isSemverLike(a) && await l.getRefType(o, c, a) === "branch" && !u) return [...n, {
+			let a = p.get(i)[0]?.version;
+			if (a && !isSha(a) && !isSemverLike(a) && await u.getRefType(o, l, a) === "branch" && !d) return [...n, {
 				skipReason: "branch",
 				status: "skipped",
 				publishedAt: null,
@@ -44,37 +44,39 @@ async function checkUpdates(i, o, c) {
 				actionName: i,
 				sha: null
 			}];
-			let d = await l.getLatestRelease(o, c);
-			if (!d) {
-				let e = await l.getAllReleases(o, c, 1);
-				d = e.find((e) => !e.isPrerelease) ?? e[0] ?? null;
+			let f = await u.getLatestRelease(o, l);
+			if (!f) {
+				let e = await u.getAllReleases(o, l, 1);
+				f = e.find((e) => !e.isPrerelease) ?? e[0] ?? null;
 			}
-			if (d) {
-				let { publishedAt: a, version: s, sha: u } = d, f = !1;
+			if (f) {
+				let { publishedAt: a, version: s, sha: d } = f, p = !1;
 				{
 					let n = normalizeVersion(s), i = !!(s && s.trim() !== ""), a = i && /^v?\d+$/u.test(s.trim()), o = semver.valid(n);
-					f = !i || a || !o || !isSemverLike(s);
+					p = !i || a || !o || !isSemverLike(s);
 				}
-				if (f) {
-					let a = await l.getAllTags(o, c, 30);
+				if (p) {
+					let a = await u.getAllTags(o, l, 30);
 					if (a.length > 0) {
-						let u = a.filter((e) => isSemverLike(e.tag)).map((t) => ({
+						let d = a.filter((e) => isSemverLike(e.tag)).map((t) => ({
 							v: semver.valid(normalizeVersion(t.tag)),
 							raw: t
 						}));
-						if (u.length > 0) {
-							u.sort((e, t) => {
+						if (d.length > 0) {
+							d.sort((e, t) => {
 								let n = semver.rcompare(e.v, t.v);
 								if (n !== 0) return n;
 								let i = /\d+\.\d+/u.test(e.raw.tag) ? 1 : 0;
 								return (/\d+\.\d+/u.test(t.raw.tag) ? 1 : 0) - i;
 							});
-							let t = u[0].raw, a = semver.valid(normalizeVersion(s) ?? void 0);
-							if (!a || semver.gt(u[0].v, a) || semver.eq(u[0].v, a) && /\d+\.\d+/u.test(t.tag)) {
+							let t = d[0].raw, a = semver.valid(normalizeVersion(s) ?? void 0);
+							if (!a || semver.gt(d[0].v, a) || semver.eq(d[0].v, a) && /\d+\.\d+/u.test(t.tag)) {
 								let e = t.tag, r = t.sha?.length ? t.sha : null;
 								if (!r && e) try {
-									r = await l.getTagSha(o, c, e);
-								} catch {}
+									r = await u.getTagSha(o, l, e);
+								} catch (e) {
+									if (isRateLimitError(e)) throw e;
+								}
 								return [...n, {
 									version: e,
 									publishedAt: null,
@@ -85,20 +87,26 @@ async function checkUpdates(i, o, c) {
 						}
 					}
 				}
-				if (!u && s) try {
-					u = await l.getTagSha(o, c, s);
-				} catch {}
+				if (s) {
+					let e = d;
+					try {
+						d = await u.getTagSha(o, l, s) ?? e;
+					} catch (t) {
+						if (isRateLimitError(t)) throw t;
+						d = e;
+					}
+				}
 				return [...n, {
 					status: "ok",
 					publishedAt: a,
 					actionName: i,
 					version: s,
-					sha: u
+					sha: d
 				}];
 			}
-			let p = await l.getAllTags(o, c, 30);
-			if (p.length > 0) {
-				let a = p.filter((e) => isSemverLike(e.tag)).map((t) => ({
+			let m = await u.getAllTags(o, l, 30);
+			if (m.length > 0) {
+				let a = m.filter((e) => isSemverLike(e.tag)).map((t) => ({
 					v: semver.valid(normalizeVersion(t.tag)),
 					raw: t
 				})), s;
@@ -107,17 +115,19 @@ async function checkUpdates(i, o, c) {
 					if (n !== 0) return n;
 					let i = /\d+\.\d+/u.test(e.raw.tag) ? 1 : 0;
 					return (/\d+\.\d+/u.test(t.raw.tag) ? 1 : 0) - i;
-				}), s = a[0].raw) : s = p[0];
-				let u = s.tag, d = s.sha?.length ? s.sha : null;
-				if (!d && u) try {
-					d = await l.getTagSha(o, c, u);
-				} catch {}
+				}), s = a[0].raw) : s = m[0];
+				let d = s.tag, f = s.sha?.length ? s.sha : null;
+				if (!f && d) try {
+					f = await u.getTagSha(o, l, d);
+				} catch (e) {
+					if (isRateLimitError(e)) throw e;
+				}
 				return [...n, {
 					status: "ok",
 					publishedAt: null,
 					actionName: i,
-					version: u,
-					sha: d
+					version: d,
+					sha: f
 				}];
 			}
 			return [...n, {
@@ -127,7 +137,7 @@ async function checkUpdates(i, o, c) {
 				sha: null
 			}];
 		} catch (e) {
-			return e instanceof Error && e.name === "GitHubRateLimitError" ? (p.rateLimitHit = !0, p.rateLimitError = e, [...n, {
+			return e instanceof Error && e.name === "GitHubRateLimitError" ? (m.rateLimitHit = !0, m.rateLimitError = e, [...n, {
 				publishedAt: null,
 				version: null,
 				actionName: i,
@@ -140,12 +150,12 @@ async function checkUpdates(i, o, c) {
 			}]);
 		}
 	}), Promise.resolve([]));
-	if (p.rateLimitError) {
-		let e = !!(o ?? process.env.GITHUB_TOKEN), t = `${p.rateLimitError.message || "GitHub API rate limit exceeded."}\n${e ? "Wait for reset or reduce request rate." : "Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#using-github-token-for-higher-rate-limits"}`, n = Error(t);
+	if (m.rateLimitError) {
+		let e = !!(o ?? process.env.GITHUB_TOKEN), t = `${m.rateLimitError.message || "GitHub API rate limit exceeded."}\n${e ? "Wait for reset or reduce request rate." : "Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#github-token"}`, n = Error(t);
 		throw n.name = "GitHubRateLimitError", n;
 	}
-	let h = /* @__PURE__ */ new Map();
-	for (let e of m) h.set(e.actionName, {
+	let g = /* @__PURE__ */ new Map();
+	for (let e of h) g.set(e.actionName, {
 		publishedAt: e.publishedAt,
 		actionName: e.actionName,
 		skipReason: e.skipReason,
@@ -153,23 +163,23 @@ async function checkUpdates(i, o, c) {
 		status: e.status,
 		sha: e.sha
 	});
-	let g = [];
-	for (let e of d) {
-		let t = h.get(e.name);
-		t ? g.push(createUpdate(e, {
+	let _ = [];
+	for (let e of f) {
+		let t = g.get(e.name);
+		t ? _.push(createUpdate(e, {
 			publishedAt: t.publishedAt,
 			version: t.version,
 			sha: t.sha
 		}, {
 			skipReason: t.skipReason,
 			status: t.status
-		})) : g.push(createUpdate(e, {
+		})) : _.push(createUpdate(e, {
 			publishedAt: null,
 			version: null,
 			sha: null
 		}));
 	}
-	return g;
+	return _;
 }
 function createUpdate(t, n, i = {}) {
 	let { version: a, sha: c, publishedAt: l } = n, u = t.version ?? "unknown", d = normalizeVersion(u), f = a ? normalizeVersion(a) : null, p = i.status ?? "ok", m = i.skipReason, h = !1, g = !1;
@@ -216,4 +226,7 @@ function isSha(e) {
 	let t = e.replace(/^v/u, "");
 	return /^[0-9a-f]{7,40}$/iu.test(t);
 }
+function isRateLimitError(e) {
+	return e instanceof Error && e.name === "GitHubRateLimitError";
+}
 export { checkUpdates };

package/dist/core/api/get-all-releases.d.ts

@@ -4,7 +4,8 @@ import { ReleaseInfo } from '../../types/release-info';
  * Fetch releases for a repository.
  *
  * Resolves SHA only for the first returned release via target_commitish when it
- * looks like a SHA; further enrichment happens at higher levels when needed.
+ * looks like a SHA; callers can resolve the tag via git refs later when
+ * pinning.
  *
  * @param context - Client context.
  * @param parameters - Request parameters.

package/dist/core/api/get-compatible-update.d.ts

@@ -2,15 +2,25 @@ import { GitHubClient } from '../../types/github-client';
 import { UpdateMode } from '../../types/update-mode';
 import { TagInfo } from '../../types/tag-info';
 interface GetCompatibleUpdateParameters {
-    /** Optional in-memory cache for resolved tag SHAs. */
+    /**
+     * Optional in-memory cache for resolved tag SHAs.
+     */
     shaCache?: Map<string, string | null>;
-    /** Update mode that limits which tag can be selected. */
+    /**
+     * Update mode that limits which tag can be selected.
+     */
     mode: Exclude<UpdateMode, 'major'>;
-    /** Optional in-memory cache for action tags. */
+    /**
+     * Optional in-memory cache for action tags.
+     */
     tagsCache?: Map<string, TagInfo[]>;
-    /** Current action version used as compatibility baseline. */
+    /**
+     * Current action version used as compatibility baseline.
+     */
     currentVersion: string | null;
-    /** Action name in `owner/repo` format (path suffix is allowed). */
+    /**
+     * Action name in `owner/repo` format (path suffix is allowed).
+     */
     actionName: string;
 }
 /**

package/dist/core/api/get-latest-release.d.ts

@@ -3,9 +3,9 @@ import { ReleaseInfo } from '../../types/release-info';
 /**
  * Fetch the latest release for a repository.
  *
- * If the latest release does not exist (404), returns null. The commit SHA is
- * taken from target_commitish only when it looks like a SHA; otherwise SHA is
- * left null and may be resolved later via tag lookups.
+ * If the latest release does not exist (404), returns null. The commit SHA may
+ * be taken from target_commitish when it looks like a SHA; callers can resolve
+ * the tag via git refs later when pinning.
  *
  * @param context - Client context.
  * @param owner - Repository owner.

package/dist/core/ast/utils/extract-uses-from-steps.d.ts

@@ -1,12 +1,20 @@
 import { GitHubAction } from '../../../types/github-action';
 interface ExtractUsesOptions {
-    /** YAML sequence node containing workflow/action steps. */
+    /**
+     * YAML sequence node containing workflow/action steps.
+     */
     stepsNode: unknown;
-    /** Path of the file being scanned (for metadata). */
+    /**
+     * Path of the file being scanned (for metadata).
+     */
     filePath: string;
-    /** Name of the job containing these steps (for workflows). */
+    /**
+     * Name of the job containing these steps (for workflows).
+     */
     jobName?: string;
-    /** Original YAML file content (for line number calculation). */
+    /**
+     * Original YAML file content (for line number calculation).
+     */
     content: string;
 }
 /**

package/dist/core/constants.d.ts

@@ -1,4 +1,6 @@
-/** Constants for directory names used in the project. */
+/**
+ * Constants for directory names used in the project.
+ */
 export declare const GITHUB_DIRECTORY: ".github";
 export declare const WORKFLOWS_DIRECTORY: "workflows";
 export declare const ACTIONS_DIRECTORY: "actions";

package/dist/core/interactive/prompt-update-selection.d.ts

@@ -1,6 +1,8 @@
 import { ActionUpdate } from '../../types/action-update';
 interface PromptUpdateSelectionOptions {
-    /** Whether to show the Age column. */
+    /**
+     * Whether to show the Age column.
+     */
     showAge?: boolean;
 }
 export declare function promptUpdateSelection(updates: ActionUpdate[], options?: PromptUpdateSelectionOptions): Promise<ActionUpdate[] | null>;

package/dist/core/parsing/parse-action-reference.d.ts

@@ -4,18 +4,22 @@ import { GitHubAction } from '../../types/github-action';
  * object.
  *
  * @example
- *   const action = parseActionReference(
- *     'actions/checkout@v3',
- *     'workflow.yml',
- *     10,
- *   )
- *   // Returns: {
- *   //   type: 'external',
- *   //   name: 'actions/checkout',
- *   //   version: 'v3',
- *   //   file: 'workflow.yml',
- *   //   line: 10,
- *   // }
+ *
+ * ```ts
+ * const action = parseActionReference(
+ *   'actions/checkout@v3',
+ *   'workflow.yml',
+ *   10,
+ * )
+ * // Returns:
+ * // {
+ * //   type: 'external',
+ * //   name: 'actions/checkout',
+ * //   version: 'v3',
+ * //   file: 'workflow.yml',
+ * //   line: 10,
+ * // }
+ * ```
  *
  * @param reference - The action reference string to parse. Can be:
  *

package/dist/core/scan-github-actions.d.ts

@@ -4,7 +4,10 @@ import { ScanResult } from '../types/scan-result';
  * actions.
  *
  * @example
- *   const result = await scanGitHubActions('/path/to/repo')
+ *
+ * ```ts
+ * const result = await scanGitHubActions('/path/to/repo')
+ * ```
  *
  * @param rootPath - The root path of the repository to scan. Defaults to
  *   current working directory.

package/dist/core/versions/get-update-level.d.ts

@@ -1,4 +1,6 @@
-/** Update level for a version change. */
+/**
+ * Update level for a version change.
+ */
 type UpdateLevel = 'unknown' | 'major' | 'minor' | 'patch' | 'none';
 /**
  * Determine the update level between two version strings.

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.12.0";
+const version = "1.12.1";
 export { version };

package/dist/types/action-update.d.ts

@@ -1,30 +1,50 @@
 import { GitHubAction } from './github-action';
-/** Update information for a GitHub Action. */
+/**
+ * Update information for a GitHub Action.
+ */
 export interface ActionUpdate {
-  /** Reason for skipping the update check. */
+  /**
+   * Reason for skipping the update check.
+   */
   skipReason?: 'unknown' | 'branch'
 
-  /** Current version string. */
+  /**
+   * Current version string.
+   */
   currentVersion: string | null
 
-  /** Latest available version. */
+  /**
+   * Latest available version.
+   */
   latestVersion: string | null
 
-  /** Status of the check for this action. */
+  /**
+   * Status of the check for this action.
+   */
   status?: 'skipped' | 'ok'
 
-  /** SHA hash of the latest version. */
+  /**
+   * SHA hash of the latest version.
+   */
   latestSha: string | null
 
-  /** Publication date of the latest version (null if unknown). */
+  /**
+   * Publication date of the latest version (null if unknown).
+   */
   publishedAt: Date | null
 
-  /** The original action from scanning. */
+  /**
+   * The original action from scanning.
+   */
   action: GitHubAction
 
-  /** Whether this is a major version change. */
+  /**
+   * Whether this is a major version change.
+   */
   isBreaking: boolean
 
-  /** Whether an update is available. */
+  /**
+   * Whether an update is available.
+   */
   hasUpdate: boolean
 }

package/dist/types/composite-action-runs.d.ts

@@ -1,12 +1,20 @@
 import { CompositeActionStep } from './composite-action-step';
-/** Represents the runs configuration for a composite action. */
+/**
+ * Represents the runs configuration for a composite action.
+ */
 export interface CompositeActionRuns {
-  /** Array of steps to execute. */
+  /**
+   * Array of steps to execute.
+   */
   steps?: CompositeActionStep[]
 
-  /** Allow additional properties. */
+  /**
+   * Allow additional properties.
+   */
   [key: string]: unknown
 
-  /** Must be 'composite' for composite actions. */
+  /**
+   * Must be 'composite' for composite actions.
+   */
   using?: string
 }

package/dist/types/composite-action-step.d.ts

@@ -1,23 +1,39 @@
-/** Represents a step in a composite GitHub Action. */
+/**
+ * Represents a step in a composite GitHub Action.
+ */
 export interface CompositeActionStep {
-  /** Environment variables for this step. */
+  /**
+   * Environment variables for this step.
+   */
   env?: Record<string, unknown>
 
-  /** Working directory for the step. */
+  /**
+   * Working directory for the step.
+   */
   'working-directory'?: string
 
-  /** Allow additional properties. */
+  /**
+   * Allow additional properties.
+   */
   [key: string]: unknown
 
-  /** Shell to use for the run command. */
+  /**
+   * Shell to use for the run command.
+   */
   shell?: string
 
-  /** Action to use for this step. */
+  /**
+   * Action to use for this step.
+   */
   uses?: string
 
-  /** Display name for this step. */
+  /**
+   * Display name for this step.
+   */
   name?: string
 
-  /** Shell command to run for this step. */
+  /**
+   * Shell command to run for this step.
+   */
   run?: string
 }

package/dist/types/composite-action-structure.d.ts

@@ -1,21 +1,35 @@
 import { CompositeActionRuns } from './composite-action-runs';
-/** Represents the structure of a composite GitHub Action file. */
+/**
+ * Represents the structure of a composite GitHub Action file.
+ */
 export interface CompositeActionStructure {
-  /** Output values from the action. */
+  /**
+   * Output values from the action.
+   */
   outputs?: Record<string, unknown>
 
-  /** Input parameters for the action. */
+  /**
+   * Input parameters for the action.
+   */
   inputs?: Record<string, unknown>
 
-  /** Runs configuration for composite actions. */
+  /**
+   * Runs configuration for composite actions.
+   */
   runs?: CompositeActionRuns
 
-  /** Allow additional properties. */
+  /**
+   * Allow additional properties.
+   */
   [key: string]: unknown
 
-  /** Description of what the action does. */
+  /**
+   * Description of what the action does.
+   */
   description?: string
 
-  /** Display name of the action. */
+  /**
+   * Display name of the action.
+   */
   name?: string
 }

package/dist/types/github-action.d.ts

@@ -1,26 +1,44 @@
-/** Represents a GitHub Action used in workflows or composite actions. */
+/**
+ * Represents a GitHub Action used in workflows or composite actions.
+ */
 export interface GitHubAction {
-  /** Type of the GitHub Action. */
+  /**
+   * Type of the GitHub Action.
+   */
   type: 'reusable-workflow' | 'composite' | 'external' | 'docker' | 'local'
 
-  /** Version or tag of the action (e.g., 'v1', 'main', commit SHA). */
+  /**
+   * Version or tag of the action (e.g., 'v1', 'main', commit SHA).
+   */
   version?: string | null
 
-  /** Line number where the action is used in the file. */
+  /**
+   * Line number where the action is used in the file.
+   */
   line?: number
 
-  /** Path to the file where this action is used. */
+  /**
+   * Path to the file where this action is used.
+   */
   file?: string
 
-  /** Original `uses` string from workflow, if available. */
+  /**
+   * Original `uses` string from workflow, if available.
+   */
   uses?: string
 
-  /** Name of the job where this action is used (for workflows). */
+  /**
+   * Name of the job where this action is used (for workflows).
+   */
   job?: string
 
-  /** Full name of the action (e.g., 'actions/checkout'). */
+  /**
+   * Full name of the action (e.g., 'actions/checkout').
+   */
   name: string
 
-  /** Original `ref` string from workflow, if available. */
+  /**
+   * Original `ref` string from workflow, if available.
+   */
   ref?: string
 }

package/dist/types/github-client-context.d.ts

@@ -6,27 +6,43 @@ import { TagInfo } from './tag-info';
  * number of API requests during a single run.
  */
 export interface GitHubClientContext {
-  /** Lightweight caches keyed by owner/repo (+ extra payload). */
+  /**
+   * Lightweight caches keyed by owner/repo (+ extra payload).
+   */
   caches: {
-    /** Cache of reference type detections (branch/tag/null). */
+    /**
+     * Cache of reference type detections (branch/tag/null).
+     */
     refType: Map<string, 'branch' | 'tag' | null>
 
-    /** Cache of resolved tag metadata (message/date/SHA). */
+    /**
+     * Cache of resolved tag metadata (message/date/SHA).
+     */
     tagInfo: Map<string, TagInfo | null>
 
-    /** Cache of resolved tag commit SHAs. */
+    /**
+     * Cache of resolved tag commit SHAs.
+     */
     tagSha: Map<string, string | null>
   }
 
-  /** Remaining requests available per current rate-limit window. */
+  /**
+   * Remaining requests available per current rate-limit window.
+   */
   rateLimitRemaining: number
 
-  /** GitHub token, if available. */
+  /**
+   * GitHub token, if available.
+   */
   token: undefined | string
 
-  /** Scheduled time when rate limit resets. */
+  /**
+   * Scheduled time when rate limit resets.
+   */
   rateLimitReset: Date
 
-  /** GitHub REST API base URL. */
+  /**
+   * GitHub REST API base URL.
+   */
   baseUrl: string
 }

package/dist/types/github-client.d.ts

@@ -8,35 +8,51 @@ import { TagInfo } from './tag-info';
  * normalized, serializable data structures.
  */
 export interface GitHubClient {
-  /** Detect whether a reference is a tag or a branch (or unknown). */
+  /**
+   * Detect whether a reference is a tag or a branch (or unknown).
+   */
   getRefType(
     owner: string,
     repo: string,
     reference: string,
   ): Promise<'branch' | 'tag' | null>
 
-  /** List releases with minimal enrichment. */
+  /**
+   * List releases with minimal enrichment.
+   */
   getAllReleases(
     owner: string,
     repo: string,
     limit?: number,
   ): Promise<ReleaseInfo[]>
 
-  /** Fetch tag metadata (message/date) and the resolved commit SHA. */
+  /**
+   * Fetch tag metadata (message/date) and the resolved commit SHA.
+   */
   getTagInfo(owner: string, repo: string, tag: string): Promise<TagInfo | null>
 
-  /** Resolve commit SHA for a tag without fetching commit data. */
+  /**
+   * Resolve commit SHA for a tag without fetching commit data.
+   */
   getTagSha(owner: string, repo: string, tag: string): Promise<string | null>
 
-  /** List repository tags (name + commit SHA). */
+  /**
+   * List repository tags (name + commit SHA).
+   */
   getAllTags(owner: string, repo: string, limit?: number): Promise<TagInfo[]>
 
-  /** Fetch the latest release or null when no latest release exists. */
+  /**
+   * Fetch the latest release or null when no latest release exists.
+   */
   getLatestRelease(owner: string, repo: string): Promise<ReleaseInfo | null>
 
-  /** Current rate limit snapshot. */
+  /**
+   * Current rate limit snapshot.
+   */
   getRateLimitStatus(): { remaining: number; resetAt: Date }
 
-  /** True when remaining requests are below a threshold. */
+  /**
+   * True when remaining requests are below a threshold.
+   */
   shouldWaitForRateLimit(threshold?: number): boolean
 }

package/dist/types/release-info.d.ts

@@ -1,23 +1,39 @@
-/** Normalized release information used across the tool. */
+/**
+ * Normalized release information used across the tool.
+ */
 export interface ReleaseInfo {
-  /** Release description (body) or null when absent. */
+  /**
+   * Release description (body) or null when absent.
+   */
   description: string | null
 
-  /** True when the release is marked as prerelease. */
+  /**
+   * True when the release is marked as prerelease.
+   */
   isPrerelease: boolean
 
-  /** Commit SHA associated with the release tag (may be null). */
+  /**
+   * Commit SHA associated with the release tag when known (may be provisional).
+   */
   sha: string | null
 
-  /** Publication date of the release. */
+  /**
+   * Publication date of the release.
+   */
   publishedAt: Date
 
-  /** Tag name (e.g. V1.2.3). */
+  /**
+   * Tag name (e.g. V1.2.3).
+   */
   version: string
 
-  /** Release name or tag name when name is not provided. */
+  /**
+   * Release name or tag name when name is not provided.
+   */
   name: string
 
-  /** HTML URL of the release page. */
+  /**
+   * HTML URL of the release page.
+   */
   url: string
 }

package/dist/types/scan-result.d.ts

@@ -1,12 +1,20 @@
 import { GitHubAction } from './github-action';
-/** Result of scanning a repository for GitHub Actions usage. */
+/**
+ * Result of scanning a repository for GitHub Actions usage.
+ */
 export interface ScanResult {
-  /** Map of workflow files to their used GitHub Actions. */
+  /**
+   * Map of workflow files to their used GitHub Actions.
+   */
   workflows: Map<string, GitHubAction[]>
 
-  /** Map of composite action names to their file paths. */
+  /**
+   * Map of composite action names to their file paths.
+   */
   compositeActions: Map<string, string>
 
-  /** List of all unique GitHub Actions found in the repository. */
+  /**
+   * List of all unique GitHub Actions found in the repository.
+   */
   actions: GitHubAction[]
 }

package/dist/types/tag-info.d.ts

@@ -1,14 +1,24 @@
-/** Normalized tag information (message/date) and the resolved commit SHA. */
+/**
+ * Normalized tag information (message/date) and the resolved commit SHA.
+ */
 export interface TagInfo {
-  /** Tag or commit message, null when absent. */
+  /**
+   * Tag or commit message, null when absent.
+   */
   message: string | null
 
-  /** Commit SHA the tag ultimately points to (may be null). */
+  /**
+   * Commit SHA the tag ultimately points to (may be null).
+   */
   sha: string | null
 
-  /** Date associated with the tag (from release, tagger or commit). */
+  /**
+   * Date associated with the tag (from release, tagger or commit).
+   */
   date: Date | null
 
-  /** Tag name (e.g. V1.2.3). */
+  /**
+   * Tag name (e.g. V1.2.3).
+   */
   tag: string
 }

package/dist/types/update-mode.d.ts

@@ -1,2 +1,4 @@
-/** Allowed update modes for filtering actions. */
+/**
+ * Allowed update modes for filtering actions.
+ */
 export type UpdateMode = 'major' | 'minor' | 'patch'

package/dist/types/workflow-job.d.ts

@@ -1,27 +1,45 @@
 import { WorkflowStep } from './workflow-step';
-/** Represents a job in a GitHub Actions workflow. */
+/**
+ * Represents a job in a GitHub Actions workflow.
+ */
 export interface WorkflowJob {
-  /** Secrets passed to the reusable workflow ('inherit' or specific secrets). */
+  /**
+   * Secrets passed to the reusable workflow ('inherit' or specific secrets).
+   */
   secrets?: Record<string, unknown> | 'inherit'
 
-  /** Input parameters passed to the reusable workflow. */
+  /**
+   * Input parameters passed to the reusable workflow.
+   */
   with?: Record<string, unknown>
 
-  /** Runner environment(s) to execute this job on (e.g., 'ubuntu-latest'). */
+  /**
+   * Runner environment(s) to execute this job on (e.g., 'ubuntu-latest').
+   */
   'runs-on'?: string[] | string
 
-  /** Job IDs that must complete successfully before this job runs. */
+  /**
+   * Job IDs that must complete successfully before this job runs.
+   */
   needs?: string[] | string
 
-  /** Array of steps to execute in this job. */
+  /**
+   * Array of steps to execute in this job.
+   */
   steps?: WorkflowStep[]
 
-  /** Allow additional properties for job configuration. */
+  /**
+   * Allow additional properties for job configuration.
+   */
   [key: string]: unknown
 
-  /** Reusable workflow reference (mutually exclusive with 'steps'). */
+  /**
+   * Reusable workflow reference (mutually exclusive with 'steps').
+   */
   uses?: string
 
-  /** Conditional expression to determine if the job should run. */
+  /**
+   * Conditional expression to determine if the job should run.
+   */
   if?: string
 }

package/dist/types/workflow-step.d.ts

@@ -1,20 +1,34 @@
-/** Represents a single step in a GitHub Actions workflow job. */
+/**
+ * Represents a single step in a GitHub Actions workflow job.
+ */
 export interface WorkflowStep {
-  /** Input parameters to pass to the action. */
+  /**
+   * Input parameters to pass to the action.
+   */
   with?: Record<string, unknown>
 
-  /** Environment variables to set for this step. */
+  /**
+   * Environment variables to set for this step.
+   */
   env?: Record<string, unknown>
 
-  /** Allow additional properties for step configuration. */
+  /**
+   * Allow additional properties for step configuration.
+   */
   [key: string]: unknown
 
-  /** Action to use for this step (e.g., 'actions/checkout@v4'). */
+  /**
+   * Action to use for this step (e.g., 'actions/checkout@v4').
+   */
   uses?: string
 
-  /** Display name for this step. */
+  /**
+   * Display name for this step.
+   */
   name?: string
 
-  /** Shell command to run for this step. */
+  /**
+   * Shell command to run for this step.
+   */
   run?: string
 }

package/dist/types/workflow-structure.d.ts

@@ -1,15 +1,25 @@
 import { WorkflowJob } from './workflow-job';
-/** Represents the root structure of a GitHub Actions workflow file. */
+/**
+ * Represents the root structure of a GitHub Actions workflow file.
+ */
 export interface WorkflowStructure {
-  /** Map of job IDs to job configurations. */
+  /**
+   * Map of job IDs to job configurations.
+   */
   jobs?: Record<string, WorkflowJob>
 
-  /** Allow additional properties for workflow configuration. */
+  /**
+   * Allow additional properties for workflow configuration.
+   */
   [key: string]: unknown
 
-  /** Display name for the workflow. */
+  /**
+   * Display name for the workflow.
+   */
   name?: string
 
-  /** Events that trigger the workflow (push, pull_request, etc.). */
+  /**
+   * Events that trigger the workflow (push, pull_request, etc.).
+   */
   on?: unknown
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.12.0",
+  "version": "1.12.1",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",
@@ -36,19 +36,14 @@
     "./dist"
   ],
   "dependencies": {
-    "cac": "^6.7.14",
+    "cac": "^7.0.0",
     "enquirer": "^2.4.1",
     "nanospinner": "^1.2.2",
     "picocolors": "^1.1.1",
     "semver": "^7.7.4",
-    "yaml": "^2.8.2"
+    "yaml": "^2.8.3"
   },
   "engines": {
     "node": "^18.0.0 || >=20.0.0"
-  },
-  "pnpm": {
-    "overrides": {
-      "vite": "npm:rolldown-vite@latest"
-    }
   }
 }

package/readme.md

@@ -12,15 +12,21 @@
 [![Code Coverage](https://img.shields.io/codecov/c/github/azat-io/actions-up.svg?color=fff&labelColor=4493f8)](https://codecov.io/gh/azat-io/actions-up)
 [![GitHub License](https://img.shields.io/badge/license-MIT-232428.svg?color=fff&labelColor=4493f8)](https://github.com/azat-io/actions-up/blob/main/license.md)
 
-Actions Up scans your workflows and composite actions to discover every referenced GitHub Action, then checks for newer releases.
+Actions Up scans your workflows and composite actions to discover every
+referenced GitHub Action, then checks for newer releases.
 
-Interactively upgrade and pin actions to exact commit SHAs for secure, reproducible CI and low-friction maintenance.
+Interactively upgrade and pin actions to exact commit SHAs for secure,
+reproducible CI and low-friction maintenance.
 
 ## Features
 
-- **Auto-discovery**: Scans all workflows (`.github/workflows/*.yml`) and composite actions (`.github/actions/*/action.yml` and root `action.yml`/`action.yaml`)
-- **Reusable Workflows**: Detects and updates reusable workflow calls at the job level
-- **SHA pinning**: Updates actions to use commit SHA instead of tags for better security
+- **Auto-discovery**: Scans all workflows (`.github/workflows/*.yml`) and
+  composite actions (`.github/actions/*/action.yml` and root
+  `action.yml`/`action.yaml`)
+- **Reusable Workflows**: Detects and updates reusable workflow calls at the job
+  level
+- **SHA pinning**: Updates actions to use commit SHA instead of tags for better
+  security
 - **Batch Updates**: Update multiple actions at once
 - **Interactive Selection**: Choose which actions to update
 - **Breaking Changes Detection**: Warns about major version updates
@@ -49,7 +55,9 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
 
 ## Why
 
-Keeping GitHub Actions updated is critical and time-consuming. Actions Up scans all workflows, highlights available updates, and can pin actions to SHAs for reproducibility.
+Keeping GitHub Actions updated is critical and time-consuming. Actions Up scans
+all workflows, highlights available updates, and can pin actions to SHAs for
+reproducibility.
 
 | Without Actions Up             | With Actions Up                  |
 | :----------------------------- | :------------------------------- |
@@ -59,7 +67,10 @@ Keeping GitHub Actions updated is critical and time-consuming. Actions Up scans
 
 ### Security Motivation
 
-GitHub Actions run arbitrary code in your CI. If a job has secrets available, any action used in that job can read the environment and exfiltrate those secrets. A compromised action or a mutable version tag is a direct path to leakage.
+GitHub Actions run arbitrary code in your CI. If a job has secrets available,
+any action used in that job can read the environment and exfiltrate those
+secrets. A compromised action or a mutable version tag is a direct path to
+leakage.
 
 Actions Up reduces risk by:
 
@@ -67,7 +78,9 @@ Actions Up reduces risk by:
 - Making outdated actions visible and showing exactly what runs in CI
 - Warning about major updates so you can review changes before applying them
 
-Note: secrets are available on `push`, `workflow_dispatch`, `schedule`, and `pull_request_target` triggers (and on fork PRs if explicitly enabled). Always scope workflow permissions to the minimum required.
+Note: secrets are available on `push`, `workflow_dispatch`, `schedule`, and
+`pull_request_target` triggers (and on fork PRs if explicitly enabled). Always
+scope workflow permissions to the minimum required.
 
 ## Installation
 
@@ -107,7 +120,8 @@ npx actions-up
 
 This will:
 
-1. Scan all `.github/workflows/*.yml` and `.github/actions/*/action.yml` files, plus root `action.yml`/`action.yaml`
+1. Scan all `.github/workflows/*.yml` and `.github/actions/*/action.yml` files,
+   plus root `action.yml`/`action.yaml`
 2. Check for available updates
 3. Show an interactive list to select updates
 4. Apply selected updates with SHA pinning
@@ -134,7 +148,8 @@ npx actions-up --dry-run
 
 By default, Actions Up scans `.github`.
 
-Use `--dir` to choose another directory, and pass it multiple times to scan several directories:
+Use `--dir` to choose another directory, and pass it multiple times to scan
+several directories:
 
 ```bash
 npx actions-up --dir .gitea
@@ -143,18 +158,23 @@ npx actions-up --dir .github --dir ./other/.github
 
 ### Recursive Scanning
 
-Use `--recursive` (`-r`) to scan YAML workflow/composite-action files recursively in the selected directories:
+Use `--recursive` (`-r`) to scan YAML workflow/composite-action files
+recursively in the selected directories:
 
 ```bash
 npx actions-up -r
 npx actions-up --dir ./gh-repo-defaults -r
 ```
 
-When `--recursive` is used without `--dir`, Actions Up scans from the current directory (`.`).
+When `--recursive` is used without `--dir`, Actions Up scans from the current
+directory (`.`).
 
 ### Branch References
 
-By default, actions pinned to branch refs (e.g., `@main`, `@release/v1`) are skipped to avoid changing intentionally floating references. Skipped entries are listed in the output. To include them in update checks, pass `--include-branches`.
+By default, actions pinned to branch refs (e.g., `@main`, `@release/v1`) are
+skipped to avoid changing intentionally floating references. Skipped entries are
+listed in the output. To include them in update checks, pass
+`--include-branches`.
 
 ### Update Mode
 
@@ -165,15 +185,17 @@ npx actions-up --mode minor
 npx actions-up --mode patch
 ```
 
-In `minor` and `patch` modes, Actions Up tries to find the newest compatible
-tag first (for example, from `@v4` in `minor` mode it will choose the latest
+In `minor` and `patch` modes, Actions Up tries to find the newest compatible tag
+first (for example, from `@v4` in `minor` mode it will choose the latest
 `v4.x.y`). If no compatible version exists, that action is skipped.
 
 ## GitHub Actions Integration
 
 ### Automated PR Checks
 
-You can integrate Actions Up into your CI/CD pipeline to automatically check for outdated actions on every pull request. This helps maintain security and ensures your team stays aware of available updates.
+You can integrate Actions Up into your CI/CD pipeline to automatically check for
+outdated actions on every pull request. This helps maintain security and ensures
+your team stays aware of available updates.
 
 <details>
 <summary>Create <code>.github/workflows/check-actions-updates.yml</code>.</summary>
@@ -295,7 +317,9 @@ jobs:
           fi
 
       - name: Comment PR with updates
-        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
+        if:
+          github.event_name == 'pull_request' &&
+          github.event.pull_request.head.repo.full_name == github.repository
         uses: actions/github-script@v7
         with:
           script: |
@@ -433,7 +457,8 @@ jobs:
 
 ### GitHub Token
 
-Use `GITHUB_TOKEN` (or a PAT) to raise API rate limits from 60 to 5000 requests/hour.
+Use `GITHUB_TOKEN` (or a PAT) to raise API rate limits from 60 to 5000
+requests/hour.
 
 ```bash
 GITHUB_TOKEN=your_token_here npx actions-up
@@ -479,14 +504,17 @@ Ignore comments (file/block/next-line/inline):
 
 Interactive CLI for developers who want control over GitHub Actions updates.
 
-- **vs. Dependabot/Renovate:** Dependabot and Renovate update via pull requests; Actions Up is an interactive CLI with explicit SHA pinning.
-- **vs. pinact:** pinact is a CLI to pin and update Actions and reusable workflows; Actions Up adds interactive selection and major update warnings.
+- **vs. Dependabot/Renovate:** Dependabot and Renovate update via pull requests;
+  Actions Up is an interactive CLI with explicit SHA pinning.
+- **vs. pinact:** pinact is a CLI to pin and update Actions and reusable
+  workflows; Actions Up adds interactive selection and major update warnings.
 - **Zero-config:** `npx actions-up` runs immediately.
 - **Breaking change warnings:** Major updates are flagged before applying.
 
 ## Contributing
 
-See [Contributing Guide](https://github.com/azat-io/actions-up/blob/main/contributing.md).
+See
+[Contributing Guide](https://github.com/azat-io/actions-up/blob/main/contributing.md).
 
 ## License