actions-up 1.12.0 → 1.13.0

package/dist/core/api/check-updates.js

@@ -2,19 +2,19 @@ import { normalizeVersion } from "../versions/normalize-version.js";
 import { isSemverLike } from "../versions/is-semver-like.js";
 import { createGitHubClient } from "./create-github-client.js";
 import semver from "semver";
-async function checkUpdates(i, o, c) {
-	let l = c?.client ?? createGitHubClient(o), u = c?.includeBranches ?? !1, d = i.filter((e) => e.type === "external" || e.type === "reusable-workflow");
-	if (d.length === 0) return [];
-	let f = /* @__PURE__ */ new Map();
-	for (let e of d) {
-		let t = f.get(e.name) ?? [];
-		t.push(e), f.set(e.name, t);
+async function checkUpdates(i, o, l) {
+	let u = l?.client ?? createGitHubClient(o), d = l?.includeBranches ?? !1, f = i.filter((e) => e.type === "external" || e.type === "reusable-workflow");
+	if (f.length === 0) return [];
+	let p = /* @__PURE__ */ new Map();
+	for (let e of f) {
+		let t = p.get(e.name) ?? [];
+		t.push(e), p.set(e.name, t);
 	}
-	let p = {
+	let m = {
 		rateLimitError: null,
 		rateLimitHit: !1
-	}, m = await [...f.keys()].reduce((n, i) => n.then(async (n) => {
-		if (p.rateLimitHit) return [...n, {
+	}, h = await [...p.keys()].reduce((n, i) => n.then(async (n) => {
+		if (m.rateLimitHit) return [...n, {
 			publishedAt: null,
 			version: null,
 			actionName: i,
@@ -27,16 +27,16 @@ async function checkUpdates(i, o, c) {
 			actionName: i,
 			sha: null
 		}];
-		let [o, c] = a;
-		if (!o || !c) return [...n, {
+		let [o, l] = a;
+		if (!o || !l) return [...n, {
 			publishedAt: null,
 			version: null,
 			actionName: i,
 			sha: null
 		}];
 		try {
-			let a = f.get(i)[0]?.version;
-			if (a && !isSha(a) && !isSemverLike(a) && await l.getRefType(o, c, a) === "branch" && !u) return [...n, {
+			let a = p.get(i)[0]?.version;
+			if (a && !isSha(a) && !isSemverLike(a) && await u.getRefType(o, l, a) === "branch" && !d) return [...n, {
 				skipReason: "branch",
 				status: "skipped",
 				publishedAt: null,
@@ -44,37 +44,39 @@ async function checkUpdates(i, o, c) {
 				actionName: i,
 				sha: null
 			}];
-			let d = await l.getLatestRelease(o, c);
-			if (!d) {
-				let e = await l.getAllReleases(o, c, 1);
-				d = e.find((e) => !e.isPrerelease) ?? e[0] ?? null;
+			let f = await u.getLatestRelease(o, l);
+			if (!f) {
+				let e = await u.getAllReleases(o, l, 1);
+				f = e.find((e) => !e.isPrerelease) ?? e[0] ?? null;
 			}
-			if (d) {
-				let { publishedAt: a, version: s, sha: u } = d, f = !1;
+			if (f) {
+				let { publishedAt: a, version: s, sha: d } = f, p = !1;
 				{
 					let n = normalizeVersion(s), i = !!(s && s.trim() !== ""), a = i && /^v?\d+$/u.test(s.trim()), o = semver.valid(n);
-					f = !i || a || !o || !isSemverLike(s);
+					p = !i || a || !o || !isSemverLike(s);
 				}
-				if (f) {
-					let a = await l.getAllTags(o, c, 30);
+				if (p) {
+					let a = await u.getAllTags(o, l, 30);
 					if (a.length > 0) {
-						let u = a.filter((e) => isSemverLike(e.tag)).map((t) => ({
+						let d = a.filter((e) => isSemverLike(e.tag)).map((t) => ({
 							v: semver.valid(normalizeVersion(t.tag)),
 							raw: t
 						}));
-						if (u.length > 0) {
-							u.sort((e, t) => {
+						if (d.length > 0) {
+							d.sort((e, t) => {
 								let n = semver.rcompare(e.v, t.v);
 								if (n !== 0) return n;
 								let i = /\d+\.\d+/u.test(e.raw.tag) ? 1 : 0;
 								return (/\d+\.\d+/u.test(t.raw.tag) ? 1 : 0) - i;
 							});
-							let t = u[0].raw, a = semver.valid(normalizeVersion(s) ?? void 0);
-							if (!a || semver.gt(u[0].v, a) || semver.eq(u[0].v, a) && /\d+\.\d+/u.test(t.tag)) {
+							let t = d[0].raw, a = semver.valid(normalizeVersion(s) ?? void 0);
+							if (!a || semver.gt(d[0].v, a) || semver.eq(d[0].v, a) && /\d+\.\d+/u.test(t.tag)) {
 								let e = t.tag, r = t.sha?.length ? t.sha : null;
 								if (!r && e) try {
-									r = await l.getTagSha(o, c, e);
-								} catch {}
+									r = await u.getTagSha(o, l, e);
+								} catch (e) {
+									if (isRateLimitError(e)) throw e;
+								}
 								return [...n, {
 									version: e,
 									publishedAt: null,
@@ -85,20 +87,26 @@ async function checkUpdates(i, o, c) {
 						}
 					}
 				}
-				if (!u && s) try {
-					u = await l.getTagSha(o, c, s);
-				} catch {}
+				if (s) {
+					let e = d;
+					try {
+						d = await u.getTagSha(o, l, s) ?? e;
+					} catch (t) {
+						if (isRateLimitError(t)) throw t;
+						d = e;
+					}
+				}
 				return [...n, {
 					status: "ok",
 					publishedAt: a,
 					actionName: i,
 					version: s,
-					sha: u
+					sha: d
 				}];
 			}
-			let p = await l.getAllTags(o, c, 30);
-			if (p.length > 0) {
-				let a = p.filter((e) => isSemverLike(e.tag)).map((t) => ({
+			let m = await u.getAllTags(o, l, 30);
+			if (m.length > 0) {
+				let a = m.filter((e) => isSemverLike(e.tag)).map((t) => ({
 					v: semver.valid(normalizeVersion(t.tag)),
 					raw: t
 				})), s;
@@ -107,17 +115,19 @@ async function checkUpdates(i, o, c) {
 					if (n !== 0) return n;
 					let i = /\d+\.\d+/u.test(e.raw.tag) ? 1 : 0;
 					return (/\d+\.\d+/u.test(t.raw.tag) ? 1 : 0) - i;
-				}), s = a[0].raw) : s = p[0];
-				let u = s.tag, d = s.sha?.length ? s.sha : null;
-				if (!d && u) try {
-					d = await l.getTagSha(o, c, u);
-				} catch {}
+				}), s = a[0].raw) : s = m[0];
+				let d = s.tag, f = s.sha?.length ? s.sha : null;
+				if (!f && d) try {
+					f = await u.getTagSha(o, l, d);
+				} catch (e) {
+					if (isRateLimitError(e)) throw e;
+				}
 				return [...n, {
 					status: "ok",
 					publishedAt: null,
 					actionName: i,
-					version: u,
-					sha: d
+					version: d,
+					sha: f
 				}];
 			}
 			return [...n, {
@@ -127,7 +137,7 @@ async function checkUpdates(i, o, c) {
 				sha: null
 			}];
 		} catch (e) {
-			return e instanceof Error && e.name === "GitHubRateLimitError" ? (p.rateLimitHit = !0, p.rateLimitError = e, [...n, {
+			return e instanceof Error && e.name === "GitHubRateLimitError" ? (m.rateLimitHit = !0, m.rateLimitError = e, [...n, {
 				publishedAt: null,
 				version: null,
 				actionName: i,
@@ -140,12 +150,12 @@ async function checkUpdates(i, o, c) {
 			}]);
 		}
 	}), Promise.resolve([]));
-	if (p.rateLimitError) {
-		let e = !!(o ?? process.env.GITHUB_TOKEN), t = `${p.rateLimitError.message || "GitHub API rate limit exceeded."}\n${e ? "Wait for reset or reduce request rate." : "Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#using-github-token-for-higher-rate-limits"}`, n = Error(t);
+	if (m.rateLimitError) {
+		let e = !!(o ?? process.env.GITHUB_TOKEN), t = `${m.rateLimitError.message || "GitHub API rate limit exceeded."}\n${e ? "Wait for reset or reduce request rate." : "Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#github-token"}`, n = Error(t);
 		throw n.name = "GitHubRateLimitError", n;
 	}
-	let h = /* @__PURE__ */ new Map();
-	for (let e of m) h.set(e.actionName, {
+	let g = /* @__PURE__ */ new Map();
+	for (let e of h) g.set(e.actionName, {
 		publishedAt: e.publishedAt,
 		actionName: e.actionName,
 		skipReason: e.skipReason,
@@ -153,23 +163,23 @@ async function checkUpdates(i, o, c) {
 		status: e.status,
 		sha: e.sha
 	});
-	let g = [];
-	for (let e of d) {
-		let t = h.get(e.name);
-		t ? g.push(createUpdate(e, {
+	let _ = [];
+	for (let e of f) {
+		let t = g.get(e.name);
+		t ? _.push(createUpdate(e, {
 			publishedAt: t.publishedAt,
 			version: t.version,
 			sha: t.sha
 		}, {
 			skipReason: t.skipReason,
 			status: t.status
-		})) : g.push(createUpdate(e, {
+		})) : _.push(createUpdate(e, {
 			publishedAt: null,
 			version: null,
 			sha: null
 		}));
 	}
-	return g;
+	return _;
 }
 function createUpdate(t, n, i = {}) {
 	let { version: a, sha: c, publishedAt: l } = n, u = t.version ?? "unknown", d = normalizeVersion(u), f = a ? normalizeVersion(a) : null, p = i.status ?? "ok", m = i.skipReason, h = !1, g = !1;
@@ -216,4 +226,7 @@ function isSha(e) {
 	let t = e.replace(/^v/u, "");
 	return /^[0-9a-f]{7,40}$/iu.test(t);
 }
+function isRateLimitError(e) {
+	return e instanceof Error && e.name === "GitHubRateLimitError";
+}
 export { checkUpdates };

package/dist/core/api/get-all-releases.d.ts

@@ -4,7 +4,8 @@ import { ReleaseInfo } from '../../types/release-info';
  * Fetch releases for a repository.
  *
  * Resolves SHA only for the first returned release via target_commitish when it
- * looks like a SHA; further enrichment happens at higher levels when needed.
+ * looks like a SHA; callers can resolve the tag via git refs later when
+ * pinning.
  *
  * @param context - Client context.
  * @param parameters - Request parameters.

package/dist/core/api/get-compatible-update.d.ts

@@ -2,15 +2,25 @@ import { GitHubClient } from '../../types/github-client';
 import { UpdateMode } from '../../types/update-mode';
 import { TagInfo } from '../../types/tag-info';
 interface GetCompatibleUpdateParameters {
-    /** Optional in-memory cache for resolved tag SHAs. */
+    /**
+     * Optional in-memory cache for resolved tag SHAs.
+     */
     shaCache?: Map<string, string | null>;
-    /** Update mode that limits which tag can be selected. */
+    /**
+     * Update mode that limits which tag can be selected.
+     */
     mode: Exclude<UpdateMode, 'major'>;
-    /** Optional in-memory cache for action tags. */
+    /**
+     * Optional in-memory cache for action tags.
+     */
     tagsCache?: Map<string, TagInfo[]>;
-    /** Current action version used as compatibility baseline. */
+    /**
+     * Current action version used as compatibility baseline.
+     */
     currentVersion: string | null;
-    /** Action name in `owner/repo` format (path suffix is allowed). */
+    /**
+     * Action name in `owner/repo` format (path suffix is allowed).
+     */
     actionName: string;
 }
 /**

package/dist/core/api/get-latest-release.d.ts

@@ -3,9 +3,9 @@ import { ReleaseInfo } from '../../types/release-info';
 /**
  * Fetch the latest release for a repository.
  *
- * If the latest release does not exist (404), returns null. The commit SHA is
- * taken from target_commitish only when it looks like a SHA; otherwise SHA is
- * left null and may be resolved later via tag lookups.
+ * If the latest release does not exist (404), returns null. The commit SHA may
+ * be taken from target_commitish when it looks like a SHA; callers can resolve
+ * the tag via git refs later when pinning.
  *
  * @param context - Client context.
  * @param owner - Repository owner.

package/dist/core/ast/utils/extract-uses-from-steps.d.ts

@@ -1,12 +1,20 @@
 import { GitHubAction } from '../../../types/github-action';
 interface ExtractUsesOptions {
-    /** YAML sequence node containing workflow/action steps. */
+    /**
+     * YAML sequence node containing workflow/action steps.
+     */
     stepsNode: unknown;
-    /** Path of the file being scanned (for metadata). */
+    /**
+     * Path of the file being scanned (for metadata).
+     */
     filePath: string;
-    /** Name of the job containing these steps (for workflows). */
+    /**
+     * Name of the job containing these steps (for workflows).
+     */
     jobName?: string;
-    /** Original YAML file content (for line number calculation). */
+    /**
+     * Original YAML file content (for line number calculation).
+     */
     content: string;
 }
 /**

package/dist/core/constants.d.ts

@@ -1,4 +1,6 @@
-/** Constants for directory names used in the project. */
+/**
+ * Constants for directory names used in the project.
+ */
 export declare const GITHUB_DIRECTORY: ".github";
 export declare const WORKFLOWS_DIRECTORY: "workflows";
 export declare const ACTIONS_DIRECTORY: "actions";

package/dist/core/fs/find-yaml-files-recursive.js

@@ -1,6 +1,6 @@
 import { isYamlFile } from "./is-yaml-file.js";
-import { lstat, readdir } from "node:fs/promises";
 import { join } from "node:path";
+import { lstat, readdir } from "node:fs/promises";
 async function findYamlFilesRecursive(i) {
 	let a = [], o = /* @__PURE__ */ new Set();
 	async function s(i) {

package/dist/core/interactive/prompt-update-selection.d.ts

@@ -1,6 +1,8 @@
 import { ActionUpdate } from '../../types/action-update';
 interface PromptUpdateSelectionOptions {
-    /** Whether to show the Age column. */
+    /**
+     * Whether to show the Age column.
+     */
     showAge?: boolean;
 }
 export declare function promptUpdateSelection(updates: ActionUpdate[], options?: PromptUpdateSelectionOptions): Promise<ActionUpdate[] | null>;

package/dist/core/interactive/prompt-update-selection.js

@@ -4,10 +4,10 @@ import { GITHUB_DIRECTORY } from "../constants.js";
 import { isSha } from "../versions/is-sha.js";
 import { stripAnsi } from "./strip-ansi.js";
 import { padString } from "./pad-string.js";
+import path from "node:path";
 import "node:worker_threads";
 import pc from "picocolors";
 import enquirer from "enquirer";
-import path from "node:path";
 var MIN_ACTION_WIDTH = 40, MIN_JOB_WIDTH = 4, MIN_CURRENT_WIDTH = 16, MAX_VERSION_WIDTH = 7;
 async function promptUpdateSelection(g, v = {}) {
 	let { showAge: y = !1 } = v;
@@ -41,8 +41,8 @@ async function promptUpdateSelection(g, v = {}) {
 		};
 	})), C = [], w = stripAnsi("Action").length, T = stripAnsi("Current").length, E = stripAnsi("Job").length, D = 0, O = !1;
 	for (let [t, a] of b.entries()) {
-		let o = a.action.name, u = S[t], d = u.display, f = a.action.job ?? "–";
-		if (w = Math.max(w, o.length), T = Math.max(T, stripAnsi(d).length, u.versionForPadding && u.shortSha ? stripAnsi(`${padString(u.versionForPadding, D + 1)}${pc.gray(`(${u.shortSha})`)}`).length : 0), E = Math.max(E, f.length), a.latestVersion) {
+		let o = a.action.name, l = S[t], d = l.display, f = a.action.job ?? "–";
+		if (w = Math.max(w, o.length), T = Math.max(T, stripAnsi(d).length, l.versionForPadding && l.shortSha ? stripAnsi(`${padString(l.versionForPadding, D + 1)}${pc.gray(`(${l.shortSha})`)}`).length : 0), E = Math.max(E, f.length), a.latestVersion) {
 			let o = formatVersion(a.latestVersion, S[t]?.effectiveForDiff ?? a.currentVersion);
 			D = Math.max(D, stripAnsi(o).length);
 		}
@@ -56,7 +56,7 @@ async function promptUpdateSelection(g, v = {}) {
 			console.warn(`Unexpected missing group for file: ${a}`);
 			continue;
 		}
-		let s = [], u = o;
+		let s = [], l = o;
 		s.push({
 			current: "Current",
 			action: "Action",
@@ -65,10 +65,10 @@ async function promptUpdateSelection(g, v = {}) {
 			job: "Job",
 			age: "Age"
 		});
-		for (let { update: t, index: a } of u) {
-			let o = !!t.latestSha, u = S[a], d = u.display;
-			u.versionForPadding && u.shortSha && (d = `${padString(u.versionForPadding, M + 1)}${pc.gray(`(${u.shortSha})`)}`);
-			let f = u.effectiveForDiff ?? t.currentVersion, p = formatVersion(t.latestVersion, f), m = t.action.name;
+		for (let { update: t, index: a } of l) {
+			let o = !!t.latestSha, l = S[a], d = l.display;
+			l.versionForPadding && l.shortSha && (d = `${padString(l.versionForPadding, M + 1)}${pc.gray(`(${l.shortSha})`)}`);
+			let f = l.effectiveForDiff ?? t.currentVersion, p = formatVersion(t.latestVersion, f), m = t.action.name;
 			if (t.latestSha) {
 				let i = t.latestSha.slice(0, 7);
 				p = `${padString(p, M + 1)}${pc.gray(`(${i})`)}`;
@@ -101,7 +101,7 @@ async function promptUpdateSelection(g, v = {}) {
 				name: ""
 			});
 			else {
-				let { update: i, index: a } = u[t - 1], s = !!i.latestSha, c = s && !i.isBreaking;
+				let { update: i, index: a } = l[t - 1], s = !!i.latestSha, c = s && !i.isBreaking;
 				_.push({
 					message: o,
 					value: String(a),

package/dist/core/parsing/parse-action-reference.d.ts

@@ -4,18 +4,22 @@ import { GitHubAction } from '../../types/github-action';
  * object.
  *
  * @example
- *   const action = parseActionReference(
- *     'actions/checkout@v3',
- *     'workflow.yml',
- *     10,
- *   )
- *   // Returns: {
- *   //   type: 'external',
- *   //   name: 'actions/checkout',
- *   //   version: 'v3',
- *   //   file: 'workflow.yml',
- *   //   line: 10,
- *   // }
+ *
+ * ```ts
+ * const action = parseActionReference(
+ *   'actions/checkout@v3',
+ *   'workflow.yml',
+ *   10,
+ * )
+ * // Returns:
+ * // {
+ * //   type: 'external',
+ * //   name: 'actions/checkout',
+ * //   version: 'v3',
+ * //   file: 'workflow.yml',
+ * //   line: 10,
+ * // }
+ * ```
  *
  * @param reference - The action reference string to parse. Can be:
  *

package/dist/core/scan-github-actions.d.ts

@@ -4,7 +4,10 @@ import { ScanResult } from '../types/scan-result';
  * actions.
  *
  * @example
- *   const result = await scanGitHubActions('/path/to/repo')
+ *
+ * ```ts
+ * const result = await scanGitHubActions('/path/to/repo')
+ * ```
  *
  * @param rootPath - The root path of the repository to scan. Defaults to
  *   current working directory.