actions-up 1.12.0 → 1.13.0

package/dist/types/tag-info.d.ts

@@ -1,14 +1,24 @@
-/** Normalized tag information (message/date) and the resolved commit SHA. */
+/**
+ * Normalized tag information (message/date) and the resolved commit SHA.
+ */
 export interface TagInfo {
-  /** Tag or commit message, null when absent. */
+  /**
+   * Tag or commit message, null when absent.
+   */
   message: string | null
 
-  /** Commit SHA the tag ultimately points to (may be null). */
+  /**
+   * Commit SHA the tag ultimately points to (may be null).
+   */
   sha: string | null
 
-  /** Date associated with the tag (from release, tagger or commit). */
+  /**
+   * Date associated with the tag (from release, tagger or commit).
+   */
   date: Date | null
 
-  /** Tag name (e.g. V1.2.3). */
+  /**
+   * Tag name (e.g. V1.2.3).
+   */
   tag: string
 }

package/dist/types/update-mode.d.ts

@@ -1,2 +1,4 @@
-/** Allowed update modes for filtering actions. */
+/**
+ * Allowed update modes for filtering actions.
+ */
 export type UpdateMode = 'major' | 'minor' | 'patch'

package/dist/types/workflow-job.d.ts

@@ -1,27 +1,45 @@
 import { WorkflowStep } from './workflow-step';
-/** Represents a job in a GitHub Actions workflow. */
+/**
+ * Represents a job in a GitHub Actions workflow.
+ */
 export interface WorkflowJob {
-  /** Secrets passed to the reusable workflow ('inherit' or specific secrets). */
+  /**
+   * Secrets passed to the reusable workflow ('inherit' or specific secrets).
+   */
   secrets?: Record<string, unknown> | 'inherit'
 
-  /** Input parameters passed to the reusable workflow. */
+  /**
+   * Input parameters passed to the reusable workflow.
+   */
   with?: Record<string, unknown>
 
-  /** Runner environment(s) to execute this job on (e.g., 'ubuntu-latest'). */
+  /**
+   * Runner environment(s) to execute this job on (e.g., 'ubuntu-latest').
+   */
   'runs-on'?: string[] | string
 
-  /** Job IDs that must complete successfully before this job runs. */
+  /**
+   * Job IDs that must complete successfully before this job runs.
+   */
   needs?: string[] | string
 
-  /** Array of steps to execute in this job. */
+  /**
+   * Array of steps to execute in this job.
+   */
   steps?: WorkflowStep[]
 
-  /** Allow additional properties for job configuration. */
+  /**
+   * Allow additional properties for job configuration.
+   */
   [key: string]: unknown
 
-  /** Reusable workflow reference (mutually exclusive with 'steps'). */
+  /**
+   * Reusable workflow reference (mutually exclusive with 'steps').
+   */
   uses?: string
 
-  /** Conditional expression to determine if the job should run. */
+  /**
+   * Conditional expression to determine if the job should run.
+   */
   if?: string
 }

package/dist/types/workflow-step.d.ts

@@ -1,20 +1,34 @@
-/** Represents a single step in a GitHub Actions workflow job. */
+/**
+ * Represents a single step in a GitHub Actions workflow job.
+ */
 export interface WorkflowStep {
-  /** Input parameters to pass to the action. */
+  /**
+   * Input parameters to pass to the action.
+   */
   with?: Record<string, unknown>
 
-  /** Environment variables to set for this step. */
+  /**
+   * Environment variables to set for this step.
+   */
   env?: Record<string, unknown>
 
-  /** Allow additional properties for step configuration. */
+  /**
+   * Allow additional properties for step configuration.
+   */
   [key: string]: unknown
 
-  /** Action to use for this step (e.g., 'actions/checkout@v4'). */
+  /**
+   * Action to use for this step (e.g., 'actions/checkout@v4').
+   */
   uses?: string
 
-  /** Display name for this step. */
+  /**
+   * Display name for this step.
+   */
   name?: string
 
-  /** Shell command to run for this step. */
+  /**
+   * Shell command to run for this step.
+   */
   run?: string
 }

package/dist/types/workflow-structure.d.ts

@@ -1,15 +1,25 @@
 import { WorkflowJob } from './workflow-job';
-/** Represents the root structure of a GitHub Actions workflow file. */
+/**
+ * Represents the root structure of a GitHub Actions workflow file.
+ */
 export interface WorkflowStructure {
-  /** Map of job IDs to job configurations. */
+  /**
+   * Map of job IDs to job configurations.
+   */
   jobs?: Record<string, WorkflowJob>
 
-  /** Allow additional properties for workflow configuration. */
+  /**
+   * Allow additional properties for workflow configuration.
+   */
   [key: string]: unknown
 
-  /** Display name for the workflow. */
+  /**
+   * Display name for the workflow.
+   */
   name?: string
 
-  /** Events that trigger the workflow (push, pull_request, etc.). */
+  /**
+   * Events that trigger the workflow (push, pull_request, etc.).
+   */
   on?: unknown
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.12.0",
+  "version": "1.13.0",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",
@@ -36,19 +36,14 @@
     "./dist"
   ],
   "dependencies": {
-    "cac": "^6.7.14",
+    "cac": "^7.0.0",
     "enquirer": "^2.4.1",
     "nanospinner": "^1.2.2",
     "picocolors": "^1.1.1",
     "semver": "^7.7.4",
-    "yaml": "^2.8.2"
+    "yaml": "^2.8.3"
   },
   "engines": {
     "node": "^18.0.0 || >=20.0.0"
-  },
-  "pnpm": {
-    "overrides": {
-      "vite": "npm:rolldown-vite@latest"
-    }
   }
 }

package/readme.md

@@ -12,15 +12,21 @@
 [![Code Coverage](https://img.shields.io/codecov/c/github/azat-io/actions-up.svg?color=fff&labelColor=4493f8)](https://codecov.io/gh/azat-io/actions-up)
 [![GitHub License](https://img.shields.io/badge/license-MIT-232428.svg?color=fff&labelColor=4493f8)](https://github.com/azat-io/actions-up/blob/main/license.md)
 
-Actions Up scans your workflows and composite actions to discover every referenced GitHub Action, then checks for newer releases.
+Actions Up scans your workflows and composite actions to discover every
+referenced GitHub Action, then checks for newer releases.
 
-Interactively upgrade and pin actions to exact commit SHAs for secure, reproducible CI and low-friction maintenance.
+Interactively upgrade and pin actions to exact commit SHAs for secure,
+reproducible CI and low-friction maintenance.
 
 ## Features
 
-- **Auto-discovery**: Scans all workflows (`.github/workflows/*.yml`) and composite actions (`.github/actions/*/action.yml` and root `action.yml`/`action.yaml`)
-- **Reusable Workflows**: Detects and updates reusable workflow calls at the job level
-- **SHA pinning**: Updates actions to use commit SHA instead of tags for better security
+- **Auto-discovery**: Scans all workflows (`.github/workflows/*.yml`) and
+  composite actions (`.github/actions/*/action.yml` and root
+  `action.yml`/`action.yaml`)
+- **Reusable Workflows**: Detects and updates reusable workflow calls at the job
+  level
+- **SHA pinning**: Updates actions to use commit SHA instead of tags for better
+  security
 - **Batch Updates**: Update multiple actions at once
 - **Interactive Selection**: Choose which actions to update
 - **Breaking Changes Detection**: Warns about major version updates
@@ -49,7 +55,9 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
 
 ## Why
 
-Keeping GitHub Actions updated is critical and time-consuming. Actions Up scans all workflows, highlights available updates, and can pin actions to SHAs for reproducibility.
+Keeping GitHub Actions updated is critical and time-consuming. Actions Up scans
+all workflows, highlights available updates, and can pin actions to SHAs for
+reproducibility.
 
 | Without Actions Up             | With Actions Up                  |
 | :----------------------------- | :------------------------------- |
@@ -59,7 +67,10 @@ Keeping GitHub Actions updated is critical and time-consuming. Actions Up scans
 
 ### Security Motivation
 
-GitHub Actions run arbitrary code in your CI. If a job has secrets available, any action used in that job can read the environment and exfiltrate those secrets. A compromised action or a mutable version tag is a direct path to leakage.
+GitHub Actions run arbitrary code in your CI. If a job has secrets available,
+any action used in that job can read the environment and exfiltrate those
+secrets. A compromised action or a mutable version tag is a direct path to
+leakage.
 
 Actions Up reduces risk by:
 
@@ -67,7 +78,9 @@ Actions Up reduces risk by:
 - Making outdated actions visible and showing exactly what runs in CI
 - Warning about major updates so you can review changes before applying them
 
-Note: secrets are available on `push`, `workflow_dispatch`, `schedule`, and `pull_request_target` triggers (and on fork PRs if explicitly enabled). Always scope workflow permissions to the minimum required.
+Note: secrets are available on `push`, `workflow_dispatch`, `schedule`, and
+`pull_request_target` triggers (and on fork PRs if explicitly enabled). Always
+scope workflow permissions to the minimum required.
 
 ## Installation
 
@@ -107,7 +120,8 @@ npx actions-up
 
 This will:
 
-1. Scan all `.github/workflows/*.yml` and `.github/actions/*/action.yml` files, plus root `action.yml`/`action.yaml`
+1. Scan all `.github/workflows/*.yml` and `.github/actions/*/action.yml` files,
+   plus root `action.yml`/`action.yaml`
 2. Check for available updates
 3. Show an interactive list to select updates
 4. Apply selected updates with SHA pinning
@@ -130,11 +144,23 @@ Check for updates without making any changes:
 npx actions-up --dry-run
 ```
 
+### JSON Mode
+
+Output a machine-readable JSON report instead of the interactive UI:
+
+```bash
+npx actions-up --json
+```
+
+`--json` is report-only: it never writes files, skips the interactive prompt,
+and cannot be combined with `--yes`.
+
 ### Custom Directory
 
 By default, Actions Up scans `.github`.
 
-Use `--dir` to choose another directory, and pass it multiple times to scan several directories:
+Use `--dir` to choose another directory, and pass it multiple times to scan
+several directories:
 
 ```bash
 npx actions-up --dir .gitea
@@ -143,18 +169,23 @@ npx actions-up --dir .github --dir ./other/.github
 
 ### Recursive Scanning
 
-Use `--recursive` (`-r`) to scan YAML workflow/composite-action files recursively in the selected directories:
+Use `--recursive` (`-r`) to scan YAML workflow/composite-action files
+recursively in the selected directories:
 
 ```bash
 npx actions-up -r
 npx actions-up --dir ./gh-repo-defaults -r
 ```
 
-When `--recursive` is used without `--dir`, Actions Up scans from the current directory (`.`).
+When `--recursive` is used without `--dir`, Actions Up scans from the current
+directory (`.`).
 
 ### Branch References
 
-By default, actions pinned to branch refs (e.g., `@main`, `@release/v1`) are skipped to avoid changing intentionally floating references. Skipped entries are listed in the output. To include them in update checks, pass `--include-branches`.
+By default, actions pinned to branch refs (e.g., `@main`, `@release/v1`) are
+skipped to avoid changing intentionally floating references. Skipped entries are
+listed in the output. To include them in update checks, pass
+`--include-branches`.
 
 ### Update Mode
 
@@ -165,15 +196,17 @@ npx actions-up --mode minor
 npx actions-up --mode patch
 ```
 
-In `minor` and `patch` modes, Actions Up tries to find the newest compatible
-tag first (for example, from `@v4` in `minor` mode it will choose the latest
+In `minor` and `patch` modes, Actions Up tries to find the newest compatible tag
+first (for example, from `@v4` in `minor` mode it will choose the latest
 `v4.x.y`). If no compatible version exists, that action is skipped.
 
 ## GitHub Actions Integration
 
 ### Automated PR Checks
 
-You can integrate Actions Up into your CI/CD pipeline to automatically check for outdated actions on every pull request. This helps maintain security and ensures your team stays aware of available updates.
+You can integrate Actions Up into your CI/CD pipeline to automatically check for
+outdated actions on every pull request. This helps maintain security and ensures
+your team stays aware of available updates.
 
 <details>
 <summary>Create <code>.github/workflows/check-actions-updates.yml</code>.</summary>
@@ -213,69 +246,53 @@ jobs:
           echo "## GitHub Actions Update Check" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
 
-          # Initialize variables
-          HAS_UPDATES=false
-          UPDATE_COUNT=0
-
-          # Run actions-up and capture output
+          # Run actions-up and capture machine-readable output
           echo "Running actions-up to check for updates..."
-          actions-up --dry-run > actions-up-raw.txt 2>&1
+          actions-up --json > actions-up-report.json
 
-          # Parse the output to detect updates
-          if grep -q "→" actions-up-raw.txt; then
-            HAS_UPDATES=true
-            # Count the number of updates (lines with arrows)
-            UPDATE_COUNT=$(grep -c "→" actions-up-raw.txt || echo "0")
-          fi
+          UPDATE_COUNT=$(node -pe "JSON.parse(require('node:fs').readFileSync('actions-up-report.json', 'utf8')).summary.totalUpdates")
 
           # Create formatted output
-          if [ "$HAS_UPDATES" = true ]; then
+          if [ "$UPDATE_COUNT" -gt 0 ]; then
             echo "Found $UPDATE_COUNT GitHub Actions with available updates" >> $GITHUB_STEP_SUMMARY
             echo "" >> $GITHUB_STEP_SUMMARY
             echo "<details>" >> $GITHUB_STEP_SUMMARY
-            echo "<summary>Click to see details</summary>" >> $GITHUB_STEP_SUMMARY
+            echo "<summary>Click to see JSON report</summary>" >> $GITHUB_STEP_SUMMARY
             echo "" >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
-            cat actions-up-raw.txt >> $GITHUB_STEP_SUMMARY
+            echo '```json' >> $GITHUB_STEP_SUMMARY
+            cat actions-up-report.json >> $GITHUB_STEP_SUMMARY
             echo '```' >> $GITHUB_STEP_SUMMARY
             echo "</details>" >> $GITHUB_STEP_SUMMARY
 
             # Create detailed markdown report with better formatting
-            {
-              echo "## GitHub Actions Update Report"
-              echo ""
+            node --input-type=module <<'EOF'
+            import { readFileSync, writeFileSync } from 'node:fs'
+
+            let report = JSON.parse(readFileSync('actions-up-report.json', 'utf8'))
+            let lines = [
+              '## GitHub Actions Update Report',
+              '',
+              '### Summary',
+              `- **Updates available:** ${report.summary.totalUpdates}`,
+              '',
+              '### Updates',
+              '',
+            ]
+
+            for (let update of report.updates) {
+              let file = update.action.file ?? 'unknown'
+              let currentVersion = update.currentVersion ?? 'unknown'
+              let latestVersion = update.latestVersion ?? 'unknown'
+              lines.push(
+                `- \`${update.action.name}\` in \`${file}\`: \`${currentVersion}\` → \`${latestVersion}\``,
+              )
+            }
 
-              echo "### Summary"
-              echo "- **Updates available:** $UPDATE_COUNT"
-              echo ""
+            lines.push('')
+            lines.push('Run `npx actions-up` locally to review and apply updates.')
 
-              # See the raw output above for details.
-              echo "### How to Update"
-              echo ""
-              echo "Choose from several ways to update these actions:"
-              echo ""
-              echo "#### Option 1: Automatic Update (Recommended)"
-              echo '```bash'
-              echo "# Run this command locally in your repository"
-              echo "npx actions-up"
-              echo '```'
-              echo ""
-              echo "#### Option 2: Manual Update"
-              echo "1. Review each update in the table above"
-              echo "2. For breaking changes, click the Release Notes link to review changes"
-              echo "3. Edit the workflows and update the version numbers"
-              echo "4. Test the changes in your CI/CD pipeline"
-              echo ""
-              echo "---"
-              echo ""
-              echo "<details>"
-              echo "<summary>Raw actions-up output</summary>"
-              echo ""
-              echo '```'
-              cat actions-up-raw.txt
-              echo '```'
-              echo "</details>"
-            } > actions-up-report.md
+            writeFileSync('actions-up-report.md', lines.join('\n'))
+            EOF
 
             echo "has-updates=true" >> $GITHUB_OUTPUT
             echo "update-count=$UPDATE_COUNT" >> $GITHUB_OUTPUT
@@ -295,7 +312,9 @@ jobs:
           fi
 
       - name: Comment PR with updates
-        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
+        if:
+          github.event_name == 'pull_request' &&
+          github.event.pull_request.head.repo.full_name == github.repository
         uses: actions/github-script@v7
         with:
           script: |
@@ -433,7 +452,8 @@ jobs:
 
 ### GitHub Token
 
-Use `GITHUB_TOKEN` (or a PAT) to raise API rate limits from 60 to 5000 requests/hour.
+Use `GITHUB_TOKEN` (or a PAT) to raise API rate limits from 60 to 5000
+requests/hour.
 
 ```bash
 GITHUB_TOKEN=your_token_here npx actions-up
@@ -445,7 +465,7 @@ Or in GitHub Actions:
 - name: Check for updates
   env:
     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  run: npx actions-up --dry-run
+  run: npx actions-up --json
 ```
 
 ### Skipping Updates
@@ -479,14 +499,17 @@ Ignore comments (file/block/next-line/inline):
 
 Interactive CLI for developers who want control over GitHub Actions updates.
 
-- **vs. Dependabot/Renovate:** Dependabot and Renovate update via pull requests; Actions Up is an interactive CLI with explicit SHA pinning.
-- **vs. pinact:** pinact is a CLI to pin and update Actions and reusable workflows; Actions Up adds interactive selection and major update warnings.
+- **vs. Dependabot/Renovate:** Dependabot and Renovate update via pull requests;
+  Actions Up is an interactive CLI with explicit SHA pinning.
+- **vs. pinact:** pinact is a CLI to pin and update Actions and reusable
+  workflows; Actions Up adds interactive selection and major update warnings.
 - **Zero-config:** `npx actions-up` runs immediately.
 - **Breaking change warnings:** Major updates are flagged before applying.
 
 ## Contributing
 
-See [Contributing Guide](https://github.com/azat-io/actions-up/blob/main/contributing.md).
+See
+[Contributing Guide](https://github.com/azat-io/actions-up/blob/main/contributing.md).
 
 ## License