actions-up 1.12.1 → 1.14.0

package/readme.md

@@ -16,7 +16,7 @@ Actions Up scans your workflows and composite actions to discover every
 referenced GitHub Action, then checks for newer releases.
 
 Interactively upgrade and pin actions to exact commit SHAs for secure,
-reproducible CI and low-friction maintenance.
+reproducible CI, or preserve tag-style references when you need to stay on tags.
 
 ## Features
 
@@ -25,8 +25,8 @@ reproducible CI and low-friction maintenance.
   `action.yml`/`action.yaml`)
 - **Reusable Workflows**: Detects and updates reusable workflow calls at the job
   level
-- **SHA pinning**: Updates actions to use commit SHA instead of tags for better
-  security
+- **Flexible update styles**: Use SHA pinning by default, or preserve tag-style
+  references with `--style preserve`
 - **Batch Updates**: Update multiple actions at once
 - **Interactive Selection**: Choose which actions to update
 - **Breaking Changes Detection**: Warns about major version updates
@@ -124,7 +124,7 @@ This will:
    plus root `action.yml`/`action.yaml`
 2. Check for available updates
 3. Show an interactive list to select updates
-4. Apply selected updates with SHA pinning
+4. Apply selected updates with SHA pinning by default
 
 ### Auto-Update Mode
 
@@ -144,6 +144,17 @@ Check for updates without making any changes:
 npx actions-up --dry-run
 ```
 
+### JSON Mode
+
+Output a machine-readable JSON report instead of the interactive UI:
+
+```bash
+npx actions-up --json
+```
+
+`--json` is report-only: it never writes files, skips the interactive prompt,
+and cannot be combined with `--yes`.
+
 ### Custom Directory
 
 By default, Actions Up scans `.github`.
@@ -189,6 +200,24 @@ In `minor` and `patch` modes, Actions Up tries to find the newest compatible tag
 first (for example, from `@v4` in `minor` mode it will choose the latest
 `v4.x.y`). If no compatible version exists, that action is skipped.
 
+### Update Style
+
+By default, Actions Up writes updates as pinned SHAs:
+
+```bash
+npx actions-up --style sha
+```
+
+Use `--style preserve` to keep the current reference style:
+
+```bash
+npx actions-up --style preserve
+```
+
+`preserve` keeps tag references on tags and SHA references on SHAs. For example,
+`actions/checkout@v5` updates to `actions/checkout@v6.0.2`, while a SHA-pinned
+action continues updating to the latest resolved SHA.
+
 ## GitHub Actions Integration
 
 ### Automated PR Checks
@@ -235,69 +264,53 @@ jobs:
           echo "## GitHub Actions Update Check" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
 
-          # Initialize variables
-          HAS_UPDATES=false
-          UPDATE_COUNT=0
-
-          # Run actions-up and capture output
+          # Run actions-up and capture machine-readable output
           echo "Running actions-up to check for updates..."
-          actions-up --dry-run > actions-up-raw.txt 2>&1
+          actions-up --json > actions-up-report.json
 
-          # Parse the output to detect updates
-          if grep -q "→" actions-up-raw.txt; then
-            HAS_UPDATES=true
-            # Count the number of updates (lines with arrows)
-            UPDATE_COUNT=$(grep -c "→" actions-up-raw.txt || echo "0")
-          fi
+          UPDATE_COUNT=$(node -pe "JSON.parse(require('node:fs').readFileSync('actions-up-report.json', 'utf8')).summary.totalUpdates")
 
           # Create formatted output
-          if [ "$HAS_UPDATES" = true ]; then
+          if [ "$UPDATE_COUNT" -gt 0 ]; then
             echo "Found $UPDATE_COUNT GitHub Actions with available updates" >> $GITHUB_STEP_SUMMARY
             echo "" >> $GITHUB_STEP_SUMMARY
             echo "<details>" >> $GITHUB_STEP_SUMMARY
-            echo "<summary>Click to see details</summary>" >> $GITHUB_STEP_SUMMARY
+            echo "<summary>Click to see JSON report</summary>" >> $GITHUB_STEP_SUMMARY
             echo "" >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
-            cat actions-up-raw.txt >> $GITHUB_STEP_SUMMARY
+            echo '```json' >> $GITHUB_STEP_SUMMARY
+            cat actions-up-report.json >> $GITHUB_STEP_SUMMARY
             echo '```' >> $GITHUB_STEP_SUMMARY
             echo "</details>" >> $GITHUB_STEP_SUMMARY
 
             # Create detailed markdown report with better formatting
-            {
-              echo "## GitHub Actions Update Report"
-              echo ""
+            node --input-type=module <<'EOF'
+            import { readFileSync, writeFileSync } from 'node:fs'
+
+            let report = JSON.parse(readFileSync('actions-up-report.json', 'utf8'))
+            let lines = [
+              '## GitHub Actions Update Report',
+              '',
+              '### Summary',
+              `- **Updates available:** ${report.summary.totalUpdates}`,
+              '',
+              '### Updates',
+              '',
+            ]
+
+            for (let update of report.updates) {
+              let file = update.action.file ?? 'unknown'
+              let currentVersion = update.currentVersion ?? 'unknown'
+              let latestVersion = update.latestVersion ?? 'unknown'
+              lines.push(
+                `- \`${update.action.name}\` in \`${file}\`: \`${currentVersion}\` → \`${latestVersion}\``,
+              )
+            }
 
-              echo "### Summary"
-              echo "- **Updates available:** $UPDATE_COUNT"
-              echo ""
+            lines.push('')
+            lines.push('Run `npx actions-up` locally to review and apply updates.')
 
-              # See the raw output above for details.
-              echo "### How to Update"
-              echo ""
-              echo "Choose from several ways to update these actions:"
-              echo ""
-              echo "#### Option 1: Automatic Update (Recommended)"
-              echo '```bash'
-              echo "# Run this command locally in your repository"
-              echo "npx actions-up"
-              echo '```'
-              echo ""
-              echo "#### Option 2: Manual Update"
-              echo "1. Review each update in the table above"
-              echo "2. For breaking changes, click the Release Notes link to review changes"
-              echo "3. Edit the workflows and update the version numbers"
-              echo "4. Test the changes in your CI/CD pipeline"
-              echo ""
-              echo "---"
-              echo ""
-              echo "<details>"
-              echo "<summary>Raw actions-up output</summary>"
-              echo ""
-              echo '```'
-              cat actions-up-raw.txt
-              echo '```'
-              echo "</details>"
-            } > actions-up-report.md
+            writeFileSync('actions-up-report.md', lines.join('\n'))
+            EOF
 
             echo "has-updates=true" >> $GITHUB_OUTPUT
             echo "update-count=$UPDATE_COUNT" >> $GITHUB_OUTPUT
@@ -470,7 +483,7 @@ Or in GitHub Actions:
 - name: Check for updates
   env:
     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  run: npx actions-up --dry-run
+  run: npx actions-up --json
 ```
 
 ### Skipping Updates
@@ -505,7 +518,8 @@ Ignore comments (file/block/next-line/inline):
 Interactive CLI for developers who want control over GitHub Actions updates.
 
 - **vs. Dependabot/Renovate:** Dependabot and Renovate update via pull requests;
-  Actions Up is an interactive CLI with explicit SHA pinning.
+  Actions Up is an interactive CLI with explicit SHA pinning by default and an
+  opt-in preserve mode for tag users.
 - **vs. pinact:** pinact is a CLI to pin and update Actions and reusable
   workflows; Actions Up adds interactive selection and major update warnings.
 - **Zero-config:** `npx actions-up` runs immediately.