actions-up 1.13.0 → 1.14.0

package/dist/core/interactive/prompt-update-selection.js

@@ -9,55 +9,55 @@ import "node:worker_threads";
 import pc from "picocolors";
 import enquirer from "enquirer";
 var MIN_ACTION_WIDTH = 40, MIN_JOB_WIDTH = 4, MIN_CURRENT_WIDTH = 16, MAX_VERSION_WIDTH = 7;
-async function promptUpdateSelection(g, v = {}) {
-	let { showAge: y = !1 } = v;
-	if (g.length === 0) return null;
-	let b = g.filter((t) => t.hasUpdate);
-	if (b.length === 0) return console.info(pc.green("✓ All actions are up to date!")), null;
-	let x = /* @__PURE__ */ new Map();
-	for (let [t, i] of b.entries()) {
-		let o = i.action.file ?? "unknown file", s = path.relative(path.join(process.cwd(), GITHUB_DIRECTORY), o);
-		s === "" && (s = o);
-		let c = x.get(s) ?? [];
-		c.push({
-			update: i,
-			index: t
-		}), x.set(s, c);
+async function promptUpdateSelection(b, S = {}) {
+	let { showAge: C = !1 } = S;
+	if (b.length === 0) return null;
+	let w = b.filter((e) => e.hasUpdate);
+	if (w.length === 0) return console.info(pc.green("✓ All actions are up to date!")), null;
+	let T = /* @__PURE__ */ new Map();
+	for (let [e, c] of w.entries()) {
+		let u = c.action.file ?? "unknown file", d = path.relative(path.join(process.cwd(), GITHUB_DIRECTORY), u);
+		d === "" && (d = u);
+		let f = T.get(d) ?? [];
+		f.push({
+			update: c,
+			index: e
+		}), T.set(d, f);
 	}
-	let S = await Promise.all(b.map(async (i) => {
-		let a = formatVersionOrSha(i.currentVersion), s = i.currentVersion ?? void 0, c = null, l = null;
-		if (!i.currentVersion || !isSha(i.currentVersion)) return {
-			versionForPadding: c,
-			effectiveForDiff: s,
-			shortSha: l,
-			display: a
+	let E = await Promise.all(w.map(async (c) => {
+		let l = formatVersionOrSha(c.currentVersion), d = c.currentVersion ?? void 0, f = null, p = null;
+		if (!c.currentVersion || !isSha(c.currentVersion)) return {
+			versionForPadding: f,
+			effectiveForDiff: d,
+			shortSha: p,
+			display: l
 		};
-		let u = await readInlineVersionComment(i.action.file, i.action.line);
-		return u && (l = i.currentVersion.slice(0, 7), c = formatVersionOrSha(u), a = c, s = u), {
-			versionForPadding: c,
-			effectiveForDiff: s,
-			shortSha: l,
-			display: a
+		let m = await readInlineVersionComment(c.action.file, c.action.line);
+		return m && (p = c.currentVersion.slice(0, 7), f = formatVersionOrSha(m), l = f, d = m), {
+			versionForPadding: f,
+			effectiveForDiff: d,
+			shortSha: p,
+			display: l
 		};
-	})), C = [], w = stripAnsi("Action").length, T = stripAnsi("Current").length, E = stripAnsi("Job").length, D = 0, O = !1;
-	for (let [t, a] of b.entries()) {
-		let o = a.action.name, l = S[t], d = l.display, f = a.action.job ?? "–";
-		if (w = Math.max(w, o.length), T = Math.max(T, stripAnsi(d).length, l.versionForPadding && l.shortSha ? stripAnsi(`${padString(l.versionForPadding, D + 1)}${pc.gray(`(${l.shortSha})`)}`).length : 0), E = Math.max(E, f.length), a.latestVersion) {
-			let o = formatVersion(a.latestVersion, S[t]?.effectiveForDiff ?? a.currentVersion);
-			D = Math.max(D, stripAnsi(o).length);
+	})), D = [], O = stripAnsi("Action").length, k = stripAnsi("Current").length, A = stripAnsi("Job").length, j = 0, M = !1;
+	for (let [e, l] of w.entries()) {
+		let u = l.action.name, p = E[e], h = p.display, g = l.action.job ?? "–";
+		if (O = Math.max(O, u.length), k = Math.max(k, stripAnsi(h).length, p.versionForPadding && p.shortSha ? stripAnsi(`${padString(p.versionForPadding, j + 1)}${pc.gray(`(${p.shortSha})`)}`).length : 0), A = Math.max(A, g.length), l.latestVersion) {
+			let u = formatVersion(l.targetRefStyle === "tag" && l.targetRef ? l.targetRef : l.latestVersion, E[e]?.effectiveForDiff ?? l.currentVersion);
+			j = Math.max(j, stripAnsi(u).length);
 		}
-		let p = S[t]?.versionForPadding;
-		p && (D = Math.max(D, stripAnsi(p).length)), a.publishedAt && (O = !0);
+		let _ = E[e]?.versionForPadding;
+		_ && (j = Math.max(j, stripAnsi(_).length)), l.publishedAt && (M = !0);
 	}
-	let k = Math.max(w, MIN_ACTION_WIDTH), A = Math.max(T, MIN_CURRENT_WIDTH), j = Math.max(E, MIN_JOB_WIDTH), M = Math.min(D, MAX_VERSION_WIDTH), N = M + 1 + 9, P = y && O ? 6 : 0, F = [...x.keys()].toSorted();
-	for (let [t, a] of F.entries()) {
-		let o = x.get(a);
-		if (!o) {
-			console.warn(`Unexpected missing group for file: ${a}`);
+	let N = Math.max(O, MIN_ACTION_WIDTH), P = Math.max(k, MIN_CURRENT_WIDTH), F = Math.max(A, MIN_JOB_WIDTH), I = Math.min(j, MAX_VERSION_WIDTH), L = I + 1 + 9, R = C && M ? 6 : 0, z = [...T.keys()].toSorted();
+	for (let [e, l] of z.entries()) {
+		let u = T.get(l);
+		if (!u) {
+			console.warn(`Unexpected missing group for file: ${l}`);
 			continue;
 		}
-		let s = [], l = o;
-		s.push({
+		let d = [], p = u;
+		d.push({
 			current: "Current",
 			action: "Action",
 			target: "Target",
@@ -65,74 +65,74 @@ async function promptUpdateSelection(g, v = {}) {
 			job: "Job",
 			age: "Age"
 		});
-		for (let { update: t, index: a } of l) {
-			let o = !!t.latestSha, l = S[a], d = l.display;
-			l.versionForPadding && l.shortSha && (d = `${padString(l.versionForPadding, M + 1)}${pc.gray(`(${l.shortSha})`)}`);
-			let f = l.effectiveForDiff ?? t.currentVersion, p = formatVersion(t.latestVersion, f), m = t.action.name;
-			if (t.latestSha) {
-				let i = t.latestSha.slice(0, 7);
-				p = `${padString(p, M + 1)}${pc.gray(`(${i})`)}`;
+		for (let { update: e, index: l } of p) {
+			let u = hasResolvedTarget(e), p = E[l], h = p.display;
+			p.versionForPadding && p.shortSha && (h = `${padString(p.versionForPadding, I + 1)}${pc.gray(`(${p.shortSha})`)}`);
+			let g = p.effectiveForDiff ?? e.currentVersion, _ = formatVersion(getTargetVersion(e), g), v = e.action.name;
+			if (getResolvedTargetStyle(e) === "sha" && getResolvedTarget(e)) {
+				let c = getResolvedTarget(e).slice(0, 7);
+				_ = `${padString(_, I + 1)}${pc.gray(`(${c})`)}`;
 			}
-			o || (p = pc.gray(p), d = pc.gray(d), m = pc.gray(m));
-			let h = t.action.job ?? "–", g = formatAge(t.publishedAt);
-			s.push({
-				job: o ? h : pc.gray(h),
-				age: o ? g : pc.gray(g),
-				action: m,
-				target: p,
+			u || (_ = pc.gray(_), h = pc.gray(h), v = pc.gray(v));
+			let y = e.action.job ?? "–", b = formatAge(e.publishedAt);
+			d.push({
+				job: u ? y : pc.gray(y),
+				age: u ? b : pc.gray(b),
+				action: v,
+				target: _,
 				arrow: "❯",
-				current: d
+				current: h
 			});
 		}
-		let d = Math.max(k, MIN_ACTION_WIDTH), h = Math.max(A, MIN_CURRENT_WIDTH), g = Math.max(j, MIN_JOB_WIDTH), _ = [];
-		for (let [t, i] of s.entries()) {
-			let a = t === 0, o = formatTableRow({
-				targetWidth: N,
-				currentWidth: h,
-				actionWidth: d,
-				ageWidth: P,
-				jobWidth: g,
-				row: i
+		let h = Math.max(N, MIN_ACTION_WIDTH), y = Math.max(P, MIN_CURRENT_WIDTH), b = Math.max(F, MIN_JOB_WIDTH), x = [];
+		for (let [e, c] of d.entries()) {
+			let l = e === 0, u = formatTableRow({
+				targetWidth: L,
+				currentWidth: y,
+				actionWidth: h,
+				ageWidth: R,
+				jobWidth: b,
+				row: c
 			});
-			if (a) _.push({
-				message: pc.gray(` ○ ${o}`),
+			if (l) x.push({
+				message: pc.gray(` ○ ${u}`),
 				role: "separator",
 				indent: "",
 				name: ""
 			});
 			else {
-				let { update: i, index: a } = l[t - 1], s = !!i.latestSha, c = s && !i.isBreaking;
-				_.push({
-					message: o,
-					value: String(a),
-					name: String(a),
-					disabled: !s,
+				let { update: c, index: l } = p[e - 1], d = hasResolvedTarget(c), f = d && !c.isBreaking;
+				x.push({
+					message: u,
+					value: String(l),
+					disabled: !d,
+					name: String(l),
 					indent: "",
-					enabled: c
+					enabled: f
 				});
 			}
 		}
-		C.push({
-			message: pc.gray(a),
-			value: `label|${a}`,
-			choices: _,
-			name: `label|${a}`,
+		D.push({
+			message: pc.gray(l),
+			value: `label|${l}`,
+			choices: x,
+			name: `label|${l}`,
 			isGroupLabel: !0,
 			enabled: !1
-		}), t < F.length - 1 && C.push({
+		}), e < z.length - 1 && D.push({
 			role: "separator",
 			message: " ",
 			name: ""
 		});
 	}
 	try {
-		let t = {
-			indicator(t, i) {
-				if (i.isGroupLabel) {
-					let t = (i.choices ?? []).filter((t) => !("role" in t)), a = t.length, o = t.filter((t) => !!t.enabled).length === a ? "●" : "○";
-					return ` ${pc.gray(o)}`;
+		let e = {
+			indicator(e, c) {
+				if (c.isGroupLabel) {
+					let e = (c.choices ?? []).filter((e) => !("role" in e)), l = e.length, u = e.filter((e) => !!e.enabled).length === l ? "●" : "○";
+					return ` ${pc.gray(u)}`;
 				}
-				return `   ${i.enabled ? "●" : "○"}`;
+				return `   ${c.enabled ? "●" : "○"}`;
 			},
 			message: `Choose which actions to update (Press ${pc.cyan("<space>")} to select, ${pc.cyan("<a>")} to toggle all, ${pc.cyan("<i>")} to invert selection)`,
 			styles: {
@@ -153,44 +153,56 @@ async function promptUpdateSelection(g, v = {}) {
 			type: "multiselect",
 			name: "selected",
 			pointer: "❯",
-			choices: C
-		}, { selected: i } = await enquirer.prompt(t), a = /* @__PURE__ */ new Set();
-		for (let t of i) {
-			if (t.startsWith("label|")) {
-				let i = t.slice(6), o = x.get(i) ?? [];
-				for (let { update: t, index: i } of o) t.latestSha && a.add(i);
+			choices: D
+		}, { selected: c } = await enquirer.prompt(e), l = /* @__PURE__ */ new Set();
+		for (let e of c) {
+			if (e.startsWith("label|")) {
+				let c = e.slice(6), u = T.get(c) ?? [];
+				for (let { update: e, index: c } of u) hasResolvedTarget(e) && l.add(c);
 				continue;
 			}
-			let i = Number.parseInt(t, 10);
-			Number.isFinite(i) && a.add(i);
+			let c = Number.parseInt(e, 10);
+			Number.isFinite(c) && l.add(c);
 		}
-		let o = [];
-		for (let [t, i] of b.entries()) a.has(t) && i.latestSha && o.push(i);
-		return o.length === 0 ? (console.info(pc.yellow("\nNo actions selected")), null) : o;
-	} catch (t) {
-		if (t instanceof Error && (t.message.includes("cancelled") || t.message.includes("ESC") || t.name === "ExitPromptError")) return logSelectionCancelled(), null;
-		throw console.error(pc.red("Unexpected error during selection:"), t), t;
+		let u = [];
+		for (let [e, c] of w.entries()) l.has(e) && hasResolvedTarget(c) && u.push(c);
+		return u.length === 0 ? (console.info(pc.yellow("\nNo actions selected")), null) : u;
+	} catch (e) {
+		if (e instanceof Error && (e.message.includes("cancelled") || e.message.includes("ESC") || e.name === "ExitPromptError")) return logSelectionCancelled(), null;
+		throw console.error(pc.red("Unexpected error during selection:"), e), e;
 	}
 }
-function formatAge(t) {
-	if (!t) return "";
-	let i = Date.now() - t.getTime(), a = Math.floor(i / (1e3 * 60 * 60)), o = Math.floor(a / 24), s = Math.floor(o / 7), c = o % 7;
-	return s >= 1 ? c > 0 ? `${s}w ${c}d` : `${s}w` : o >= 1 ? `${o}d` : `${a}h`;
+function formatAge(e) {
+	if (!e) return "";
+	let c = Date.now() - e.getTime(), l = Math.floor(c / (1e3 * 60 * 60)), u = Math.floor(l / 24), d = Math.floor(u / 7), f = u % 7;
+	return d >= 1 ? f > 0 ? `${d}w ${f}d` : `${d}w` : u >= 1 ? `${u}d` : `${l}h`;
 }
-function formatTableRow(t) {
-	let { currentWidth: i, actionWidth: a, targetWidth: o, jobWidth: s, ageWidth: l, row: u } = t, d = [
-		padString(u.action, a),
-		padString(u.job, s),
-		padString(u.current, i),
-		u.arrow,
-		padString(u.target, o)
+function formatTableRow(e) {
+	let { currentWidth: c, actionWidth: l, targetWidth: u, jobWidth: d, ageWidth: p, row: m } = e, h = [
+		padString(m.action, l),
+		padString(m.job, d),
+		padString(m.current, c),
+		m.arrow,
+		padString(m.target, u)
 	];
-	return l > 0 && d.push(u.age), d.join("  ").replace(/\s+$/u, "");
+	return p > 0 && h.push(m.age), h.join("  ").replace(/\s+$/u, "");
 }
-function formatVersionOrSha(t) {
-	return t ? isSha(t) ? t.slice(0, 7) : t.replace(/^v/u, "") : pc.gray("unknown");
+function formatVersionOrSha(e) {
+	return e ? isSha(e) ? e.slice(0, 7) : e.replace(/^v/u, "") : pc.gray("unknown");
+}
+function getTargetVersion(e) {
+	return getResolvedTargetStyle(e) === "tag" && getResolvedTarget(e) ? getResolvedTarget(e) : e.latestVersion;
+}
+function getResolvedTargetStyle(e) {
+	return e.targetRefStyle ? e.targetRefStyle : e.latestSha ? "sha" : null;
+}
+function getResolvedTarget(e) {
+	return e.targetRef ? e.targetRef : e.latestSha;
 }
 function logSelectionCancelled() {
 	console.info(`\r\u001B[K${pc.yellow("Selection cancelled")}`);
 }
+function hasResolvedTarget(e) {
+	return !!getResolvedTarget(e);
+}
 export { promptUpdateSelection };

package/dist/core/updates/resolve-target-reference.d.ts

@@ -0,0 +1,10 @@
+import { ActionUpdate } from '../../types/action-update';
+import { UpdateStyle } from '../../types/update-style';
+/**
+ * Resolve the final reference that should be written back to the workflow.
+ *
+ * @param update - Update entry enriched with lookup data.
+ * @param style - Effective update style.
+ * @returns Update entry with resolved target reference fields.
+ */
+export declare function resolveTargetReference(update: ActionUpdate, style: UpdateStyle): ActionUpdate;

package/dist/core/updates/resolve-target-reference.js

@@ -0,0 +1,24 @@
+function resolveTargetReference(e, t) {
+	return e.hasUpdate ? t === "sha" || e.currentRefType === "sha" ? e.latestSha ? {
+		...e,
+		targetRef: e.latestSha,
+		targetRefStyle: "sha"
+	} : {
+		...e,
+		targetRefStyle: null,
+		targetRef: null
+	} : e.currentRefType === "tag" && e.latestVersion ? {
+		...e,
+		targetRef: e.latestVersion,
+		targetRefStyle: "tag"
+	} : {
+		...e,
+		targetRefStyle: null,
+		targetRef: null
+	} : {
+		...e,
+		targetRefStyle: null,
+		targetRef: null
+	};
+}
+export { resolveTargetReference };

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.13.0";
+const version = "1.14.0";
 export { version };

package/dist/types/action-update.d.ts

@@ -6,7 +6,17 @@ export interface ActionUpdate {
   /**
    * Reason for skipping the update check.
    */
-  skipReason?: 'unknown' | 'branch'
+  skipReason?: 'unsupported-style' | 'unknown' | 'branch'
+
+  /**
+   * Detected style of the current reference in the source file.
+   */
+  currentRefType?: 'unknown' | 'branch' | 'sha' | 'tag'
+
+  /**
+   * Style of the final reference that should be written back to the file.
+   */
+  targetRefStyle?: 'sha' | 'tag' | null
 
   /**
    * Current version string.
@@ -23,6 +33,11 @@ export interface ActionUpdate {
    */
   status?: 'skipped' | 'ok'
 
+  /**
+   * Final reference that should be written back to the file.
+   */
+  targetRef?: string | null
+
   /**
    * SHA hash of the latest version.
    */

package/dist/types/update-style.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Strategy used when writing updated action references back to workflow files.
+ */
+export type UpdateStyle = 'preserve' | 'sha'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "actions-up",
-  "version": "1.13.0",
-  "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
+  "version": "1.14.0",
+  "description": "Interactive CLI tool to update GitHub Actions with SHA pinning or preserved refs",
   "keywords": [
     "github-actions",
     "actions",

package/readme.md

@@ -16,7 +16,7 @@ Actions Up scans your workflows and composite actions to discover every
 referenced GitHub Action, then checks for newer releases.
 
 Interactively upgrade and pin actions to exact commit SHAs for secure,
-reproducible CI and low-friction maintenance.
+reproducible CI, or preserve tag-style references when you need to stay on tags.
 
 ## Features
 
@@ -25,8 +25,8 @@ reproducible CI and low-friction maintenance.
   `action.yml`/`action.yaml`)
 - **Reusable Workflows**: Detects and updates reusable workflow calls at the job
   level
-- **SHA pinning**: Updates actions to use commit SHA instead of tags for better
-  security
+- **Flexible update styles**: Use SHA pinning by default, or preserve tag-style
+  references with `--style preserve`
 - **Batch Updates**: Update multiple actions at once
 - **Interactive Selection**: Choose which actions to update
 - **Breaking Changes Detection**: Warns about major version updates
@@ -124,7 +124,7 @@ This will:
    plus root `action.yml`/`action.yaml`
 2. Check for available updates
 3. Show an interactive list to select updates
-4. Apply selected updates with SHA pinning
+4. Apply selected updates with SHA pinning by default
 
 ### Auto-Update Mode
 
@@ -200,6 +200,24 @@ In `minor` and `patch` modes, Actions Up tries to find the newest compatible tag
 first (for example, from `@v4` in `minor` mode it will choose the latest
 `v4.x.y`). If no compatible version exists, that action is skipped.
 
+### Update Style
+
+By default, Actions Up writes updates as pinned SHAs:
+
+```bash
+npx actions-up --style sha
+```
+
+Use `--style preserve` to keep the current reference style:
+
+```bash
+npx actions-up --style preserve
+```
+
+`preserve` keeps tag references on tags and SHA references on SHAs. For example,
+`actions/checkout@v5` updates to `actions/checkout@v6.0.2`, while a SHA-pinned
+action continues updating to the latest resolved SHA.
+
 ## GitHub Actions Integration
 
 ### Automated PR Checks
@@ -500,7 +518,8 @@ Ignore comments (file/block/next-line/inline):
 Interactive CLI for developers who want control over GitHub Actions updates.
 
 - **vs. Dependabot/Renovate:** Dependabot and Renovate update via pull requests;
-  Actions Up is an interactive CLI with explicit SHA pinning.
+  Actions Up is an interactive CLI with explicit SHA pinning by default and an
+  opt-in preserve mode for tag users.
 - **vs. pinact:** pinact is a CLI to pin and update Actions and reusable
   workflows; Actions Up adds interactive selection and major update warnings.
 - **Zero-config:** `npx actions-up` runs immediately.