actions-up 1.2.0 → 1.3.0

package/dist/core/interactive/format-version.js

@@ -1,5 +1,36 @@
 import pc from "picocolors";
-function formatVersion(version) {
-	return version ?? pc.gray("unknown");
+import semver from "semver";
+function formatVersion(latestVersion, currentVersion) {
+	if (!latestVersion) return pc.gray("unknown");
+	let latest = semver.parse(latestVersion);
+	let current = currentVersion ? semver.parse(normalizeVersion(currentVersion)) : null;
+	if (!current || !latest) return latestVersion;
+	let change = semver.diff(normalizeVersion(currentVersion), latestVersion);
+	let unstable = current.major === 0;
+	let changeColor = unstable ? pc.yellowBright : pc.gray;
+	let parts = [
+		latest.major,
+		latest.minor,
+		latest.patch
+	];
+	let colors = parts.map((_, i) => {
+		if (change === "major") return pc.redBright;
+		if (change === "minor" && i >= 1) return changeColor;
+		if (change === "patch" && i === 2) return changeColor;
+		return identity;
+	});
+	let result = colors[0](String(parts[0]));
+	if (parts[1] !== void 0) result += colors[0](".") + colors[1](String(parts[1]));
+	if (parts[2] !== void 0) result += colors[1](".") + colors[2](String(parts[2]));
+	return result;
+}
+function normalizeVersion(version) {
+	let cleaned = version.replace(/^v/u, "");
+	let parts = cleaned.split(".");
+	while (parts.length < 3) parts.push("0");
+	return parts.slice(0, 3).join(".");
+}
+function identity(string) {
+	return string;
 }
 export { formatVersion };

package/dist/core/interactive/prompt-update-selection.js

@@ -4,10 +4,11 @@ import { stripAnsi } from "./strip-ansi.js";
 import { padString } from "./pad-string.js";
 import "node:worker_threads";
 import pc from "picocolors";
+import { readFile } from "node:fs/promises";
 import enquirer from "enquirer";
 import path from "node:path";
 const MIN_ACTION_WIDTH = 56;
-const MIN_CURRENT_WIDTH = 10;
+const MIN_CURRENT_WIDTH = 16;
 async function promptUpdateSelection(updates) {
 	if (updates.length === 0) return null;
 	let outdated = updates.filter((update) => update.hasUpdate);
@@ -27,14 +28,33 @@ async function promptUpdateSelection(updates) {
 		});
 		groups.set(file, group);
 	}
+	let currentComputedByIndex = await Promise.all(outdated.map(async (update) => {
+		let display = formatVersionOrSha(update.currentVersion);
+		let effectiveForDiff = update.currentVersion ?? void 0;
+		if (!update.currentVersion || !isSha(update.currentVersion)) return {
+			effectiveForDiff,
+			display
+		};
+		let versionFromComment = await tryReadInlineVersionComment(update.action.file, update.action.line);
+		if (versionFromComment) {
+			let shortSha = update.currentVersion.slice(0, 7);
+			let version = formatVersionOrSha(versionFromComment);
+			display = `${version} ${pc.gray(`(${shortSha})`)}`;
+			effectiveForDiff = versionFromComment;
+		}
+		return {
+			effectiveForDiff,
+			display
+		};
+	}));
 	let choices = [];
 	let maxActionLength = stripAnsi("Action").length;
 	let maxCurrentLength = stripAnsi("Current").length;
-	for (let update of outdated) {
+	for (let [index, update] of outdated.entries()) {
 		let actionNameRaw = update.action.name;
-		let currentRaw = formatVersionOrSha(update.currentVersion);
+		let currentRaw = currentComputedByIndex[index].display;
 		maxActionLength = Math.max(maxActionLength, actionNameRaw.length);
-		maxCurrentLength = Math.max(maxCurrentLength, currentRaw.length);
+		maxCurrentLength = Math.max(maxCurrentLength, stripAnsi(currentRaw).length);
 	}
 	let globalActionWidth = Math.max(maxActionLength, MIN_ACTION_WIDTH);
 	let globalCurrentWidth = Math.max(maxCurrentLength, MIN_CURRENT_WIDTH);
@@ -53,10 +73,11 @@ async function promptUpdateSelection(updates) {
 			target: "Target",
 			arrow: "❯"
 		});
-		for (let { update } of groupOrder) {
+		for (let { update, index } of groupOrder) {
 			let hasSha = Boolean(update.latestSha);
-			let current = formatVersionOrSha(update.currentVersion);
-			let latest = formatVersion(update.latestVersion);
+			let current = currentComputedByIndex[index].display;
+			let effectiveCurrentForDiff = currentComputedByIndex[index]?.effectiveForDiff ?? update.currentVersion;
+			let latest = formatVersion(update.latestVersion, effectiveCurrentForDiff);
 			let actionName = update.action.name;
 			if (update.latestSha) {
 				let shortSha = update.latestSha.slice(0, 7);
@@ -180,6 +201,19 @@ async function promptUpdateSelection(updates) {
 		throw error;
 	}
 }
+async function tryReadInlineVersionComment(filePath, lineNumber) {
+	try {
+		if (!filePath || !lineNumber || lineNumber <= 0) return null;
+		let content = await readFile(filePath, "utf8");
+		let lines = content.split("\n");
+		let index = lineNumber - 1;
+		if (index < 0 || index >= lines.length) return null;
+		let line = lines[index];
+		let match = line.match(/#\s*(?<version>[Vv]?\d+(?:\.\d+){0,2}(?:[+-][\w\-.]+)?)/u);
+		if (match?.groups?.["version"]) return match.groups["version"];
+	} catch {}
+	return null;
+}
 function formatTableRow(row, actionWidth, currentWidth) {
 	let parts = [
 		padString(row.action, actionWidth),
@@ -198,6 +232,6 @@ function isSha(value) {
 function formatVersionOrSha(version) {
 	if (!version) return pc.gray("unknown");
 	if (isSha(version)) return version.slice(0, 7);
-	return version;
+	return version.replace(/^v/u, "");
 }
 export { promptUpdateSelection };

package/dist/core/scan-github-actions.js

@@ -2,8 +2,8 @@ import { ACTIONS_DIRECTORY, GITHUB_DIRECTORY, WORKFLOWS_DIRECTORY } from "./cons
 import { scanWorkflowFile } from "./scan-workflow-file.js";
 import { scanActionFile } from "./scan-action-file.js";
 import { isYamlFile } from "./fs/is-yaml-file.js";
-import { isAbsolute, join, relative, resolve } from "node:path";
 import { readFile, readdir, stat } from "node:fs/promises";
+import { isAbsolute, join, relative, resolve } from "node:path";
 async function scanGitHubActions(rootPath = process.cwd()) {
 	let result = {
 		compositeActions: /* @__PURE__ */ new Map(),

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.2.0";
+const version = "1.3.0";
 export { version };

package/dist/types/github-client-context.d.ts

@@ -0,0 +1,32 @@
+import { TagInfo } from './tag-info';
+/**
+ * Internal client context shared by all API functions.
+ *
+ * Stores auth, rate-limit state, base URL and in-memory caches to decrease the
+ * number of API requests during a single run.
+ */
+export interface GitHubClientContext {
+  /** Lightweight caches keyed by owner/repo (+ extra payload). */
+  caches: {
+    /** Cache of reference type detections (branch/tag/null). */
+    refType: Map<string, 'branch' | 'tag' | null>
+
+    /** Cache of resolved tag metadata (message/date/SHA). */
+    tagInfo: Map<string, TagInfo | null>
+
+    /** Cache of resolved tag commit SHAs. */
+    tagSha: Map<string, string | null>
+  }
+
+  /** Remaining requests available per current rate-limit window. */
+  rateLimitRemaining: number
+
+  /** GitHub token, if available. */
+  token: undefined | string
+
+  /** Scheduled time when rate limit resets. */
+  rateLimitReset: Date
+
+  /** GitHub REST API base URL. */
+  baseUrl: string
+}

package/dist/types/github-client.d.ts

@@ -0,0 +1,42 @@
+import { ReleaseInfo } from './release-info';
+import { TagInfo } from './tag-info';
+/**
+ * Public API surface for interacting with GitHub from Actions Up.
+ *
+ * Methods are thin wrappers around lower-level functions bound to a client
+ * context (auth + rate-limit + caches). All methods are async and return
+ * normalized, serializable data structures.
+ */
+export interface GitHubClient {
+  /** Detect whether a reference is a tag or a branch (or unknown). */
+  getRefType(
+    owner: string,
+    repo: string,
+    reference: string,
+  ): Promise<'branch' | 'tag' | null>
+
+  /** List releases with minimal enrichment. */
+  getAllReleases(
+    owner: string,
+    repo: string,
+    limit?: number,
+  ): Promise<ReleaseInfo[]>
+
+  /** Fetch tag metadata (message/date) and the resolved commit SHA. */
+  getTagInfo(owner: string, repo: string, tag: string): Promise<TagInfo | null>
+
+  /** Resolve commit SHA for a tag without fetching commit data. */
+  getTagSha(owner: string, repo: string, tag: string): Promise<string | null>
+
+  /** List repository tags (name + commit SHA). */
+  getAllTags(owner: string, repo: string, limit?: number): Promise<TagInfo[]>
+
+  /** Fetch the latest release or null when no latest release exists. */
+  getLatestRelease(owner: string, repo: string): Promise<ReleaseInfo | null>
+
+  /** Current rate limit snapshot. */
+  getRateLimitStatus(): { remaining: number; resetAt: Date }
+
+  /** True when remaining requests are below a threshold. */
+  shouldWaitForRateLimit(threshold?: number): boolean
+}

package/dist/types/release-info.d.ts

@@ -0,0 +1,23 @@
+/** Normalized release information used across the tool. */
+export interface ReleaseInfo {
+  /** Release description (body) or null when absent. */
+  description: string | null
+
+  /** True when the release is marked as prerelease. */
+  isPrerelease: boolean
+
+  /** Commit SHA associated with the release tag (may be null). */
+  sha: string | null
+
+  /** Publication date of the release. */
+  publishedAt: Date
+
+  /** Tag name (e.g. V1.2.3). */
+  version: string
+
+  /** Release name or tag name when name is not provided. */
+  name: string
+
+  /** HTML URL of the release page. */
+  url: string
+}

package/dist/types/tag-info.d.ts

@@ -0,0 +1,14 @@
+/** Normalized tag information (message/date) and the resolved commit SHA. */
+export interface TagInfo {
+  /** Tag or commit message, null when absent. */
+  message: string | null
+
+  /** Commit SHA the tag ultimately points to (may be null). */
+  sha: string | null
+
+  /** Date associated with the tag (from release, tagger or commit). */
+  date: Date | null
+
+  /** Tag name (e.g. V1.2.3). */
+  tag: string
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",

package/readme.md

@@ -23,8 +23,8 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
 - **Batch Updates**: Update multiple actions at once
 - **Interactive Selection**: Choose which actions to update
 - **Breaking Changes Detection**: Warns about major version updates
-- **Fast & Efficient**: Parallel processing with optimized API calls
-- **CI/CD Integration**: Can be used as a GitHub Action for automated PR checks
+- **Fast & Efficient**: Optimized API usage with deduped lookups
+- **CI/CD Integration**: Use in GitHub Actions workflows for automated PR checks
 
 ###
 
@@ -167,15 +167,8 @@ jobs:
           echo "Running actions-up to check for updates..."
           actions-up --dry-run > actions-up-raw.txt 2>&1 || true
 
-          # Strip ANSI color codes from the output
-          sed -i 's/\x1b\[[0-9;]*m//g' actions-up-raw.txt
-
-          # Also remove any other control characters
-          sed -i 's/\x1b\[[0-9;]*[a-zA-Z]//g' actions-up-raw.txt
-
           # Parse the output to detect updates
-          # Look for patterns like "v3 → v4" or "would be updated"
-          if grep -E "(→|would be updated|Update available)" actions-up-raw.txt > /dev/null 2>&1; then
+          if grep -q "→" actions-up-raw.txt; then
             HAS_UPDATES=true
             # Count the number of updates (lines with arrows)
             UPDATE_COUNT=$(grep -c "→" actions-up-raw.txt || echo "0")
@@ -198,67 +191,11 @@ jobs:
               echo "## GitHub Actions Update Report"
               echo ""
 
-              # Extract summary information
-              TOTAL_ACTIONS=$(grep -oP 'Found \K[0-9]+(?= actions)' actions-up-raw.txt | head -1 || echo "0")
-              BREAKING_UPDATES=$(grep -oP '\(([0-9]+) breaking\)' actions-up-raw.txt | grep -oP '[0-9]+' || echo "0")
-
               echo "### Summary"
-              echo "- **Total actions scanned:** $TOTAL_ACTIONS"
               echo "- **Updates available:** $UPDATE_COUNT"
-              if [ "$BREAKING_UPDATES" != "0" ]; then
-                echo "- **Breaking changes:** $BREAKING_UPDATES"
-              fi
               echo ""
 
-              echo "### Available Updates"
-              echo ""
-
-              # Format the updates in a table
-              echo "| Workflow File | Action | Current | Available | Type | Release Notes |"
-              echo "|--------------|--------|---------|-----------|------|---------------|"
-
-              # Parse each update line
-              grep "→" actions-up-raw.txt | while IFS= read -r line; do
-                # Extract workflow file path (remove leading path)
-                if echo "$line" | grep -q "\.github/workflows/"; then
-                  PREV_FILE=$(echo "$line" | grep -oP '\.github/workflows/[^:]+' | head -1)
-                fi
-
-                # Skip file path lines, process only action updates
-                if echo "$line" | grep -q ": .* → "; then
-                  # Extract action name and versions
-                  ACTION=$(echo "$line" | cut -d: -f1 | xargs)
-                  CURRENT=$(echo "$line" | grep -oP 'v[0-9]+(\.[0-9]+)*' | head -1)
-                  NEW=$(echo "$line" | grep -oP '→ \Kv[0-9]+(\.[0-9]+)*' | head -1)
-
-                  # Determine if it's a breaking change
-                  CURRENT_MAJOR=$(echo "$CURRENT" | grep -oP 'v\K[0-9]+' || echo "0")
-                  NEW_MAJOR=$(echo "$NEW" | grep -oP 'v\K[0-9]+' || echo "0")
-
-                  if [ "$CURRENT_MAJOR" != "$NEW_MAJOR" ]; then
-                    TYPE="Breaking"
-                    # Generate release URL
-                    # Handle both owner/repo and just repo formats
-                    if echo "$ACTION" | grep -q "/"; then
-                      REPO_PATH="$ACTION"
-                    else
-                      # For actions without owner, assume it's under 'actions' org
-                      REPO_PATH="actions/$ACTION"
-                    fi
-                    RELEASE_URL="https://github.com/${REPO_PATH}/releases/tag/${NEW}"
-                    RELEASE_LINK="[Release](${RELEASE_URL})"
-                  else
-                    TYPE="Minor"
-                    RELEASE_LINK="-"
-                  fi
-
-                  # Output table row
-                  WORKFLOW_NAME=$(basename "$PREV_FILE" 2>/dev/null || echo "workflow.yml")
-                  echo "| \`$WORKFLOW_NAME\` | $ACTION | $CURRENT | **$NEW** | $TYPE | $RELEASE_LINK |"
-                fi
-              done
-
-              echo ""
+              # See the raw output above for details.
               echo "### How to Update"
               echo ""
               echo "You have several options to update these actions:"
@@ -275,42 +212,6 @@ jobs:
               echo "3. Edit the workflow files and update the version numbers"
               echo "4. Test the changes in your CI/CD pipeline"
               echo ""
-              echo "#### Option 3: Selective Update"
-              echo '```bash'
-              echo "# Update only non-breaking changes"
-              echo "npx actions-up --breaking false"
-              echo '```'
-              echo ""
-
-              if [ "$BREAKING_UPDATES" != "0" ]; then
-                echo "### Breaking Changes Warning"
-                echo ""
-                echo "This update includes **$BREAKING_UPDATES breaking change(s)**. Please review the release notes before updating:"
-                echo ""
-                grep "→" actions-up-raw.txt | while IFS= read -r line; do
-                  if echo "$line" | grep -q ": .* → "; then
-                    ACTION=$(echo "$line" | cut -d: -f1 | xargs)
-                    CURRENT=$(echo "$line" | grep -oP 'v[0-9]+' | head -1)
-                    NEW=$(echo "$line" | grep -oP '→ \Kv[0-9]+(\.[0-9]+)*' | head -1)
-                    CURRENT_MAJOR=$(echo "$CURRENT" | grep -oP '[0-9]+' || echo "0")
-                    NEW_MAJOR=$(echo "$NEW" | grep -oP '[0-9]+' || echo "0")
-                    if [ "$CURRENT_MAJOR" != "$NEW_MAJOR" ]; then
-                      # Generate release URL
-                      if echo "$ACTION" | grep -q "/"; then
-                        REPO_PATH="$ACTION"
-                      else
-                        REPO_PATH="actions/$ACTION"
-                      fi
-                      RELEASE_URL="https://github.com/${REPO_PATH}/releases/tag/${NEW}"
-                      echo "- **$ACTION**: $CURRENT → $NEW - [View Release Notes](${RELEASE_URL})"
-                    fi
-                  fi
-                done
-                echo ""
-                echo "**Important:** Breaking changes may require modifications to your workflow configuration. Always review the release notes and test thoroughly."
-                echo ""
-              fi
-
               echo "---"
               echo ""
               echo "<details>"
@@ -440,17 +341,6 @@ jobs:
 
 </details>
 
-### Advanced PR Integration with Comments
-
-For a more sophisticated integration that comments directly on PRs with detailed update information, check out our [example workflow with PR comments](https://github.com/azat-io/actions-up/blob/main/examples/workflows/check-with-comments.yml).
-
-This advanced workflow:
-
-- Comments on PRs with a formatted table of available updates
-- Adds labels to PRs with outdated actions
-- Includes links to release notes for breaking changes
-- Updates existing comments instead of creating duplicates
-
 ### Scheduled Checks
 
 You can also set up scheduled checks to stay informed about updates:
@@ -518,22 +408,6 @@ Or in GitHub Actions:
   run: npx actions-up --dry-run
 ```
 
-### Command Line Options
-
-```bash
-# Update all actions without prompts
-npx actions-up --yes
-
-# Check for updates without making changes
-npx actions-up --dry-run
-
-# Update only non-breaking changes
-npx actions-up --breaking false
-
-# Specify custom workflow directory
-npx actions-up --workflows ./custom/workflows
-```
-
 ## Security
 
 Actions Up promotes security best practices:

package/dist/core/api/client.d.ts

@@ -1,98 +0,0 @@
-interface ReleaseInfo {
-    /** Release description or null if not provided. */
-    description: string | null;
-    /** Whether this release is marked as a pre-release. */
-    isPrerelease: boolean;
-    /** Git commit SHA for this release. */
-    sha: string | null;
-    /** Date when the release was published. */
-    publishedAt: Date;
-    /** Version tag name (e.g., 'v1.2.3'). */
-    version: string;
-    /** Release name or tag name if name not provided. */
-    name: string;
-    /** GitHub URL for this release. */
-    url: string;
-}
-/** Processed tag information with normalized types. */
-interface TagInfo {
-    /** Tag or commit message, null if not provided. */
-    message: string | null;
-    /** Git commit SHA that this tag points to. */
-    sha: string | null;
-    /** Date when the tag was created or committed. */
-    date: Date | null;
-    /** Tag name (e.g., 'v1.2.3'). */
-    tag: string;
-}
-/** GitHub REST API client with optional authentication. */
-export declare class Client {
-    private readonly baseUrl;
-    private readonly token;
-    private rateLimitReset;
-    private rateLimitRemaining;
-    /**
-     * Creates a new GitHub API client.
-     *
-     * @param token - Optional GitHub token for authentication.
-     */
-    constructor(token?: string);
-    private static isRateLimitError;
-    /**
-     * Get specific tag/version information.
-     *
-     * @param owner - The repository owner.
-     * @param repo - The repository name.
-     * @param tag - The tag name to fetch.
-     * @returns Tag information or null if not found.
-     */
-    getTagInfo(owner: string, repo: string, tag: string): Promise<TagInfo | null>;
-    /**
-     * Get all releases for a repository.
-     *
-     * @param owner - The repository owner.
-     * @param repo - The repository name.
-     * @param limit - Maximum number of releases to fetch.
-     * @returns Array of release information.
-     */
-    getAllReleases(owner: string, repo: string, limit?: number): Promise<ReleaseInfo[]>;
-    /**
-     * Get the latest release for a GitHub repository.
-     *
-     * @param owner - The repository owner.
-     * @param repo - The repository name.
-     * @returns Latest release information or null if not found.
-     */
-    getLatestRelease(owner: string, repo: string): Promise<ReleaseInfo | null>;
-    getAllTags(owner: string, repo: string, limit?: number): Promise<TagInfo[]>;
-    getRefType(owner: string, repo: string, reference: string): Promise<'branch' | 'tag' | null>;
-    getRateLimitStatus(): {
-        remaining: number;
-        resetAt: Date;
-    };
-    /**
-     * Check if we should wait before making more requests.
-     *
-     * @param threshold - Minimum remaining requests before waiting.
-     * @returns True if rate limit is below threshold.
-     */
-    shouldWaitForRateLimit(threshold?: number): boolean;
-    private makeRequest;
-    private updateRateLimitInfo;
-}
-/**
- * Resolve GitHub token from multiple sources with descending priority.
- *
- * Priority:
- *
- * 1. Env GITHUB_TOKEN
- * 2. Env GH_TOKEN
- * 3. Gh auth token
- * 4. .git/config keys (github.token, github.oauth-token, hub.oauthtoken).
- *
- * This is a synchronous best-effort resolver without throwing on failures.
- *
- * @returns Token string or undefined when not found.
- */
-export declare function resolveGitHubTokenSync(): undefined | string;
-export {};