actions-up 1.3.1 → 1.4.0

package/dist/core/parsing/parse-action-reference.js

@@ -1,34 +1,34 @@
-function parseActionReference(reference, file, line) {
-	if (!reference || reference.trim() === "") return null;
-	if (reference.startsWith("docker://")) return {
+function parseActionReference(e, t, n) {
+	if (!e || e.trim() === "") return null;
+	if (e.startsWith("docker://")) return {
 		version: void 0,
-		name: reference,
+		name: e,
 		type: "docker",
-		file,
-		line
+		file: t,
+		line: n
 	};
-	if (reference.startsWith("./") || reference.startsWith("../")) return {
+	if (e.startsWith("./") || e.startsWith("../")) return {
 		version: void 0,
-		name: reference,
+		name: e,
 		type: "local",
-		file,
-		line
+		file: t,
+		line: n
 	};
-	let parts = reference.split("@");
-	if (parts.length !== 2) return null;
-	let [namePart, version] = parts;
-	if (!namePart || !version) return null;
-	let segs = namePart.split("/");
-	if (segs.length < 2) return null;
-	let [owner, repo] = segs;
-	if (!owner || !repo) return null;
-	for (let seg of segs.slice(2)) if (!seg) return null;
+	let r = e.split("@");
+	if (r.length !== 2) return null;
+	let [i, a] = r;
+	if (!i || !a) return null;
+	let o = i.split("/");
+	if (o.length < 2) return null;
+	let [s, c] = o;
+	if (!s || !c) return null;
+	for (let e of o.slice(2)) if (!e) return null;
 	return {
 		type: "external",
-		name: namePart,
-		version,
-		file,
-		line
+		name: i,
+		version: a,
+		file: t,
+		line: n
 	};
 }
 export { parseActionReference };

package/dist/core/scan-action-file.js

@@ -1,7 +1,7 @@
 import { readYamlDocument } from "./fs/read-yaml-document.js";
 import { scanCompositeActionAst } from "./ast/scanners/scan-composite-action-ast.js";
-async function scanActionFile(filePath) {
-	let { document, content } = await readYamlDocument(filePath);
-	return scanCompositeActionAst(document, content, filePath);
+async function scanActionFile(n) {
+	let { document: r, content: i } = await readYamlDocument(n);
+	return scanCompositeActionAst(r, i, n);
 }
 export { scanActionFile };

package/dist/core/scan-github-actions.js

@@ -4,190 +4,141 @@ import { scanActionFile } from "./scan-action-file.js";
 import { isYamlFile } from "./fs/is-yaml-file.js";
 import { readFile, readdir, stat } from "node:fs/promises";
 import { isAbsolute, join, relative, resolve } from "node:path";
-async function scanGitHubActions(rootPath = process.cwd()) {
-	let result = {
+async function scanGitHubActions(d = process.cwd()) {
+	let m = {
 		compositeActions: /* @__PURE__ */ new Map(),
 		workflows: /* @__PURE__ */ new Map(),
 		actions: []
-	};
-	let normalizedRoot = resolve(rootPath);
-	function isWithin(root, candidate) {
-		let relativePath = relative(root, candidate);
-		return relativePath !== "" && !relativePath.startsWith("..") && !isAbsolute(relativePath);
+	}, h = resolve(d);
+	function g(e, o) {
+		let s = relative(e, o);
+		return s !== "" && !s.startsWith("..") && !isAbsolute(s);
 	}
-	let githubPath = join(normalizedRoot, GITHUB_DIRECTORY);
-	if (!isWithin(normalizedRoot, githubPath)) throw new Error("Invalid path: detected path traversal attempt");
-	function isValidName(name) {
-		if (name.includes("..") || name.includes("/") || name.includes("\\")) {
-			console.warn(`Skipping invalid name: ${name}`);
-			return false;
-		}
-		return true;
+	let _ = join(h, GITHUB_DIRECTORY);
+	if (!g(h, _)) throw Error("Invalid path: detected path traversal attempt");
+	function v(e) {
+		return e.includes("..") || e.includes("/") || e.includes("\\") ? (console.warn(`Skipping invalid name: ${e}`), !1) : !0;
 	}
-	let workflowsPath = join(githubPath, WORKFLOWS_DIRECTORY);
-	if (!isWithin(normalizedRoot, workflowsPath)) return result;
+	let y = join(_, WORKFLOWS_DIRECTORY);
+	if (!g(h, y)) return m;
 	try {
-		let workflowsStat = await stat(workflowsPath);
-		if (workflowsStat.isDirectory()) {
-			let files = await readdir(workflowsPath);
-			let workflowPromises = files.filter((file) => {
-				if (!isValidName(file)) return false;
-				return isYamlFile(file);
-			}).map(async (file) => {
-				let filePath = join(workflowsPath, file);
-				if (!isWithin(workflowsPath, filePath)) {
-					console.warn(`Skipping file outside workflows directory: ${file}`);
-					return {
-						success: false,
-						actions: [],
-						path: ""
-					};
-				}
+		if ((await stat(y)).isDirectory()) {
+			let e = (await readdir(y)).filter((e) => v(e) ? isYamlFile(e) : !1).map(async (e) => {
+				let l = join(y, e);
+				if (!g(y, l)) return console.warn(`Skipping file outside workflows directory: ${e}`), {
+					success: !1,
+					actions: [],
+					path: ""
+				};
 				try {
-					let actions = await scanWorkflowFile(filePath);
+					let u = await scanWorkflowFile(l);
 					return {
-						path: `${GITHUB_DIRECTORY}/${WORKFLOWS_DIRECTORY}/${file}`,
-						success: true,
-						actions
+						path: `${GITHUB_DIRECTORY}/${WORKFLOWS_DIRECTORY}/${e}`,
+						success: !0,
+						actions: u
 					};
 				} catch {
 					return {
-						path: `${GITHUB_DIRECTORY}/${WORKFLOWS_DIRECTORY}/${file}`,
-						success: false,
+						path: `${GITHUB_DIRECTORY}/${WORKFLOWS_DIRECTORY}/${e}`,
+						success: !1,
 						actions: []
 					};
 				}
-			});
-			let workflowResults = await Promise.all(workflowPromises);
-			for (let workflow of workflowResults) if (workflow.success && workflow.path) if (workflow.actions.length > 0) {
-				result.workflows.set(workflow.path, workflow.actions);
-				result.actions.push(...workflow.actions);
-			} else result.workflows.set(workflow.path, []);
+			}), l = await Promise.all(e);
+			for (let e of l) e.success && e.path && (e.actions.length > 0 ? (m.workflows.set(e.path, e.actions), m.actions.push(...e.actions)) : m.workflows.set(e.path, []));
 		}
 	} catch {}
-	let actionsPath = join(githubPath, ACTIONS_DIRECTORY);
-	if (!isWithin(normalizedRoot, actionsPath)) return result;
+	let b = join(_, ACTIONS_DIRECTORY);
+	if (!g(h, b)) return m;
 	try {
-		let actionsStat = await stat(actionsPath);
-		if (actionsStat.isDirectory()) {
-			let subdirectories = await readdir(actionsPath);
-			let actionPromises = subdirectories.map(async (subdir) => {
-				if (!isValidName(subdir)) return null;
-				let subdirPath = join(actionsPath, subdir);
-				if (!isWithin(actionsPath, subdirPath)) {
-					console.warn(`Skipping subdirectory outside actions path: ${subdir}`);
-					return null;
-				}
+		if ((await stat(b)).isDirectory()) {
+			let s = (await readdir(b)).map(async (s) => {
+				if (!v(s)) return null;
+				let c = join(b, s);
+				if (!g(b, c)) return console.warn(`Skipping subdirectory outside actions path: ${s}`), null;
 				try {
-					let subdirectoryStat = await stat(subdirPath);
-					if (!subdirectoryStat.isDirectory()) return null;
-					let actionFilePath = join(subdirPath, "action.yml");
-					if (!isWithin(subdirPath, actionFilePath)) return null;
-					let actions = [];
+					if (!(await stat(c)).isDirectory()) return null;
+					let u = join(c, "action.yml");
+					if (!g(c, u)) return null;
+					let d = [];
 					try {
-						actions = await scanActionFile(actionFilePath);
+						d = await scanActionFile(u);
 					} catch {
 						try {
-							actionFilePath = join(subdirPath, "action.yaml");
-							if (!isWithin(subdirPath, actionFilePath)) return null;
-							actions = await scanActionFile(actionFilePath);
+							if (u = join(c, "action.yaml"), !g(c, u)) return null;
+							d = await scanActionFile(u);
 						} catch {
 							return null;
 						}
 					}
 					return {
-						path: `${GITHUB_DIRECTORY}/${ACTIONS_DIRECTORY}/${subdir}`,
-						name: subdir,
-						actions
+						path: `${GITHUB_DIRECTORY}/${ACTIONS_DIRECTORY}/${s}`,
+						name: s,
+						actions: d
 					};
 				} catch {
 					return null;
 				}
-			});
-			let actionResults = await Promise.all(actionPromises);
-			for (let actionResult of actionResults) if (actionResult) {
-				result.compositeActions.set(actionResult.name, actionResult.path);
-				result.actions.push(...actionResult.actions);
-			}
+			}), c = await Promise.all(s);
+			for (let e of c) e && (m.compositeActions.set(e.name, e.path), m.actions.push(...e.actions));
 		}
 	} catch {}
 	try {
-		let repoSlug = await getCurrentRepoSlug(normalizedRoot);
-		if (repoSlug) {
-			if (process.env["ACTIONS_UP_TEST_THROW"] === "1") throw new Error("test");
-			let seenCompositeDirectories = /* @__PURE__ */ new Set();
-			let queue = [];
-			for (let action of result.actions) {
-				if (action.type !== "external") continue;
-				let segs = action.name.split("/");
-				if (segs.length < 3) continue;
-				let candidateSlug = `${segs[0]}/${segs[1]}`;
-				if (candidateSlug !== repoSlug) continue;
-				let compositeDirectory = join(normalizedRoot, ...segs.slice(2));
-				if (!isWithin(normalizedRoot, compositeDirectory)) continue;
-				if (seenCompositeDirectories.has(compositeDirectory)) continue;
-				seenCompositeDirectories.add(compositeDirectory);
-				queue.push(compositeDirectory);
+		let e = await getCurrentRepoSlug(h);
+		if (e) {
+			if (process.env.ACTIONS_UP_TEST_THROW === "1") throw Error("test");
+			let o = /* @__PURE__ */ new Set(), s = [];
+			for (let c of m.actions) {
+				if (c.type !== "external") continue;
+				let l = c.name.split("/");
+				if (l.length < 3 || `${l[0]}/${l[1]}` !== e) continue;
+				let u = join(h, ...l.slice(2));
+				if (!g(h, u) || o.has(u)) continue;
+				o.add(u), s.push(u);
 			}
-			async function processQueue() {
-				if (queue.length === 0) return;
-				let batch = queue.splice(0);
-				let discoveredNext = await Promise.all(batch.map(async (directory) => {
+			async function c() {
+				if (s.length === 0) return;
+				let u = s.splice(0), d = await Promise.all(u.map(async (s) => {
 					try {
-						let ymlPath = join(directory, "action.yml");
-						let yamlPath = join(directory, "action.yaml");
-						let filePath = ymlPath;
+						let c = join(s, "action.yml"), u = join(s, "action.yaml"), d = c;
 						try {
-							let fileInfo = await stat(ymlPath);
-							if (!fileInfo.isFile()) throw new Error("not a file");
+							if (!(await stat(c)).isFile()) throw Error("not a file");
 						} catch {
-							let yamlInfo = await stat(yamlPath);
-							if (!yamlInfo.isFile()) throw new Error("not a file");
-							filePath = yamlPath;
+							if (!(await stat(u)).isFile()) throw Error("not a file");
+							d = u;
 						}
-						let nestedActions = await scanActionFile(filePath);
-						if (nestedActions.length > 0) result.actions.push(...nestedActions);
-						let nextDirectories = [];
-						for (let nestedAction of nestedActions) {
-							if (nestedAction.type !== "external") continue;
-							let nameSegments = nestedAction.name.split("/");
-							if (nameSegments.length < 3) continue;
-							let nameSlug = `${nameSegments[0]}/${nameSegments[1]}`;
-							if (nameSlug !== repoSlug) continue;
-							let nextDirectory = join(normalizedRoot, ...nameSegments.slice(2));
-							if (!isWithin(normalizedRoot, nextDirectory)) continue;
-							if (seenCompositeDirectories.has(nextDirectory)) continue;
-							seenCompositeDirectories.add(nextDirectory);
-							nextDirectories.push(nextDirectory);
+						let f = await scanActionFile(d);
+						f.length > 0 && m.actions.push(...f);
+						let p = [];
+						for (let s of f) {
+							if (s.type !== "external") continue;
+							let c = s.name.split("/");
+							if (c.length < 3 || `${c[0]}/${c[1]}` !== e) continue;
+							let l = join(h, ...c.slice(2));
+							if (!g(h, l) || o.has(l)) continue;
+							o.add(l), p.push(l);
 						}
-						return nextDirectories;
+						return p;
 					} catch {
 						return [];
 					}
 				}));
-				for (let list of discoveredNext) for (let directory of list) queue.push(directory);
-				await processQueue();
+				for (let e of d) for (let o of e) s.push(o);
+				await c();
 			}
-			await processQueue();
+			await c();
 		}
 	} catch {}
-	return result;
+	return m;
 }
-async function getCurrentRepoSlug(root) {
-	let environmentSlug = process.env["GITHUB_REPOSITORY"];
-	if (environmentSlug && /^[^\s/]+\/[^\s/]+$/u.test(environmentSlug)) return environmentSlug;
+async function getCurrentRepoSlug(e) {
+	let o = process.env.GITHUB_REPOSITORY;
+	if (o && /^[^\s/]+\/[^\s/]+$/u.test(o)) return o;
 	try {
-		let gitConfigPath = join(root, ".git", "config");
-		let content = await readFile(gitConfigPath, "utf8");
-		let originUrlMatch = content.match(/\[remote "origin"\][\s\S]*?url\s*=\s*(?<url>.+)/u);
-		let url = originUrlMatch?.groups?.["url"]?.trim();
-		if (!url) {
-			let anyUrlMatch = content.match(/url\s*=\s*(?<url>.+)/u);
-			url = anyUrlMatch?.groups?.["url"]?.trim();
-		}
-		if (!url) return null;
-		let httpsMatch = url.match(/github\.com[/:](?<owner>[^/]+)\/(?<repo>[^./]+)(?:\.git)?$/u);
-		if (httpsMatch?.groups) return `${httpsMatch.groups["owner"]}/${httpsMatch.groups["repo"]}`;
+		let o = join(e, ".git", "config"), s = await readFile(o, "utf8"), c = s.match(/\[remote "origin"\][\s\S]*?url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim();
+		if (c ||= s.match(/url\s*=\s*(?<url>.+)/u)?.groups?.url?.trim(), !c) return null;
+		let l = c.match(/github\.com[/:](?<owner>[^/]+)\/(?<repo>[^./]+)(?:\.git)?$/u);
+		if (l?.groups) return `${l.groups.owner}/${l.groups.repo}`;
 	} catch {}
 	return null;
 }

package/dist/core/scan-workflow-file.js

@@ -1,7 +1,7 @@
 import { scanWorkflowAst } from "./ast/scanners/scan-workflow-ast.js";
 import { readYamlDocument } from "./fs/read-yaml-document.js";
-async function scanWorkflowFile(filePath) {
-	let { document, content } = await readYamlDocument(filePath);
-	return scanWorkflowAst(document, content, filePath);
+async function scanWorkflowFile(n) {
+	let { document: r, content: i } = await readYamlDocument(n);
+	return scanWorkflowAst(r, i, n);
 }
 export { scanWorkflowFile };

package/dist/core/schema/composite/is-composite-action-runs.js

@@ -1,6 +1,4 @@
-function isCompositeActionRuns(value) {
-	if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
-	let object = value;
-	return "using" in object;
+function isCompositeActionRuns(e) {
+	return typeof e != "object" || !e || Array.isArray(e) ? !1 : "using" in e;
 }
 export { isCompositeActionRuns };

package/dist/core/schema/composite/is-composite-action-structure.js

@@ -1,6 +1,6 @@
-function isCompositeActionStructure(value) {
-	if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
-	let object = value;
-	return "name" in object || "description" in object || "runs" in object;
+function isCompositeActionStructure(e) {
+	if (typeof e != "object" || !e || Array.isArray(e)) return !1;
+	let t = e;
+	return "name" in t || "description" in t || "runs" in t;
 }
 export { isCompositeActionStructure };

package/dist/core/schema/workflow/is-workflow-structure.js

@@ -1,6 +1,6 @@
-function isWorkflowStructure(value) {
-	if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
-	let object = value;
-	return "on" in object || "name" in object || "jobs" in object;
+function isWorkflowStructure(e) {
+	if (typeof e != "object" || !e || Array.isArray(e)) return !1;
+	let t = e;
+	return "on" in t || "name" in t || "jobs" in t;
 }
 export { isWorkflowStructure };

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.3.1";
+const version = "1.4.0";
 export { version };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.3.1",
+  "version": "1.4.0",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",

package/readme.md

@@ -2,7 +2,7 @@
 
 <img
   src="https://raw.githubusercontent.com/azat-io/actions-up/main/assets/logo.svg"
-  alt="Actions Up! logo"
+  alt="Actions Up logo"
   width="160"
   height="160"
   align="right"
@@ -19,7 +19,7 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
 ## Features
 
 - **Auto-discovery**: Scans all workflows (`.github/workflows/*.yml`) and composite actions (`.github/actions/*/action.yml`)
-- **SHA Pinning**: Updates actions to use commit SHA instead of tags for better security
+- **SHA pinning**: Updates actions to use commit SHA instead of tags for better security
 - **Batch Updates**: Update multiple actions at once
 - **Interactive Selection**: Choose which actions to update
 - **Breaking Changes Detection**: Warns about major version updates
@@ -41,7 +41,7 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
   />
   <img
     src="https://raw.githubusercontent.com/azat-io/actions-up/main/assets/example-light.webp"
-    alt="Actions Up interactive example"
+    alt="Actions Up! interactive example"
     width="820"
   />
 </picture>
@@ -209,7 +209,7 @@ jobs:
               echo "#### Option 2: Manual Update"
               echo "1. Review each update in the table above"
               echo "2. For breaking changes, click the Release Notes link to review changes"
-              echo "3. Edit the workflow files and update the version numbers"
+              echo "3. Edit the workflows and update the version numbers"
               echo "4. Test the changes in your CI/CD pipeline"
               echo ""
               echo "---"
@@ -233,7 +233,7 @@ jobs:
               echo ""
               echo "### All GitHub Actions in this repository are up to date!"
               echo ""
-              echo "No action required. Your workflow files are using the latest versions of all GitHub Actions."
+              echo "No action required. Your workflows are using the latest versions of all GitHub Actions."
             } > actions-up-report.md
 
             echo "has-updates=false" >> $GITHUB_OUTPUT
@@ -335,7 +335,7 @@ jobs:
           echo "::error:: Found ${{ steps.actions-check.outputs.update-count }} outdated GitHub Actions. Please update them before merging."
           echo ""
           echo "You can update them by running: npx actions-up"
-          echo "Or manually update the versions in your workflow files."
+          echo "Or manually update the versions in your workflows."
           exit 1
 ````
 
@@ -408,12 +408,59 @@ Or in GitHub Actions:
   run: npx actions-up --dry-run
 ```
 
+### Skipping Updates
+
+Skip updates using CLI excludes and YAML ignore comments. Excludes run first, then ignore comments.
+
+#### CLI Excludes
+
+Skip actions by name using regular expressions. Patterns are matched against the full action name (`owner/repo[/path]`).
+
+- Repeatable flag: `--exclude <regex>` (can be used multiple times)
+- Comma-separated list is supported inside a single flag
+- Forms:
+  - Plain string compiled as case-insensitive regex: `my-org/.*`
+  - Literal with flags: `/^actions\/internal-.+$/i`
+
+Examples:
+
+```bash
+npx actions-up --exclude "my-org/.*"
+npx actions-up --exclude ".*/internal-.*" --exclude "/^acme\/.+$/i"
+# or
+npx actions-up --exclude "my-org/.*, .*/internal-.*"
+```
+
+#### Ignore Comments
+
+You can skip specific actions or files using YAML comments. Ignored items are hidden in dry-run and interactive modes and are not updated with `--yes`.
+
+- Ignore whole file: `# actions-up-ignore-file`
+- Block ignore: `# actions-up-ignore-start` … `# actions-up-ignore-end`
+- Next line: `# actions-up-ignore-next-line`
+- Inline on the same line: append `# actions-up-ignore`
+
+Example:
+
+```yaml
+# actions-up-ignore-file
+
+# actions-up-ignore-next-line
+- uses: actions/checkout@v3
+
+- uses: actions/setup-node@v3 # actions-up-ignore
+
+# actions-up-ignore-start
+- uses: actions/cache@v3
+# actions-up-ignore-end
+```
+
 ## Security
 
 Actions Up promotes security best practices:
 
-- **SHA Pinning**: Uses commit SHA instead of mutable tags
-- **Version Comments**: Adds version as comment for readability
+- **SHA pinning**: Uses commit SHA instead of mutable tags
+- **Version comment**: Adds the released version next to the pinned SHA for readability
 - **No Auto-Updates**: Full control over what gets updated
 - **Breaking Change Warnings**: Alerts you to major version updates that may require configuration changes