actions-up 1.5.0 → 1.7.0

package/dist/cli/index.js

@@ -10,55 +10,57 @@ import "node:worker_threads";
 import pc from "picocolors";
 import cac from "cac";
 function run() {
-	let l = cac("actions-up");
-	l.help().version(version).option("--dir <directory>", "Custom directory name (default: .github)").option("--dry-run", "Preview changes without applying them").option("--exclude <regex>", "Exclude actions by regex (repeatable)").option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (s) => {
+	let u = cac("actions-up");
+	u.help().version(version).option("--dir <directory>", "Custom directory name (default: .github)").option("--dry-run", "Preview changes without applying them").option("--exclude <regex>", "Exclude actions by regex (repeatable)").option("--include-branches", "Also check actions pinned to branches (default: false)").option("--min-age <days>", "Minimum age in days for updates (default: 0)", { default: 0 }).option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (c) => {
 		console.info(pc.cyan("\n🚀 Actions Up!\n"));
-		let c = createSpinner("Scanning GitHub Actions...").start();
+		let l = createSpinner("Scanning GitHub Actions...").start();
 		try {
-			let l = await scanGitHubActions(process.cwd(), s.dir), u = l.actions.length, d = l.workflows.size, f = l.compositeActions.size;
-			if (c.success(`Found ${pc.yellow(u)} actions in ${pc.yellow(d)} workflows and ${pc.yellow(f)} composite actions`), u === 0) {
+			let u = await scanGitHubActions(process.cwd(), c.dir), d = u.actions.length, f = u.workflows.size, p = u.compositeActions.size;
+			if (l.success(`Found ${pc.yellow(d)} actions in ${pc.yellow(f)} workflows and ${pc.yellow(p)} composite actions`), d === 0) {
 				console.info(pc.green("\n✨ No GitHub Actions found in this repository"));
 				return;
 			}
-			let p = l.actions, m = [];
-			Array.isArray(s.exclude) ? m.push(...s.exclude) : typeof s.exclude == "string" && m.push(s.exclude);
-			let h = m.flatMap((e) => e.split(",")).map((e) => e.trim()).filter(Boolean);
-			if (h.length > 0) {
-				let { parseExcludePatterns: e } = await import("../core/filters/parse-exclude-patterns.js"), a = e(h);
-				a.length > 0 && (p = p.filter((e) => {
+			let m = u.actions, h = [];
+			Array.isArray(c.exclude) ? h.push(...c.exclude) : typeof c.exclude == "string" && h.push(c.exclude);
+			let g = h.flatMap((e) => e.split(",")).map((e) => e.trim()).filter(Boolean);
+			if (g.length > 0) {
+				let { parseExcludePatterns: e } = await import("../core/filters/parse-exclude-patterns.js"), a = e(g);
+				a.length > 0 && (m = m.filter((e) => {
 					let { name: o } = e;
 					for (let e of a) if (e.test(o)) return !1;
 					return !0;
 				}));
 			}
-			if (c = createSpinner("Checking for updates...").start(), p.length === 0) {
-				c.success("No actions to check after excludes"), console.info(pc.green("\n✨ Nothing to check after excludes\n"));
+			if (l = createSpinner("Checking for updates...").start(), m.length === 0) {
+				l.success("No actions to check after excludes"), console.info(pc.green("\n✨ Nothing to check after excludes\n"));
 				return;
 			}
-			let g = await checkUpdates(p, process.env.GITHUB_TOKEN), _ = [];
-			await Promise.all(g.map(async (e) => {
-				await shouldIgnore(e.action.file, e.action.line) || _.push(e);
+			let _ = c.includeBranches ?? !1, v = await checkUpdates(m, process.env.GITHUB_TOKEN, { includeBranches: _ }), y = [];
+			await Promise.all(v.map(async (e) => {
+				await shouldIgnore(e.action.file, e.action.line) || y.push(e);
 			}));
-			let v = _.filter((e) => e.hasUpdate), y = v.filter((e) => e.isBreaking);
-			if (v.length === 0) {
-				c.success("All actions are up to date!"), console.info(pc.green("\n✨ Everything is already at the latest version!\n"));
+			let b = y.filter((e) => e.status === "skipped"), x = y.filter((e) => e.hasUpdate), S = c.minAge * 24 * 60 * 60 * 1e3, C = Date.now();
+			x = x.filter((e) => e.publishedAt ? C - e.publishedAt.getTime() >= S : !0);
+			let w = x.filter((e) => e.isBreaking);
+			if (x.length === 0) {
+				l.success("All actions are up to date!"), b.length > 0 && printSkippedWarning(b, _), console.info(pc.green("\n✨ Everything is already at the latest version!\n"));
 				return;
 			}
-			if (c.success(`Found ${pc.yellow(v.length)} updates available${y.length > 0 ? ` (${pc.redBright(y.length)} breaking)` : ""}`), s.dryRun) {
+			if (l.success(`Found ${pc.yellow(x.length)} updates available${w.length > 0 ? ` (${pc.redBright(w.length)} breaking)` : ""}`), b.length > 0 && printSkippedWarning(b, _), c.dryRun) {
 				console.info(pc.yellow("\n📋 Dry Run - No changes will be made\n"));
-				for (let e of v) console.info(`${pc.cyan(e.action.file ?? "unknown")}:\n${e.action.name}: ${pc.redBright(e.currentVersion)} → ${pc.green(e.latestVersion)} ${e.latestSha ? pc.gray(`(${e.latestSha.slice(0, 7)})`) : ""}\n`);
-				console.info(pc.gray(`\n${v.length} actions would be updated\n`));
+				for (let e of x) console.info(`${pc.cyan(e.action.file ?? "unknown")}:\n${e.action.name}: ${pc.redBright(e.currentVersion)} → ${pc.green(e.latestVersion)} ${e.latestSha ? pc.gray(`(${e.latestSha.slice(0, 7)})`) : ""}\n`);
+				console.info(pc.gray(`\n${x.length} actions would be updated\n`));
 				return;
 			}
-			if (s.yes) {
-				let e = v.filter((e) => e.latestSha);
+			if (c.yes) {
+				let e = x.filter((e) => e.latestSha);
 				if (e.length === 0) {
 					console.info(pc.yellow("\n⚠️ No actions with SHA available for update\n"));
 					return;
 				}
 				console.info(pc.yellow(`\n🔄 Updating ${e.length} actions...\n`)), await applyUpdates(e), console.info(pc.green("\n✓ Updates applied successfully!"));
 			} else {
-				let o = await promptUpdateSelection(_);
+				let o = await promptUpdateSelection(y, { showAge: c.minAge > 0 });
 				if (!o || o.length === 0) {
 					console.info(pc.gray("\nNo updates applied"));
 					return;
@@ -66,8 +68,17 @@ function run() {
 				console.info(pc.yellow(`\n🔄 Updating ${o.length} selected actions...\n`)), await applyUpdates(o), console.info(pc.green("\n✓ Updates applied successfully!"));
 			}
 		} catch (e) {
-			c.error("Failed"), e instanceof Error && e.name === "GitHubRateLimitError" ? (console.error(pc.yellow("\n⚠️ Rate Limit Exceeded\n")), console.error(e.message), console.error(pc.gray("\nExample: GITHUB_TOKEN=ghp_xxxx actions-up\n"))) : console.error(pc.redBright("\nError:"), e instanceof Error ? e.message : String(e)), process.exit(1);
+			l.error("Failed"), e instanceof Error && e.name === "GitHubRateLimitError" ? (console.error(pc.yellow("\n⚠️ Rate Limit Exceeded\n")), console.error(e.message), console.error(pc.gray("\nExample: GITHUB_TOKEN=ghp_xxxx actions-up\n"))) : console.error(pc.redBright("\nError:"), e instanceof Error ? e.message : String(e)), process.exit(1);
 		}
-	}), l.parse();
+	}), u.parse();
+}
+function printSkippedWarning(e, a) {
+	let o = new Intl.PluralRules("en-US", { type: "cardinal" }).select(e.length) === "one" ? "action" : "actions", s = a ? "" : " (use --include-branches to check them)";
+	console.info(pc.yellow(`\n⚠️  Skipped ${e.length} ${o} pinned to branches${s}`));
+	for (let a of e) {
+		let e = a.action.uses ?? `${a.action.name}@${a.currentVersion ?? "unknown"}`;
+		console.info(pc.gray(`   • ${e}`));
+	}
+	console.info("");
 }
 export { run };

package/dist/core/api/check-updates.d.ts

@@ -5,6 +5,9 @@ import { ActionUpdate } from '../../types/action-update';
  *
  * @param actions - Array of GitHub Actions to check.
  * @param token - Optional GitHub token for authentication.
+ * @param options - Additional options (e.g., include branch refs).
  * @returns Array of update information.
  */
-export declare function checkUpdates(actions: GitHubAction[], token?: string): Promise<ActionUpdate[]>;
+export declare function checkUpdates(actions: GitHubAction[], token?: string, options?: {
+    includeBranches?: boolean;
+}): Promise<ActionUpdate[]>;

package/dist/core/api/check-updates.js

@@ -1,186 +1,229 @@
 import { createGitHubClient } from "./create-github-client.js";
 import semver from "semver";
-async function checkUpdates(r, a) {
-	let c = createGitHubClient(a), l = r.filter((e) => e.type === "external");
-	if (l.length === 0) return [];
-	let u = /* @__PURE__ */ new Map();
-	for (let e of l) {
-		let n = u.get(e.name) ?? [];
-		n.push(e), u.set(e.name, n);
+async function checkUpdates(n, i, c) {
+	let l = createGitHubClient(i), u = c?.includeBranches ?? !1, d = n.filter((e) => e.type === "external" || e.type === "reusable-workflow");
+	if (d.length === 0) return [];
+	let f = /* @__PURE__ */ new Map();
+	for (let e of d) {
+		let t = f.get(e.name) ?? [];
+		t.push(e), f.set(e.name, t);
 	}
-	let d = {
+	let p = {
 		rateLimitError: null,
 		rateLimitHit: !1
-	}, f = await [...u.keys()].reduce((e, r) => e.then(async (e) => {
-		if (d.rateLimitHit) return [...e, {
+	}, m = await [...f.keys()].reduce((e, n) => e.then(async (e) => {
+		if (p.rateLimitHit) return [...e, {
+			publishedAt: null,
 			version: null,
-			actionName: r,
+			actionName: n,
 			sha: null
 		}];
-		let i = r.split("/");
-		if (i.length < 2) return [...e, {
+		let r = n.split("/");
+		if (r.length < 2) return [...e, {
+			publishedAt: null,
 			version: null,
-			actionName: r,
+			actionName: n,
 			sha: null
 		}];
-		let [a, l] = i;
-		if (!a || !l) return [...e, {
+		let [i, c] = r;
+		if (!i || !c) return [...e, {
+			publishedAt: null,
 			version: null,
-			actionName: r,
+			actionName: n,
 			sha: null
 		}];
 		try {
-			let i = u.get(r)[0]?.version;
-			if (i && !isSha(i) && !isSemverLike(i) && await c.getRefType(a, l, i) === "branch") return [...e, {
+			let r = f.get(n)[0]?.version;
+			if (r && !isSha(r) && !isSemverLike(r) && await l.getRefType(i, c, r) === "branch" && !u) return [...e, {
+				skipReason: "branch",
+				status: "skipped",
+				publishedAt: null,
 				version: null,
-				actionName: r,
+				actionName: n,
 				sha: null
 			}];
-			let d = await c.getLatestRelease(a, l);
+			let d = await l.getLatestRelease(i, c);
 			if (!d) {
-				let e = await c.getAllReleases(a, l, 1);
+				let e = await l.getAllReleases(i, c, 1);
 				d = e.find((e) => !e.isPrerelease) ?? e[0] ?? null;
 			}
 			if (d) {
-				let { version: i, sha: o } = d, u = !1;
+				let { publishedAt: r, version: o, sha: u } = d, f = !1;
 				{
-					let e = normalizeVersion(i), r = !!(i && i.trim() !== ""), a = r && /^v?\d+$/u.test(i.trim()), o = semver.valid(e);
-					u = !r || a || !o;
+					let e = normalizeVersion(o), n = !!(o && o.trim() !== ""), r = n && /^v?\d+$/u.test(o.trim()), i = semver.valid(e);
+					f = !n || r || !i;
 				}
-				if (u) {
-					let o = await c.getAllTags(a, l, 30);
-					if (o.length > 0) {
-						let u = o.filter((e) => isSemverLike(e.tag)).map((e) => ({
+				if (f) {
+					let r = await l.getAllTags(i, c, 30);
+					if (r.length > 0) {
+						let u = r.filter((e) => isSemverLike(e.tag)).map((e) => ({
 							v: semver.valid(normalizeVersion(e.tag)),
 							raw: e
 						}));
 						if (u.length > 0) {
-							u.sort((e, r) => {
-								let i = semver.rcompare(e.v, r.v);
-								if (i !== 0) return i;
-								let a = /\d+\.\d+/u.test(e.raw.tag) ? 1 : 0;
-								return (/\d+\.\d+/u.test(r.raw.tag) ? 1 : 0) - a;
+							u.sort((e, n) => {
+								let r = semver.rcompare(e.v, n.v);
+								if (r !== 0) return r;
+								let i = /\d+\.\d+/u.test(e.raw.tag) ? 1 : 0;
+								return (/\d+\.\d+/u.test(n.raw.tag) ? 1 : 0) - i;
 							});
-							let o = u[0].raw, s = semver.valid(normalizeVersion(i) ?? void 0);
-							if (!s || semver.gt(u[0].v, s) || semver.eq(u[0].v, s) && /\d+\.\d+/u.test(o.tag)) {
-								let n = o.tag, i = o.sha?.length ? o.sha : null;
-								if (!i && n) try {
-									i = await c.getTagSha(a, l, n);
+							let r = u[0].raw, s = semver.valid(normalizeVersion(o) ?? void 0);
+							if (!s || semver.gt(u[0].v, s) || semver.eq(u[0].v, s) && /\d+\.\d+/u.test(r.tag)) {
+								let t = r.tag, a = r.sha?.length ? r.sha : null;
+								if (!a && t) try {
+									a = await l.getTagSha(i, c, t);
 								} catch {}
 								return [...e, {
-									version: n,
-									sha: i,
-									actionName: r
+									version: t,
+									publishedAt: null,
+									sha: a,
+									actionName: n
 								}];
 							}
 						}
 					}
 				}
-				if (!o && i) try {
-					o = await c.getTagSha(a, l, i);
+				if (!u && o) try {
+					u = await l.getTagSha(i, c, o);
 				} catch {}
 				return [...e, {
-					actionName: r,
-					version: i,
-					sha: o
+					status: "ok",
+					publishedAt: r,
+					actionName: n,
+					version: o,
+					sha: u
 				}];
 			}
-			let f = await c.getAllTags(a, l, 30);
-			if (f.length > 0) {
-				let i = f.filter((e) => isSemverLike(e.tag)).map((e) => ({
+			let p = await l.getAllTags(i, c, 30);
+			if (p.length > 0) {
+				let r = p.filter((e) => isSemverLike(e.tag)).map((e) => ({
 					v: semver.valid(normalizeVersion(e.tag)),
 					raw: e
 				})), o;
-				i.length > 0 ? (i.sort((e, r) => {
-					let i = semver.rcompare(e.v, r.v);
-					if (i !== 0) return i;
-					let a = /\d+\.\d+/u.test(e.raw.tag) ? 1 : 0;
-					return (/\d+\.\d+/u.test(r.raw.tag) ? 1 : 0) - a;
-				}), o = i[0].raw) : o = f[0];
+				r.length > 0 ? (r.sort((e, n) => {
+					let r = semver.rcompare(e.v, n.v);
+					if (r !== 0) return r;
+					let i = /\d+\.\d+/u.test(e.raw.tag) ? 1 : 0;
+					return (/\d+\.\d+/u.test(n.raw.tag) ? 1 : 0) - i;
+				}), o = r[0].raw) : o = p[0];
 				let u = o.tag, d = o.sha?.length ? o.sha : null;
 				if (!d && u) try {
-					d = await c.getTagSha(a, l, u);
+					d = await l.getTagSha(i, c, u);
 				} catch {}
 				return [...e, {
-					actionName: r,
+					status: "ok",
+					publishedAt: null,
+					actionName: n,
 					version: u,
 					sha: d
 				}];
 			}
 			return [...e, {
+				publishedAt: null,
 				version: null,
-				actionName: r,
+				actionName: n,
 				sha: null
 			}];
-		} catch (n) {
-			return n instanceof Error && n.name === "GitHubRateLimitError" ? (d.rateLimitHit = !0, d.rateLimitError = n, [...e, {
+		} catch (t) {
+			return t instanceof Error && t.name === "GitHubRateLimitError" ? (p.rateLimitHit = !0, p.rateLimitError = t, [...e, {
+				publishedAt: null,
 				version: null,
-				actionName: r,
+				actionName: n,
 				sha: null
-			}]) : (console.warn(`Failed to check ${r}:`, n), [...e, {
+			}]) : (console.warn(`Failed to check ${n}:`, t), [...e, {
+				publishedAt: null,
 				version: null,
-				actionName: r,
+				actionName: n,
 				sha: null
 			}]);
 		}
 	}), Promise.resolve([]));
-	if (d.rateLimitError) {
-		let e = !!(a ?? process.env.GITHUB_TOKEN), n = `${d.rateLimitError.message || "GitHub API rate limit exceeded."}\n${e ? "Wait for reset or reduce request rate." : "Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#using-github-token-for-higher-rate-limits"}`, r = Error(n);
-		throw r.name = "GitHubRateLimitError", r;
+	if (p.rateLimitError) {
+		let e = !!(i ?? process.env.GITHUB_TOKEN), t = `${p.rateLimitError.message || "GitHub API rate limit exceeded."}\n${e ? "Wait for reset or reduce request rate." : "Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#using-github-token-for-higher-rate-limits"}`, n = Error(t);
+		throw n.name = "GitHubRateLimitError", n;
 	}
-	let p = /* @__PURE__ */ new Map();
-	for (let e of f) p.set(e.actionName, {
+	let h = /* @__PURE__ */ new Map();
+	for (let e of m) h.set(e.actionName, {
+		publishedAt: e.publishedAt,
+		actionName: e.actionName,
+		skipReason: e.skipReason,
 		version: e.version,
+		status: e.status,
 		sha: e.sha
 	});
-	let m = [];
-	for (let e of l) {
-		let n = p.get(e.name);
-		n ? m.push(createUpdate(e, n.version, n.sha)) : m.push(createUpdate(e, null, null));
+	let g = [];
+	for (let e of d) {
+		let t = h.get(e.name);
+		t ? g.push(createUpdate(e, {
+			publishedAt: t.publishedAt,
+			version: t.version,
+			sha: t.sha
+		}, {
+			skipReason: t.skipReason,
+			status: t.status
+		})) : g.push(createUpdate(e, {
+			publishedAt: null,
+			version: null,
+			sha: null
+		}));
 	}
-	return m;
+	return g;
 }
-function createUpdate(e, r, i) {
-	let s = normalizeVersion(e.version ?? ""), c = r ? normalizeVersion(r) : null, l = !1, u = !1;
-	if (s && isSha(s)) i ? l = !compareSha(s, i) : c && (l = !0);
-	else if (s && c) {
-		let r = semver.valid(s), a = semver.valid(c);
-		if (r && a) {
-			if (l = semver.lt(r, a), l) {
-				let e = semver.major(r);
-				u = semver.major(a) > e;
+function createUpdate(e, n, r = {}) {
+	let { version: s, sha: c, publishedAt: l } = n, u = e.version ?? "unknown", d = normalizeVersion(u), f = s ? normalizeVersion(s) : null, p = r.status ?? "ok", m = r.skipReason, h = !1, g = !1;
+	if (p === "skipped") return {
+		currentVersion: u,
+		isBreaking: !1,
+		hasUpdate: !1,
+		latestVersion: s,
+		publishedAt: l,
+		skipReason: m,
+		latestSha: c,
+		action: e,
+		status: p
+	};
+	if (d && isSha(d)) c ? h = !compareSha(d, c) : f && (h = !0);
+	else if (d && f) {
+		let n = semver.valid(d), r = semver.valid(f);
+		if (n && r) {
+			if (h = semver.lt(n, r), h) {
+				let e = semver.major(n);
+				g = semver.major(r) > e;
 			}
-			!l && semver.eq(r, a) && !isSha(e.version) && i && (l = !0, u = !1);
-		} else s !== c && (l = !0);
+			!h && semver.eq(n, r) && !isSha(e.version) && c && (h = !0, g = !1);
+		} else d !== f && (h = !0);
 	}
 	return {
-		currentVersion: e.version ?? "unknown",
-		latestVersion: r,
-		isBreaking: u,
-		latestSha: i,
-		hasUpdate: l,
-		action: e
+		currentVersion: u,
+		latestVersion: s,
+		publishedAt: l,
+		isBreaking: g,
+		skipReason: m,
+		latestSha: c,
+		hasUpdate: h,
+		action: e,
+		status: p
 	};
 }
-function compareSha(e, n) {
-	let r = e.replace(/^v/u, ""), i = n.replace(/^v/u, ""), a = Math.min(r.length, i.length);
-	return a < 7 ? !1 : r.slice(0, Math.max(0, a)).toLowerCase() === i.slice(0, Math.max(0, a)).toLowerCase();
+function compareSha(e, t) {
+	let n = e.replace(/^v/u, ""), r = t.replace(/^v/u, ""), i = Math.min(n.length, r.length);
+	return i < 7 ? !1 : n.slice(0, Math.max(0, i)).toLowerCase() === r.slice(0, Math.max(0, i)).toLowerCase();
 }
 function normalizeVersion(e) {
 	if (!e) return null;
-	let r = e.replace(/^v/u, "");
-	if (/^[0-9a-f]{7,40}$/iu.test(r)) return e;
-	let i = semver.coerce(r);
-	return i ? i.version : e;
+	let n = e.replace(/^v/u, "");
+	if (/^[0-9a-f]{7,40}$/iu.test(n)) return e;
+	let r = semver.coerce(n);
+	return r ? r.version : e;
 }
 function isSha(e) {
 	if (!e) return !1;
-	let n = e.replace(/^v/u, "");
-	return /^[0-9a-f]{7,40}$/iu.test(n);
+	let t = e.replace(/^v/u, "");
+	return /^[0-9a-f]{7,40}$/iu.test(t);
 }
 function isSemverLike(e) {
 	if (!e) return !1;
-	let n = e.trim();
-	return /^v?\d+(?:\.\d+){0,2}$/u.test(n);
+	let t = e.trim();
+	return /^v?\d+(?:\.\d+){0,2}$/u.test(t);
 }
 export { checkUpdates };

package/dist/core/ast/scanners/scan-composite-action-ast.js

@@ -11,6 +11,10 @@ function scanCompositeActionAst(a, o, s) {
 	let u = c.runs;
 	if (!u || !isCompositeActionRuns(u) || !u.steps || !Array.isArray(u.steps)) return [];
 	let d = findMapPair(l.value, "steps");
-	return d?.value ? extractUsesFromSteps(d.value, s, o) : [];
+	return d?.value ? extractUsesFromSteps({
+		stepsNode: d.value,
+		filePath: s,
+		content: o
+	}) : [];
 }
 export { scanCompositeActionAst };

package/dist/core/ast/scanners/scan-workflow-ast.d.ts

@@ -4,7 +4,8 @@ import { GitHubAction } from '../../../types/github-action';
  * Scans a parsed workflow YAML document for action references.
  *
  * Navigates AST structure `jobs -> <job> -> steps` and extracts `uses` entries
- * with corresponding line numbers.
+ * with corresponding line numbers. Also scans for job-level `uses` fields that
+ * indicate Reusable Workflows.
  *
  * @param document - Parsed YAML document of a workflow file.
  * @param content - Original file content.

package/dist/core/ast/scanners/scan-workflow-ast.js

@@ -1,19 +1,32 @@
 import { isWorkflowStructure } from "../../schema/workflow/is-workflow-structure.js";
+import { parseActionReference } from "../../parsing/parse-action-reference.js";
+import { getLineNumberForKey } from "../utils/get-line-number.js";
 import { isYAMLMap } from "../guards/is-yaml-map.js";
+import { isScalar } from "../guards/is-scalar.js";
 import { isNode } from "../guards/is-node.js";
 import { isPair } from "../guards/is-pair.js";
 import { extractUsesFromSteps } from "../utils/extract-uses-from-steps.js";
 import { findMapPair } from "../utils/find-map-pair.js";
-function scanWorkflowAst(o, s, c) {
-	if (!isWorkflowStructure(o.toJSON()) || !o.contents || !isYAMLMap(o.contents)) return [];
-	let l = findMapPair(o.contents, "jobs");
-	if (!l?.value || !isYAMLMap(l.value)) return [];
-	let u = [];
-	for (let e of l.value.items) {
+function scanWorkflowAst(l, u, d) {
+	if (!isWorkflowStructure(l.toJSON()) || !l.contents || !isYAMLMap(l.contents)) return [];
+	let f = findMapPair(l.contents, "jobs");
+	if (!f?.value || !isYAMLMap(f.value)) return [];
+	let p = [];
+	for (let e of f.value.items) {
 		if (!isPair(e) || !e.value || !isNode(e.value) || !isYAMLMap(e.value)) continue;
-		let o = findMapPair(e.value, "steps");
-		o?.value && u.push(...extractUsesFromSteps(o.value, c, s));
+		let l = isScalar(e.key) ? String(e.key.value) : void 0, f = findMapPair(e.value, "uses");
+		if (f?.value && f.key && isScalar(f.value)) {
+			let e = parseActionReference(String(f.value.value), d, getLineNumberForKey(u, f.key));
+			e && (l && (e.job = l), p.push(e));
+		}
+		let m = findMapPair(e.value, "steps");
+		m?.value && p.push(...extractUsesFromSteps({
+			stepsNode: m.value,
+			filePath: d,
+			content: u,
+			jobName: l
+		}));
 	}
-	return u;
+	return p;
 }
 export { scanWorkflowAst };

package/dist/core/ast/utils/extract-uses-from-steps.d.ts

@@ -1,13 +1,22 @@
 import { GitHubAction } from '../../../types/github-action';
+interface ExtractUsesOptions {
+    /** YAML sequence node containing workflow/action steps. */
+    stepsNode: unknown;
+    /** Path of the file being scanned (for metadata). */
+    filePath: string;
+    /** Name of the job containing these steps (for workflows). */
+    jobName?: string;
+    /** Original YAML file content (for line number calculation). */
+    content: string;
+}
 /**
  * Extracts GitHub Action references from a steps YAML sequence.
  *
  * Uses the AST to locate the 'uses' key for precise line numbers and the JSON
  * representation to validate the presence and type of the 'uses' field.
  *
- * @param stepsNode - YAML sequence node containing workflow/action steps.
- * @param filePath - Path of the file being scanned (for metadata).
- * @param content - Original YAML file content (for line number calculation).
+ * @param options - Options for extraction.
  * @returns List of discovered GitHub actions.
  */
-export declare function extractUsesFromSteps(stepsNode: unknown, filePath: string, content: string): GitHubAction[];
+export declare function extractUsesFromSteps(options: ExtractUsesOptions): GitHubAction[];
+export {};

package/dist/core/ast/utils/extract-uses-from-steps.js

@@ -5,18 +5,19 @@ import { isYAMLMap } from "../guards/is-yaml-map.js";
 import { isScalar } from "../guards/is-scalar.js";
 import { isNode } from "../guards/is-node.js";
 import { isPair } from "../guards/is-pair.js";
-function extractUsesFromSteps(s, c, l) {
-	if (!isYAMLSequence(s)) return [];
-	let u = [];
-	for (let o of s.items) {
+function extractUsesFromSteps(s) {
+	let { stepsNode: c, filePath: l, content: u, jobName: d } = s;
+	if (!isYAMLSequence(c)) return [];
+	let f = [];
+	for (let o of c.items) {
 		if (!isYAMLMap(o) || !isNode(o)) continue;
 		let s = o.toJSON();
 		if (typeof s != "object" || !s || Array.isArray(s)) continue;
-		let d = s;
-		if (typeof d.uses != "string") continue;
-		let f = o.items.find((e) => isPair(e) && isScalar(e.key) && e.key.value === "uses"), p = f?.key ? getLineNumberForKey(l, f.key) : 0, m = parseActionReference(d.uses, c, p);
-		m && u.push(m);
+		let c = s;
+		if (typeof c.uses != "string") continue;
+		let p = o.items.find((e) => isPair(e) && isScalar(e.key) && e.key.value === "uses"), m = p?.key ? getLineNumberForKey(u, p.key) : 0, h = parseActionReference(c.uses, l, m);
+		h && (d && (h.job = d), f.push(h));
 	}
-	return u;
+	return f;
 }
 export { extractUsesFromSteps };

package/dist/core/interactive/prompt-update-selection.d.ts

@@ -1,2 +1,7 @@
 import { ActionUpdate } from '../../types/action-update';
-export declare function promptUpdateSelection(updates: ActionUpdate[]): Promise<ActionUpdate[] | null>;
+interface PromptUpdateSelectionOptions {
+    /** Whether to show the Age column. */
+    showAge?: boolean;
+}
+export declare function promptUpdateSelection(updates: ActionUpdate[], options?: PromptUpdateSelectionOptions): Promise<ActionUpdate[] | null>;
+export {};

package/dist/core/interactive/prompt-update-selection.js

@@ -7,97 +7,118 @@ import pc from "picocolors";
 import { readFile } from "node:fs/promises";
 import enquirer from "enquirer";
 import path from "node:path";
-var MIN_ACTION_WIDTH = 56, MIN_CURRENT_WIDTH = 16;
-async function promptUpdateSelection(o) {
-	if (o.length === 0) return null;
-	let c = o.filter((e) => e.hasUpdate);
-	if (c.length === 0) return console.info(pc.green("✓ All actions are up to date!")), null;
-	let p = /* @__PURE__ */ new Map();
-	for (let [e, a] of c.entries()) {
-		let o = a.action.file ?? "unknown file", s = path.relative(path.join(process.cwd(), GITHUB_DIRECTORY), o);
-		s === "" && (s = o);
-		let c = p.get(s) ?? [];
-		c.push({
-			update: a,
+var MIN_ACTION_WIDTH = 40, MIN_JOB_WIDTH = 4, MIN_CURRENT_WIDTH = 16, MAX_VERSION_WIDTH = 7;
+async function promptUpdateSelection(l, g = {}) {
+	let { showAge: y = !1 } = g;
+	if (l.length === 0) return null;
+	let b = l.filter((e) => e.hasUpdate);
+	if (b.length === 0) return console.info(pc.green("✓ All actions are up to date!")), null;
+	let x = /* @__PURE__ */ new Map();
+	for (let [e, o] of b.entries()) {
+		let s = o.action.file ?? "unknown file", c = path.relative(path.join(process.cwd(), GITHUB_DIRECTORY), s);
+		c === "" && (c = s);
+		let l = x.get(c) ?? [];
+		l.push({
+			update: o,
 			index: e
-		}), p.set(s, c);
+		}), x.set(c, l);
 	}
-	let g = await Promise.all(c.map(async (e) => {
-		let i = formatVersionOrSha(e.currentVersion), a = e.currentVersion ?? void 0;
+	let S = await Promise.all(b.map(async (e) => {
+		let a = formatVersionOrSha(e.currentVersion), o = e.currentVersion ?? void 0, s = null, c = null;
 		if (!e.currentVersion || !isSha(e.currentVersion)) return {
-			effectiveForDiff: a,
-			display: i
+			versionForPadding: s,
+			effectiveForDiff: o,
+			shortSha: c,
+			display: a
 		};
-		let o = await tryReadInlineVersionComment(e.action.file, e.action.line);
-		if (o) {
-			let c = e.currentVersion.slice(0, 7);
-			i = `${formatVersionOrSha(o)} ${pc.gray(`(${c})`)}`, a = o;
-		}
-		return {
-			effectiveForDiff: a,
-			display: i
+		let l = await tryReadInlineVersionComment(e.action.file, e.action.line);
+		return l && (c = e.currentVersion.slice(0, 7), s = formatVersionOrSha(l), a = s, o = l), {
+			versionForPadding: s,
+			effectiveForDiff: o,
+			shortSha: c,
+			display: a
 		};
-	})), _ = [], v = stripAnsi("Action").length, y = stripAnsi("Current").length;
-	for (let [e, i] of c.entries()) {
-		let o = i.action.name, s = g[e].display;
-		v = Math.max(v, o.length), y = Math.max(y, stripAnsi(s).length);
+	})), C = [], w = stripAnsi("Action").length, T = stripAnsi("Current").length, E = stripAnsi("Job").length, D = 0, O = !1;
+	for (let [a, l] of b.entries()) {
+		let u = l.action.name, d = S[a], f = d.display, p = l.action.job ?? "–";
+		if (w = Math.max(w, u.length), T = Math.max(T, stripAnsi(f).length, d.versionForPadding && d.shortSha ? stripAnsi(`${padString(d.versionForPadding, D + 1)}${pc.gray(`(${d.shortSha})`)}`).length : 0), E = Math.max(E, p.length), l.latestVersion) {
+			let s = formatVersion(l.latestVersion, S[a]?.effectiveForDiff ?? l.currentVersion);
+			D = Math.max(D, stripAnsi(s).length);
+		}
+		let m = S[a]?.versionForPadding;
+		m && (D = Math.max(D, stripAnsi(m).length)), l.publishedAt && (O = !0);
 	}
-	let b = Math.max(v, MIN_ACTION_WIDTH), x = Math.max(y, MIN_CURRENT_WIDTH), S = [...p.keys()].toSorted();
-	for (let [i, a] of S.entries()) {
-		let o = p.get(a);
-		if (!o) {
-			console.warn(`Unexpected missing group for file: ${a}`);
+	let k = Math.max(w, MIN_ACTION_WIDTH), A = Math.max(T, MIN_CURRENT_WIDTH), j = Math.max(E, MIN_JOB_WIDTH), M = Math.min(D, MAX_VERSION_WIDTH), N = M + 1 + 9, P = y && O ? 6 : 0, F = [...x.keys()].toSorted();
+	for (let [a, o] of F.entries()) {
+		let l = x.get(o);
+		if (!l) {
+			console.warn(`Unexpected missing group for file: ${o}`);
 			continue;
 		}
-		let c = [], l = o;
-		c.push({
+		let u = [], d = l;
+		u.push({
 			current: "Current",
 			action: "Action",
 			target: "Target",
-			arrow: "❯"
+			arrow: "❯",
+			job: "Job",
+			age: "Age"
 		});
-		for (let { update: i, index: a } of l) {
-			let o = !!i.latestSha, l = g[a].display, u = g[a]?.effectiveForDiff ?? i.currentVersion, d = formatVersion(i.latestVersion, u), f = i.action.name;
-			if (i.latestSha) {
-				let e = i.latestSha.slice(0, 7);
-				d = `${d} ${pc.gray(`(${e})`)}`;
+		for (let { update: a, index: o } of d) {
+			let l = !!a.latestSha, d = S[o], f = d.display;
+			d.versionForPadding && d.shortSha && (f = `${padString(d.versionForPadding, M + 1)}${pc.gray(`(${d.shortSha})`)}`);
+			let p = d.effectiveForDiff ?? a.currentVersion, m = formatVersion(a.latestVersion, p), h = a.action.name;
+			if (a.latestSha) {
+				let e = a.latestSha.slice(0, 7);
+				m = `${padString(m, M + 1)}${pc.gray(`(${e})`)}`;
 			}
-			o || (d = pc.gray(d), l = pc.gray(l), f = pc.gray(f)), c.push({
-				action: f,
-				target: d,
+			l || (m = pc.gray(m), f = pc.gray(f), h = pc.gray(h));
+			let g = a.action.job ?? "–", _ = formatAge(a.publishedAt);
+			u.push({
+				job: l ? g : pc.gray(g),
+				age: l ? _ : pc.gray(_),
+				action: h,
+				target: m,
 				arrow: "❯",
-				current: l
+				current: f
 			});
 		}
-		let u = Math.max(b, MIN_ACTION_WIDTH), m = Math.max(x, MIN_CURRENT_WIDTH), h = [];
-		for (let [e, i] of c.entries()) {
-			let a = e === 0, o = formatTableRow(i, u, m);
-			if (a) h.push({
-				message: pc.gray(` ○ ${o}`),
+		let h = Math.max(k, MIN_ACTION_WIDTH), g = Math.max(A, MIN_CURRENT_WIDTH), _ = Math.max(j, MIN_JOB_WIDTH), v = [];
+		for (let [e, a] of u.entries()) {
+			let o = e === 0, s = formatTableRow({
+				targetWidth: N,
+				currentWidth: g,
+				actionWidth: h,
+				ageWidth: P,
+				jobWidth: _,
+				row: a
+			});
+			if (o) v.push({
+				message: pc.gray(` ○ ${s}`),
 				role: "separator",
 				indent: "",
 				name: ""
 			});
 			else {
-				let { update: i, index: a } = l[e - 1], s = !!i.latestSha, c = s && !i.isBreaking;
-				h.push({
-					message: o,
-					value: String(a),
-					name: String(a),
-					disabled: !s,
+				let { update: a, index: o } = d[e - 1], c = !!a.latestSha, l = c && !a.isBreaking;
+				v.push({
+					message: s,
+					value: String(o),
+					name: String(o),
+					disabled: !c,
 					indent: "",
-					enabled: c
+					enabled: l
 				});
 			}
 		}
-		_.push({
-			message: pc.gray(a),
-			value: `label|${a}`,
-			choices: h,
-			name: `label|${a}`,
+		C.push({
+			message: pc.gray(o),
+			value: `label|${o}`,
+			choices: v,
+			name: `label|${o}`,
 			isGroupLabel: !0,
 			enabled: !1
-		}), i < S.length - 1 && _.push({
+		}), a < F.length - 1 && C.push({
 			role: "separator",
 			message: " ",
 			name: ""
@@ -105,12 +126,12 @@ async function promptUpdateSelection(o) {
 	}
 	try {
 		let e = {
-			indicator(e, i) {
-				if (i.isGroupLabel) {
-					let e = (i.choices ?? []).filter((e) => !("role" in e)), a = e.length, o = e.filter((e) => !!e.enabled).length === a ? "●" : "○";
-					return ` ${pc.gray(o)}`;
+			indicator(e, a) {
+				if (a.isGroupLabel) {
+					let e = (a.choices ?? []).filter((e) => !("role" in e)), o = e.length, s = e.filter((e) => !!e.enabled).length === o ? "●" : "○";
+					return ` ${pc.gray(s)}`;
 				}
-				return `   ${i.enabled ? "●" : "○"}`;
+				return `   ${a.enabled ? "●" : "○"}`;
 			},
 			message: `Choose which actions to update (Press ${pc.cyan("<space>")} to select, ${pc.cyan("<a>")} to toggle all, ${pc.cyan("<i>")} to invert selection)`,
 			styles: {
@@ -131,46 +152,53 @@ async function promptUpdateSelection(o) {
 			type: "multiselect",
 			name: "selected",
 			pointer: "❯",
-			choices: _
-		}, { selected: i } = await enquirer.prompt(e), a = /* @__PURE__ */ new Set();
-		for (let e of i) {
+			choices: C
+		}, { selected: a } = await enquirer.prompt(e), o = /* @__PURE__ */ new Set();
+		for (let e of a) {
 			if (e.startsWith("label|")) {
-				let i = e.slice(6), o = p.get(i) ?? [];
-				for (let { update: e, index: i } of o) e.latestSha && a.add(i);
+				let a = e.slice(6), s = x.get(a) ?? [];
+				for (let { update: e, index: a } of s) e.latestSha && o.add(a);
 				continue;
 			}
-			let i = Number.parseInt(e, 10);
-			Number.isFinite(i) && a.add(i);
+			let a = Number.parseInt(e, 10);
+			Number.isFinite(a) && o.add(a);
 		}
-		let o = [];
-		for (let [e, i] of c.entries()) a.has(e) && i.latestSha && o.push(i);
-		return o.length === 0 ? (console.info(pc.yellow("\nNo actions selected")), null) : o;
+		let s = [];
+		for (let [e, a] of b.entries()) o.has(e) && a.latestSha && s.push(a);
+		return s.length === 0 ? (console.info(pc.yellow("\nNo actions selected")), null) : s;
 	} catch (e) {
 		if (e instanceof Error && (e.message.includes("cancelled") || e.message.includes("ESC") || e.name === "ExitPromptError")) return logSelectionCancelled(), null;
 		throw console.error(pc.red("Unexpected error during selection:"), e), e;
 	}
 }
-async function tryReadInlineVersionComment(e, i) {
+async function tryReadInlineVersionComment(e, a) {
 	try {
-		if (!e || !i || i <= 0) return null;
-		let a = (await readFile(e, "utf8")).split("\n"), o = i - 1;
-		if (o < 0 || o >= a.length) return null;
-		let s = a[o].match(/#\s*(?<version>[Vv]?\d+(?:\.\d+){0,2}(?:[+-][\w\-.]+)?)/u);
-		if (s?.groups?.version) return s.groups.version;
+		if (!e || !a || a <= 0) return null;
+		let o = (await readFile(e, "utf8")).split("\n"), s = a - 1;
+		if (s < 0 || s >= o.length) return null;
+		let c = o[s].match(/#\s*(?<version>[Vv]?\d+(?:\.\d+){0,2}(?:[+-][\w\-.]+)?)/u);
+		if (c?.groups?.version) return c.groups.version;
 	} catch {}
 	return null;
 }
-function formatTableRow(e, i, a) {
-	return [
-		padString(e.action, i),
-		padString(e.current, a),
-		e.arrow,
-		e.target
-	].join("  ").replace(/\s+$/u, "");
+function formatAge(e) {
+	if (!e) return "";
+	let a = Date.now() - e.getTime(), o = Math.floor(a / (1e3 * 60 * 60)), s = Math.floor(o / 24), c = Math.floor(s / 7), l = s % 7;
+	return c >= 1 ? l > 0 ? `${c}w ${l}d` : `${c}w` : s >= 1 ? `${s}d` : `${o}h`;
+}
+function formatTableRow(e) {
+	let { currentWidth: a, actionWidth: o, targetWidth: c, jobWidth: l, ageWidth: u, row: d } = e, f = [
+		padString(d.action, o),
+		padString(d.job, l),
+		padString(d.current, a),
+		d.arrow,
+		padString(d.target, c)
+	];
+	return u > 0 && f.push(d.age), f.join("  ").replace(/\s+$/u, "");
 }
 function isSha(e) {
-	let i = e.replace(/^v/u, "");
-	return /^[0-9a-f]{7,40}$/iu.test(i);
+	let a = e.replace(/^v/u, "");
+	return /^[0-9a-f]{7,40}$/iu.test(a);
 }
 function formatVersionOrSha(e) {
 	return e ? isSha(e) ? e.slice(0, 7) : e.replace(/^v/u, "") : pc.gray("unknown");

package/dist/core/parsing/parse-action-reference.js

@@ -24,7 +24,7 @@ function parseActionReference(e, t, n) {
 	if (!s || !c) return null;
 	for (let e of o.slice(2)) if (!e) return null;
 	return {
-		type: "external",
+		type: o.length > 2 && (i.endsWith(".yml") || i.endsWith(".yaml")) ? "reusable-workflow" : "external",
 		name: i,
 		version: a,
 		file: t,

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.5.0";
+const version = "1.7.0";
 export { version };

package/dist/types/action-update.d.ts

@@ -1,15 +1,24 @@
 import { GitHubAction } from './github-action';
 /** Update information for a GitHub Action. */
 export interface ActionUpdate {
+  /** Reason for skipping the update check. */
+  skipReason?: 'unknown' | 'branch'
+
   /** Current version string. */
   currentVersion: string | null
 
   /** Latest available version. */
   latestVersion: string | null
 
+  /** Status of the check for this action. */
+  status?: 'skipped' | 'ok'
+
   /** SHA hash of the latest version. */
   latestSha: string | null
 
+  /** Publication date of the latest version (null if unknown). */
+  publishedAt: Date | null
+
   /** The original action from scanning. */
   action: GitHubAction
 

package/dist/types/github-action.d.ts

@@ -1,7 +1,7 @@
 /** Represents a GitHub Action used in workflows or composite actions. */
 export interface GitHubAction {
   /** Type of the GitHub Action. */
-  type: 'composite' | 'external' | 'docker' | 'local'
+  type: 'reusable-workflow' | 'composite' | 'external' | 'docker' | 'local'
 
   /** Version or tag of the action (e.g., 'v1', 'main', commit SHA). */
   version?: string | null
@@ -15,6 +15,9 @@ export interface GitHubAction {
   /** Original `uses` string from workflow, if available. */
   uses?: string
 
+  /** Name of the job where this action is used (for workflows). */
+  job?: string
+
   /** Full name of the action (e.g., 'actions/checkout'). */
   name: string
 

package/dist/types/workflow-job.d.ts

@@ -1,6 +1,12 @@
 import { WorkflowStep } from './workflow-step';
 /** Represents a job in a GitHub Actions workflow. */
 export interface WorkflowJob {
+  /** Secrets passed to the reusable workflow ('inherit' or specific secrets). */
+  secrets?: Record<string, unknown> | 'inherit'
+
+  /** Input parameters passed to the reusable workflow. */
+  with?: Record<string, unknown>
+
   /** Runner environment(s) to execute this job on (e.g., 'ubuntu-latest'). */
   'runs-on'?: string[] | string
 
@@ -13,6 +19,9 @@ export interface WorkflowJob {
   /** Allow additional properties for job configuration. */
   [key: string]: unknown
 
+  /** Reusable workflow reference (mutually exclusive with 'steps'). */
+  uses?: string
+
   /** Conditional expression to determine if the job should run. */
   if?: string
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.5.0",
+  "version": "1.7.0",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",
@@ -41,7 +41,7 @@
     "nanospinner": "^1.2.2",
     "picocolors": "^1.1.1",
     "semver": "^7.7.3",
-    "yaml": "^2.8.1"
+    "yaml": "^2.8.2"
   },
   "engines": {
     "node": "^18.0.0 || >=20.0.0"

package/readme.md

@@ -19,6 +19,7 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
 ## Features
 
 - **Auto-discovery**: Scans all workflows (`.github/workflows/*.yml`) and composite actions (`.github/actions/*/action.yml`)
+- **Reusable Workflows**: Detects and updates reusable workflow calls at the job level
 - **SHA pinning**: Updates actions to use commit SHA instead of tags for better security
 - **Batch Updates**: Update multiple actions at once
 - **Interactive Selection**: Choose which actions to update
@@ -130,6 +131,10 @@ By default, Actions Up scans the `.github` directory. You can specify a differen
 npx actions-up --dir .gitea
 ```
 
+### Branch References
+
+By default, actions pinned to branch refs (e.g., `@main`, `@release/v1`) are skipped to avoid changing intentionally floating references. Skipped entries are listed in the output. To include them in update checks, pass `--include-branches`.
+
 ## GitHub Actions Integration
 
 ### Automated PR Checks
@@ -379,6 +384,8 @@ jobs:
 
 ## Example
 
+### Regular Actions
+
 ```yaml
 # Before
 - uses: actions/checkout@v3
@@ -389,6 +396,26 @@ jobs:
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 ```
 
+### Reusable Workflows
+
+Actions Up also detects and updates reusable workflow calls:
+
+```yaml
+# Before
+jobs:
+  call-workflow:
+    uses: org/repo/.github/workflows/ci.yml@v1.0.0
+    with:
+      config: production
+
+# After running actions-up
+jobs:
+  call-workflow:
+    uses: org/repo/.github/workflows/ci.yml@a1b2c3d4e5f6 # v2.0.0
+    with:
+      config: production
+```
+
 ## Advanced Usage
 
 ### Using GitHub Token for Higher Rate Limits
@@ -439,6 +466,17 @@ npx actions-up --exclude ".*/internal-.*" --exclude "/^acme\/.+$/i"
 npx actions-up --exclude "my-org/.*, .*/internal-.*"
 ```
 
+#### Filtering by Release Age
+
+By default, Actions Up shows all available updates. You can filter out recently released updates to avoid updating to versions that haven't been battle-tested yet:
+
+```bash
+# Only show updates released at least 7 days ago
+npx actions-up --min-age 7
+```
+
+When `--min-age` is set, an "Age" column appears showing how long ago each release was published (e.g., `3d`, `1w 2d`).
+
 #### Ignore Comments
 
 You can skip specific actions or files using YAML comments. Ignored items are hidden in dry-run and interactive modes and are not updated with `--yes`.