actions-up 1.6.0 → 1.8.0

package/dist/cli/index.js

@@ -10,57 +10,57 @@ import "node:worker_threads";
 import pc from "picocolors";
 import cac from "cac";
 function run() {
-	let l = cac("actions-up");
-	l.help().version(version).option("--dir <directory>", "Custom directory name (default: .github)").option("--dry-run", "Preview changes without applying them").option("--exclude <regex>", "Exclude actions by regex (repeatable)").option("--min-age <days>", "Minimum age in days for updates (default: 0)", { default: 0 }).option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (s) => {
+	let u = cac("actions-up");
+	u.help().version(version).option("--dir <directory>", "Custom directory name (default: .github)").option("--dry-run", "Preview changes without applying them").option("--exclude <regex>", "Exclude actions by regex (repeatable)").option("--include-branches", "Also check actions pinned to branches (default: false)").option("--min-age <days>", "Minimum age in days for updates (default: 0)", { default: 0 }).option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (c) => {
 		console.info(pc.cyan("\n🚀 Actions Up!\n"));
-		let c = createSpinner("Scanning GitHub Actions...").start();
+		let l = createSpinner("Scanning GitHub Actions...").start();
 		try {
-			let l = await scanGitHubActions(process.cwd(), s.dir), u = l.actions.length, d = l.workflows.size, f = l.compositeActions.size;
-			if (c.success(`Found ${pc.yellow(u)} actions in ${pc.yellow(d)} workflows and ${pc.yellow(f)} composite actions`), u === 0) {
+			let u = await scanGitHubActions(process.cwd(), c.dir), d = u.actions.length, f = u.workflows.size, p = u.compositeActions.size;
+			if (l.success(`Found ${pc.yellow(d)} actions in ${pc.yellow(f)} workflows and ${pc.yellow(p)} composite actions`), d === 0) {
 				console.info(pc.green("\n✨ No GitHub Actions found in this repository"));
 				return;
 			}
-			let p = l.actions, m = [];
-			Array.isArray(s.exclude) ? m.push(...s.exclude) : typeof s.exclude == "string" && m.push(s.exclude);
-			let h = m.flatMap((e) => e.split(",")).map((e) => e.trim()).filter(Boolean);
-			if (h.length > 0) {
-				let { parseExcludePatterns: e } = await import("../core/filters/parse-exclude-patterns.js"), a = e(h);
-				a.length > 0 && (p = p.filter((e) => {
+			let m = u.actions, h = [];
+			Array.isArray(c.exclude) ? h.push(...c.exclude) : typeof c.exclude == "string" && h.push(c.exclude);
+			let g = h.flatMap((e) => e.split(",")).map((e) => e.trim()).filter(Boolean);
+			if (g.length > 0) {
+				let { parseExcludePatterns: e } = await import("../core/filters/parse-exclude-patterns.js"), a = e(g);
+				a.length > 0 && (m = m.filter((e) => {
 					let { name: o } = e;
 					for (let e of a) if (e.test(o)) return !1;
 					return !0;
 				}));
 			}
-			if (c = createSpinner("Checking for updates...").start(), p.length === 0) {
-				c.success("No actions to check after excludes"), console.info(pc.green("\n✨ Nothing to check after excludes\n"));
+			if (l = createSpinner("Checking for updates...").start(), m.length === 0) {
+				l.success("No actions to check after excludes"), console.info(pc.green("\n✨ Nothing to check after excludes\n"));
 				return;
 			}
-			let g = await checkUpdates(p, process.env.GITHUB_TOKEN), _ = [];
-			await Promise.all(g.map(async (e) => {
-				await shouldIgnore(e.action.file, e.action.line) || _.push(e);
+			let _ = c.includeBranches ?? !1, v = await checkUpdates(m, process.env.GITHUB_TOKEN, { includeBranches: _ }), y = [];
+			await Promise.all(v.map(async (e) => {
+				await shouldIgnore(e.action.file, e.action.line) || y.push(e);
 			}));
-			let v = _.filter((e) => e.hasUpdate), y = s.minAge * 24 * 60 * 60 * 1e3, b = Date.now();
-			v = v.filter((e) => e.publishedAt ? b - e.publishedAt.getTime() >= y : !0);
-			let x = v.filter((e) => e.isBreaking);
-			if (v.length === 0) {
-				c.success("All actions are up to date!"), console.info(pc.green("\n✨ Everything is already at the latest version!\n"));
+			let b = y.filter((e) => e.status === "skipped"), x = y.filter((e) => e.hasUpdate), S = c.minAge * 24 * 60 * 60 * 1e3, C = Date.now();
+			x = x.filter((e) => e.publishedAt ? C - e.publishedAt.getTime() >= S : !0);
+			let w = x.filter((e) => e.isBreaking);
+			if (x.length === 0) {
+				l.success("All actions are up to date!"), b.length > 0 && printSkippedWarning(b, _), console.info(pc.green("\n✨ Everything is already at the latest version!\n"));
 				return;
 			}
-			if (c.success(`Found ${pc.yellow(v.length)} updates available${x.length > 0 ? ` (${pc.redBright(x.length)} breaking)` : ""}`), s.dryRun) {
+			if (l.success(`Found ${pc.yellow(x.length)} updates available${w.length > 0 ? ` (${pc.redBright(w.length)} breaking)` : ""}`), b.length > 0 && printSkippedWarning(b, _), c.dryRun) {
 				console.info(pc.yellow("\n📋 Dry Run - No changes will be made\n"));
-				for (let e of v) console.info(`${pc.cyan(e.action.file ?? "unknown")}:\n${e.action.name}: ${pc.redBright(e.currentVersion)} → ${pc.green(e.latestVersion)} ${e.latestSha ? pc.gray(`(${e.latestSha.slice(0, 7)})`) : ""}\n`);
-				console.info(pc.gray(`\n${v.length} actions would be updated\n`));
+				for (let e of x) console.info(`${pc.cyan(e.action.file ?? "unknown")}:\n${e.action.name}: ${pc.redBright(e.currentVersion)} → ${pc.green(e.latestVersion)} ${e.latestSha ? pc.gray(`(${e.latestSha.slice(0, 7)})`) : ""}\n`);
+				console.info(pc.gray(`\n${x.length} actions would be updated\n`));
 				return;
 			}
-			if (s.yes) {
-				let e = v.filter((e) => e.latestSha);
+			if (c.yes) {
+				let e = x.filter((e) => e.latestSha);
 				if (e.length === 0) {
 					console.info(pc.yellow("\n⚠️ No actions with SHA available for update\n"));
 					return;
 				}
 				console.info(pc.yellow(`\n🔄 Updating ${e.length} actions...\n`)), await applyUpdates(e), console.info(pc.green("\n✓ Updates applied successfully!"));
 			} else {
-				let o = await promptUpdateSelection(_, { showAge: s.minAge > 0 });
+				let o = await promptUpdateSelection(x, { showAge: c.minAge > 0 });
 				if (!o || o.length === 0) {
 					console.info(pc.gray("\nNo updates applied"));
 					return;
@@ -68,8 +68,17 @@ function run() {
 				console.info(pc.yellow(`\n🔄 Updating ${o.length} selected actions...\n`)), await applyUpdates(o), console.info(pc.green("\n✓ Updates applied successfully!"));
 			}
 		} catch (e) {
-			c.error("Failed"), e instanceof Error && e.name === "GitHubRateLimitError" ? (console.error(pc.yellow("\n⚠️ Rate Limit Exceeded\n")), console.error(e.message), console.error(pc.gray("\nExample: GITHUB_TOKEN=ghp_xxxx actions-up\n"))) : console.error(pc.redBright("\nError:"), e instanceof Error ? e.message : String(e)), process.exit(1);
+			l.error("Failed"), e instanceof Error && e.name === "GitHubRateLimitError" ? (console.error(pc.yellow("\n⚠️ Rate Limit Exceeded\n")), console.error(e.message), console.error(pc.gray("\nExample: GITHUB_TOKEN=ghp_xxxx actions-up\n"))) : console.error(pc.redBright("\nError:"), e instanceof Error ? e.message : String(e)), process.exit(1);
 		}
-	}), l.parse();
+	}), u.parse();
+}
+function printSkippedWarning(e, a) {
+	let o = new Intl.PluralRules("en-US", { type: "cardinal" }).select(e.length) === "one" ? "action" : "actions", s = a ? "" : " (use --include-branches to check them)";
+	console.info(pc.yellow(`\n⚠️  Skipped ${e.length} ${o} pinned to branches${s}`));
+	for (let a of e) {
+		let e = a.action.uses ?? `${a.action.name}@${a.currentVersion ?? "unknown"}`;
+		console.info(pc.gray(`   • ${e}`));
+	}
+	console.info("");
 }
 export { run };

package/dist/core/api/check-updates.d.ts

@@ -5,6 +5,9 @@ import { ActionUpdate } from '../../types/action-update';
  *
  * @param actions - Array of GitHub Actions to check.
  * @param token - Optional GitHub token for authentication.
+ * @param options - Additional options (e.g., include branch refs).
  * @returns Array of update information.
  */
-export declare function checkUpdates(actions: GitHubAction[], token?: string): Promise<ActionUpdate[]>;
+export declare function checkUpdates(actions: GitHubAction[], token?: string, options?: {
+    includeBranches?: boolean;
+}): Promise<ActionUpdate[]>;

package/dist/core/api/check-updates.js

@@ -1,18 +1,18 @@
 import { createGitHubClient } from "./create-github-client.js";
 import semver from "semver";
-async function checkUpdates(n, i) {
-	let c = createGitHubClient(i), l = n.filter((e) => e.type === "external" || e.type === "reusable-workflow");
-	if (l.length === 0) return [];
-	let u = /* @__PURE__ */ new Map();
-	for (let e of l) {
-		let t = u.get(e.name) ?? [];
-		t.push(e), u.set(e.name, t);
+async function checkUpdates(n, i, c) {
+	let l = createGitHubClient(i), u = c?.includeBranches ?? !1, d = n.filter((e) => e.type === "external" || e.type === "reusable-workflow");
+	if (d.length === 0) return [];
+	let f = /* @__PURE__ */ new Map();
+	for (let e of d) {
+		let t = f.get(e.name) ?? [];
+		t.push(e), f.set(e.name, t);
 	}
-	let d = {
+	let p = {
 		rateLimitError: null,
 		rateLimitHit: !1
-	}, f = await [...u.keys()].reduce((e, n) => e.then(async (e) => {
-		if (d.rateLimitHit) return [...e, {
+	}, m = await [...f.keys()].reduce((e, n) => e.then(async (e) => {
+		if (p.rateLimitHit) return [...e, {
 			publishedAt: null,
 			version: null,
 			actionName: n,
@@ -25,24 +25,26 @@ async function checkUpdates(n, i) {
 			actionName: n,
 			sha: null
 		}];
-		let [i, l] = r;
-		if (!i || !l) return [...e, {
+		let [i, c] = r;
+		if (!i || !c) return [...e, {
 			publishedAt: null,
 			version: null,
 			actionName: n,
 			sha: null
 		}];
 		try {
-			let r = u.get(n)[0]?.version;
-			if (r && !isSha(r) && !isSemverLike(r) && await c.getRefType(i, l, r) === "branch") return [...e, {
+			let r = f.get(n)[0]?.version;
+			if (r && !isSha(r) && !isSemverLike(r) && await l.getRefType(i, c, r) === "branch" && !u) return [...e, {
+				skipReason: "branch",
+				status: "skipped",
 				publishedAt: null,
 				version: null,
 				actionName: n,
 				sha: null
 			}];
-			let d = await c.getLatestRelease(i, l);
+			let d = await l.getLatestRelease(i, c);
 			if (!d) {
-				let e = await c.getAllReleases(i, l, 1);
+				let e = await l.getAllReleases(i, c, 1);
 				d = e.find((e) => !e.isPrerelease) ?? e[0] ?? null;
 			}
 			if (d) {
@@ -52,7 +54,7 @@ async function checkUpdates(n, i) {
 					f = !n || r || !i;
 				}
 				if (f) {
-					let r = await c.getAllTags(i, l, 30);
+					let r = await l.getAllTags(i, c, 30);
 					if (r.length > 0) {
 						let u = r.filter((e) => isSemverLike(e.tag)).map((e) => ({
 							v: semver.valid(normalizeVersion(e.tag)),
@@ -69,7 +71,7 @@ async function checkUpdates(n, i) {
 							if (!s || semver.gt(u[0].v, s) || semver.eq(u[0].v, s) && /\d+\.\d+/u.test(r.tag)) {
 								let t = r.tag, a = r.sha?.length ? r.sha : null;
 								if (!a && t) try {
-									a = await c.getTagSha(i, l, t);
+									a = await l.getTagSha(i, c, t);
 								} catch {}
 								return [...e, {
 									version: t,
@@ -82,18 +84,19 @@ async function checkUpdates(n, i) {
 					}
 				}
 				if (!u && o) try {
-					u = await c.getTagSha(i, l, o);
+					u = await l.getTagSha(i, c, o);
 				} catch {}
 				return [...e, {
+					status: "ok",
 					publishedAt: r,
 					actionName: n,
 					version: o,
 					sha: u
 				}];
 			}
-			let f = await c.getAllTags(i, l, 30);
-			if (f.length > 0) {
-				let r = f.filter((e) => isSemverLike(e.tag)).map((e) => ({
+			let p = await l.getAllTags(i, c, 30);
+			if (p.length > 0) {
+				let r = p.filter((e) => isSemverLike(e.tag)).map((e) => ({
 					v: semver.valid(normalizeVersion(e.tag)),
 					raw: e
 				})), o;
@@ -102,12 +105,13 @@ async function checkUpdates(n, i) {
 					if (r !== 0) return r;
 					let i = /\d+\.\d+/u.test(e.raw.tag) ? 1 : 0;
 					return (/\d+\.\d+/u.test(n.raw.tag) ? 1 : 0) - i;
-				}), o = r[0].raw) : o = f[0];
+				}), o = r[0].raw) : o = p[0];
 				let u = o.tag, d = o.sha?.length ? o.sha : null;
 				if (!d && u) try {
-					d = await c.getTagSha(i, l, u);
+					d = await l.getTagSha(i, c, u);
 				} catch {}
 				return [...e, {
+					status: "ok",
 					publishedAt: null,
 					actionName: n,
 					version: u,
@@ -121,7 +125,7 @@ async function checkUpdates(n, i) {
 				sha: null
 			}];
 		} catch (t) {
-			return t instanceof Error && t.name === "GitHubRateLimitError" ? (d.rateLimitHit = !0, d.rateLimitError = t, [...e, {
+			return t instanceof Error && t.name === "GitHubRateLimitError" ? (p.rateLimitHit = !0, p.rateLimitError = t, [...e, {
 				publishedAt: null,
 				version: null,
 				actionName: n,
@@ -134,52 +138,71 @@ async function checkUpdates(n, i) {
 			}]);
 		}
 	}), Promise.resolve([]));
-	if (d.rateLimitError) {
-		let e = !!(i ?? process.env.GITHUB_TOKEN), t = `${d.rateLimitError.message || "GitHub API rate limit exceeded."}\n${e ? "Wait for reset or reduce request rate." : "Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#using-github-token-for-higher-rate-limits"}`, n = Error(t);
+	if (p.rateLimitError) {
+		let e = !!(i ?? process.env.GITHUB_TOKEN), t = `${p.rateLimitError.message || "GitHub API rate limit exceeded."}\n${e ? "Wait for reset or reduce request rate." : "Please set GITHUB_TOKEN environment variable to increase the limit.\nSee: https://github.com/azat-io/actions-up?tab=readme-ov-file#using-github-token-for-higher-rate-limits"}`, n = Error(t);
 		throw n.name = "GitHubRateLimitError", n;
 	}
-	let p = /* @__PURE__ */ new Map();
-	for (let e of f) p.set(e.actionName, {
+	let h = /* @__PURE__ */ new Map();
+	for (let e of m) h.set(e.actionName, {
 		publishedAt: e.publishedAt,
+		actionName: e.actionName,
+		skipReason: e.skipReason,
 		version: e.version,
+		status: e.status,
 		sha: e.sha
 	});
-	let m = [];
-	for (let e of l) {
-		let t = p.get(e.name);
-		t ? m.push(createUpdate(e, {
+	let g = [];
+	for (let e of d) {
+		let t = h.get(e.name);
+		t ? g.push(createUpdate(e, {
 			publishedAt: t.publishedAt,
 			version: t.version,
 			sha: t.sha
-		})) : m.push(createUpdate(e, {
+		}, {
+			skipReason: t.skipReason,
+			status: t.status
+		})) : g.push(createUpdate(e, {
 			publishedAt: null,
 			version: null,
 			sha: null
 		}));
 	}
-	return m;
+	return g;
 }
-function createUpdate(e, n) {
-	let { version: r, sha: s, publishedAt: c } = n, l = normalizeVersion(e.version ?? ""), u = r ? normalizeVersion(r) : null, d = !1, f = !1;
-	if (l && isSha(l)) s ? d = !compareSha(l, s) : u && (d = !0);
-	else if (l && u) {
-		let n = semver.valid(l), r = semver.valid(u);
+function createUpdate(e, n, r = {}) {
+	let { version: s, sha: c, publishedAt: l } = n, u = e.version ?? "unknown", d = normalizeVersion(u), f = s ? normalizeVersion(s) : null, p = r.status ?? "ok", m = r.skipReason, h = !1, g = !1;
+	if (p === "skipped") return {
+		currentVersion: u,
+		isBreaking: !1,
+		hasUpdate: !1,
+		latestVersion: s,
+		publishedAt: l,
+		skipReason: m,
+		latestSha: c,
+		action: e,
+		status: p
+	};
+	if (d && isSha(d)) c ? h = !compareSha(d, c) : f && (h = !0);
+	else if (d && f) {
+		let n = semver.valid(d), r = semver.valid(f);
 		if (n && r) {
-			if (d = semver.lt(n, r), d) {
+			if (h = semver.lt(n, r), h) {
 				let e = semver.major(n);
-				f = semver.major(r) > e;
+				g = semver.major(r) > e;
 			}
-			!d && semver.eq(n, r) && !isSha(e.version) && s && (d = !0, f = !1);
-		} else l !== u && (d = !0);
+			!h && semver.eq(n, r) && !isSha(e.version) && c && (h = !0, g = !1);
+		} else d !== f && (h = !0);
 	}
 	return {
-		currentVersion: e.version ?? "unknown",
-		latestVersion: r,
-		publishedAt: c,
-		isBreaking: f,
-		latestSha: s,
-		hasUpdate: d,
-		action: e
+		currentVersion: u,
+		latestVersion: s,
+		publishedAt: l,
+		isBreaking: g,
+		skipReason: m,
+		latestSha: c,
+		hasUpdate: h,
+		action: e,
+		status: p
 	};
 }
 function compareSha(e, t) {

package/dist/core/ast/update/apply-updates.js

@@ -27,8 +27,11 @@ async function applyUpdates(n) {
 				console.error(`Invalid SHA format: ${e.latestSha}`);
 				continue;
 			}
-			let a = r ? String.raw`(?=[^\S\r\n]|$|#)` : "", o = new RegExp(String.raw`(^\s*-?\s*uses:\s*)(['"]?)(${n})@${r}\2${a}([^\S\r\n]*#[^\r\n]*)?`, "gm"), s = `$1$2$3@${e.latestSha}$2 # ${e.latestVersion}`;
-			i = i.replace(o, s);
+			let a = String.raw`['"]?\buses\b['"]?\s*:\s*`, o = String.raw`(?:^[^\S\n]*(?:-[^\S\n]*)?|[{\[,][^\S\n]*)` + a, s = new RegExp(String.raw`(?<prefix>${o})` + String.raw`(?<quote>['"]?)` + String.raw`(?<name>${n})@${r}` + String.raw`\k<quote>` + String.raw`(?<after>[ \t\]}{,]*)` + String.raw`(?<comment>[^\S\r\n]*#[^\r\n]*)?`, "gm");
+			i = i.replace(s, (t, ...n) => {
+				let i = n.at(-3), a = n.at(-2), o = n.at(-1), s = a.indexOf("\n", i + t.length), c = (s === -1 ? a.slice(i + t.length) : a.slice(i + t.length, s)).trim().length > 0, l = o.after.endsWith(" ") ? "" : " ", u = c && !o.comment && r !== "" ? "" : `${l}# ${e.latestVersion}`;
+				return `${`${o.prefix}${o.quote}${o.name}`}@${`${e.latestSha}${o.quote}${o.after}${u}`}`;
+			});
 		}
 		await writeFile(n, i, "utf8");
 	});

package/dist/core/interactive/prompt-update-selection.js

@@ -39,14 +39,14 @@ async function promptUpdateSelection(l, g = {}) {
 			display: a
 		};
 	})), C = [], w = stripAnsi("Action").length, T = stripAnsi("Current").length, E = stripAnsi("Job").length, D = 0, O = !1;
-	for (let [a, s] of b.entries()) {
-		let c = s.action.name, l = S[a].display, u = s.action.job ?? "–";
-		if (w = Math.max(w, c.length), T = Math.max(T, stripAnsi(l).length), E = Math.max(E, u.length), s.latestVersion) {
-			let c = formatVersion(s.latestVersion, S[a]?.effectiveForDiff ?? s.currentVersion);
-			D = Math.max(D, stripAnsi(c).length);
+	for (let [a, l] of b.entries()) {
+		let u = l.action.name, d = S[a], f = d.display, p = l.action.job ?? "–";
+		if (w = Math.max(w, u.length), T = Math.max(T, stripAnsi(f).length, d.versionForPadding && d.shortSha ? stripAnsi(`${padString(d.versionForPadding, D + 1)}${pc.gray(`(${d.shortSha})`)}`).length : 0), E = Math.max(E, p.length), l.latestVersion) {
+			let s = formatVersion(l.latestVersion, S[a]?.effectiveForDiff ?? l.currentVersion);
+			D = Math.max(D, stripAnsi(s).length);
 		}
-		let d = S[a]?.versionForPadding;
-		d && (D = Math.max(D, stripAnsi(d).length)), s.publishedAt && (O = !0);
+		let m = S[a]?.versionForPadding;
+		m && (D = Math.max(D, stripAnsi(m).length)), l.publishedAt && (O = !0);
 	}
 	let k = Math.max(w, MIN_ACTION_WIDTH), A = Math.max(T, MIN_CURRENT_WIDTH), j = Math.max(E, MIN_JOB_WIDTH), M = Math.min(D, MAX_VERSION_WIDTH), N = M + 1 + 9, P = y && O ? 6 : 0, F = [...x.keys()].toSorted();
 	for (let [a, o] of F.entries()) {

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.6.0";
+const version = "1.8.0";
 export { version };

package/dist/types/action-update.d.ts

@@ -1,12 +1,18 @@
 import { GitHubAction } from './github-action';
 /** Update information for a GitHub Action. */
 export interface ActionUpdate {
+  /** Reason for skipping the update check. */
+  skipReason?: 'unknown' | 'branch'
+
   /** Current version string. */
   currentVersion: string | null
 
   /** Latest available version. */
   latestVersion: string | null
 
+  /** Status of the check for this action. */
+  status?: 'skipped' | 'ok'
+
   /** SHA hash of the latest version. */
   latestSha: string | null
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.6.0",
+  "version": "1.8.0",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",
@@ -41,7 +41,7 @@
     "nanospinner": "^1.2.2",
     "picocolors": "^1.1.1",
     "semver": "^7.7.3",
-    "yaml": "^2.8.1"
+    "yaml": "^2.8.2"
   },
   "engines": {
     "node": "^18.0.0 || >=20.0.0"

package/readme.md

@@ -131,6 +131,10 @@ By default, Actions Up scans the `.github` directory. You can specify a differen
 npx actions-up --dir .gitea
 ```
 
+### Branch References
+
+By default, actions pinned to branch refs (e.g., `@main`, `@release/v1`) are skipped to avoid changing intentionally floating references. Skipped entries are listed in the output. To include them in update checks, pass `--include-branches`.
+
 ## GitHub Actions Integration
 
 ### Automated PR Checks