actions-up 1.9.0 → 1.10.0

package/dist/cli/index.js

@@ -1,4 +1,7 @@
+import { readInlineVersionComment } from "../core/versions/read-inline-version-comment.js";
+import { isSha } from "../core/versions/is-sha.js";
 import { promptUpdateSelection } from "../core/interactive/prompt-update-selection.js";
+import { getUpdateLevel } from "../core/versions/get-update-level.js";
 import { applyUpdates } from "../core/ast/update/apply-updates.js";
 import { shouldIgnore } from "../core/ignore/should-ignore.js";
 import { checkUpdates } from "../core/api/check-updates.js";
@@ -10,75 +13,106 @@ import "node:worker_threads";
 import pc from "picocolors";
 import cac from "cac";
 function run() {
-	let u = cac("actions-up");
-	u.help().version(version).option("--dir <directory>", "Custom directory name (default: .github)").option("--dry-run", "Preview changes without applying them").option("--exclude <regex>", "Exclude actions by regex (repeatable)").option("--include-branches", "Also check actions pinned to branches (default: false)").option("--min-age <days>", "Minimum age in days for updates (default: 0)", { default: 0 }).option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (c) => {
+	let h = cac("actions-up");
+	h.help().version(version).option("--dir <directory>", "Custom directory name (default: .github)").option("--dry-run", "Preview changes without applying them").option("--exclude <regex>", "Exclude actions by regex (repeatable)").option("--include-branches", "Also check actions pinned to branches (default: false)").option("--min-age <days>", "Minimum age in days for updates (default: 0)", { default: 0 }).option("--mode <mode>", "Update mode: major, minor, or patch (default: major)", { default: "major" }).option("--yes, -y", "Skip all confirmations").command("", "Update GitHub Actions").action(async (p) => {
 		console.info(pc.cyan("\n🚀 Actions Up!\n"));
-		let l = createSpinner("Scanning GitHub Actions...").start();
+		let m = createSpinner("Scanning GitHub Actions...").start();
 		try {
-			let u = await scanGitHubActions(process.cwd(), c.dir), d = u.actions.length, f = u.workflows.size, p = u.compositeActions.size;
-			if (l.success(`Found ${pc.yellow(d)} actions in ${pc.yellow(f)} workflows and ${pc.yellow(p)} composite actions`), d === 0) {
+			let h = await scanGitHubActions(process.cwd(), p.dir), g = h.actions.length, _ = h.workflows.size, v = h.compositeActions.size;
+			if (m.success(`Found ${pc.yellow(g)} actions in ${pc.yellow(_)} workflows and ${pc.yellow(v)} composite actions`), g === 0) {
 				console.info(pc.green("\n✨ No GitHub Actions found in this repository"));
 				return;
 			}
-			let m = u.actions, h = [];
-			Array.isArray(c.exclude) ? h.push(...c.exclude) : typeof c.exclude == "string" && h.push(c.exclude);
-			let g = h.flatMap((e) => e.split(",")).map((e) => e.trim()).filter(Boolean);
-			if (g.length > 0) {
-				let { parseExcludePatterns: e } = await import("../core/filters/parse-exclude-patterns.js"), a = e(g);
-				a.length > 0 && (m = m.filter((e) => {
-					let { name: o } = e;
-					for (let e of a) if (e.test(o)) return !1;
+			let y = h.actions, b = [];
+			Array.isArray(p.exclude) ? b.push(...p.exclude) : typeof p.exclude == "string" && b.push(p.exclude);
+			let x = b.flatMap((e) => e.split(",")).map((e) => e.trim()).filter(Boolean);
+			if (x.length > 0) {
+				let { parseExcludePatterns: e } = await import("../core/filters/parse-exclude-patterns.js"), s = e(x);
+				s.length > 0 && (y = y.filter((e) => {
+					let { name: c } = e;
+					for (let e of s) if (e.test(c)) return !1;
 					return !0;
 				}));
 			}
-			if (l = createSpinner("Checking for updates...").start(), m.length === 0) {
-				l.success("No actions to check after excludes"), console.info(pc.green("\n✨ Nothing to check after excludes\n"));
+			if (m = createSpinner("Checking for updates...").start(), y.length === 0) {
+				m.success("No actions to check after excludes"), console.info(pc.green("\n✨ Nothing to check after excludes\n"));
 				return;
 			}
-			let _ = c.includeBranches ?? !1, v = await checkUpdates(m, process.env.GITHUB_TOKEN, { includeBranches: _ }), y = [];
-			await Promise.all(v.map(async (e) => {
-				await shouldIgnore(e.action.file, e.action.line) || y.push(e);
+			let S = p.includeBranches ?? !1, C = await checkUpdates(y, process.env.GITHUB_TOKEN, { includeBranches: S }), w = [];
+			await Promise.all(C.map(async (e) => {
+				await shouldIgnore(e.action.file, e.action.line) || w.push(e);
 			}));
-			let b = y.filter((e) => e.status === "skipped"), x = y.filter((e) => e.hasUpdate), S = c.minAge * 24 * 60 * 60 * 1e3, C = Date.now();
-			x = x.filter((e) => e.publishedAt ? C - e.publishedAt.getTime() >= S : !0);
-			let w = x.filter((e) => e.isBreaking);
-			if (x.length === 0) {
-				l.success("All actions are up to date!"), b.length > 0 && printSkippedWarning(b, _), console.info(pc.green("\n✨ Everything is already at the latest version!\n"));
+			let T = w.filter((e) => e.status === "skipped"), E = w.filter((e) => e.hasUpdate), D = p.minAge * 24 * 60 * 60 * 1e3, O = Date.now();
+			E = E.filter((e) => e.publishedAt ? O - e.publishedAt.getTime() >= D : !0);
+			let k = normalizeUpdateMode(p.mode), A = [];
+			if (k !== "major") {
+				let c = /* @__PURE__ */ new Map(), u = await Promise.all(E.map(async (u) => {
+					let d = u.currentVersion;
+					if (isSha(u.currentVersion)) {
+						let s = await readInlineVersionComment(u.action.file, u.action.line, c);
+						s && (d = s);
+					}
+					let f = getUpdateLevel(d, u.latestVersion);
+					return {
+						allowed: k === "minor" ? f === "minor" || f === "patch" || f === "none" : f === "patch" || f === "none",
+						update: u
+					};
+				})), d = [];
+				for (let e of u) e.allowed ? d.push(e.update) : A.push(e.update);
+				E = d;
+			}
+			let j = E.filter((e) => e.isBreaking);
+			if (E.length === 0) {
+				m.success("All actions are up to date!"), T.length > 0 && printSkippedWarning(T, S), A.length > 0 && printModeWarning(A, k), console.info(pc.green("\n✨ Everything is already at the latest version!\n"));
 				return;
 			}
-			if (l.success(`Found ${pc.yellow(x.length)} updates available${w.length > 0 ? ` (${pc.redBright(w.length)} breaking)` : ""}`), b.length > 0 && printSkippedWarning(b, _), c.dryRun) {
+			if (m.success(`Found ${pc.yellow(E.length)} updates available${j.length > 0 ? ` (${pc.redBright(j.length)} breaking)` : ""}`), T.length > 0 && printSkippedWarning(T, S), A.length > 0 && printModeWarning(A, k), p.dryRun) {
 				console.info(pc.yellow("\n📋 Dry Run - No changes will be made\n"));
-				for (let e of x) console.info(`${pc.cyan(e.action.file ?? "unknown")}:\n${e.action.name}: ${pc.redBright(e.currentVersion)} → ${pc.green(e.latestVersion)} ${e.latestSha ? pc.gray(`(${e.latestSha.slice(0, 7)})`) : ""}\n`);
-				console.info(pc.gray(`\n${x.length} actions would be updated\n`));
+				for (let e of E) console.info(`${pc.cyan(e.action.file ?? "unknown")}:\n${e.action.name}: ${pc.redBright(e.currentVersion)} → ${pc.green(e.latestVersion)} ${e.latestSha ? pc.gray(`(${e.latestSha.slice(0, 7)})`) : ""}\n`);
+				console.info(pc.gray(`\n${E.length} actions would be updated\n`));
 				return;
 			}
-			if (c.yes) {
-				let e = x.filter((e) => e.latestSha);
+			if (p.yes) {
+				let e = E.filter((e) => e.latestSha);
 				if (e.length === 0) {
 					console.info(pc.yellow("\n⚠️ No actions with SHA available for update\n"));
 					return;
 				}
 				console.info(pc.yellow(`\n🔄 Updating ${e.length} actions...\n`)), await applyUpdates(e), console.info(pc.green("\n✓ Updates applied successfully!"));
 			} else {
-				let o = await promptUpdateSelection(x, { showAge: c.minAge > 0 });
-				if (!o || o.length === 0) {
+				(T.length > 0 || A.length > 0) && console.info("");
+				let e = await promptUpdateSelection(E, { showAge: p.minAge > 0 });
+				if (!e || e.length === 0) {
 					console.info(pc.gray("\nNo updates applied"));
 					return;
 				}
-				console.info(pc.yellow(`\n🔄 Updating ${o.length} selected actions...\n`)), await applyUpdates(o), console.info(pc.green("\n✓ Updates applied successfully!"));
+				console.info(pc.yellow(`\n🔄 Updating ${e.length} selected actions...\n`)), await applyUpdates(e), console.info(pc.green("\n✓ Updates applied successfully!"));
 			}
 		} catch (e) {
-			l.error("Failed"), e instanceof Error && e.name === "GitHubRateLimitError" ? (console.error(pc.yellow("\n⚠️ Rate Limit Exceeded\n")), console.error(e.message), console.error(pc.gray("\nExample: GITHUB_TOKEN=ghp_xxxx actions-up\n"))) : console.error(pc.redBright("\nError:"), e instanceof Error ? e.message : String(e)), process.exit(1);
+			m.error("Failed"), e instanceof Error && e.name === "GitHubRateLimitError" ? (console.error(pc.yellow("\n⚠️ Rate Limit Exceeded\n")), console.error(e.message), console.error(pc.gray("\nExample: GITHUB_TOKEN=ghp_xxxx actions-up\n"))) : console.error(pc.redBright("\nError:"), e instanceof Error ? e.message : String(e)), process.exit(1);
 		}
-	}), u.parse();
+	}), h.parse();
 }
-function printSkippedWarning(e, a) {
-	let o = new Intl.PluralRules("en-US", { type: "cardinal" }).select(e.length) === "one" ? "action" : "actions", s = a ? "" : " (use --include-branches to check them)";
-	console.info(pc.yellow(`\n⚠️  Skipped ${e.length} ${o} pinned to branches${s}`));
-	for (let a of e) {
-		let e = a.action.uses ?? `${a.action.name}@${a.currentVersion ?? "unknown"}`;
+function printModeWarning(e, s) {
+	if (e.length === 0) return;
+	let c = new Intl.PluralRules("en-US", { type: "cardinal" }).select(e.length) === "one" ? "action" : "actions", l = s === "minor" ? "major" : "major/minor";
+	console.info(pc.yellow(`\n⚠️  Skipped ${e.length} ${c} due to ${l} updates`));
+	for (let s of e) {
+		let e = s.action.uses ?? `${s.action.name}@${s.currentVersion ?? "unknown"}`;
 		console.info(pc.gray(`   • ${e}`));
 	}
-	console.info("");
+}
+function printSkippedWarning(e, s) {
+	let c = new Intl.PluralRules("en-US", { type: "cardinal" }).select(e.length) === "one" ? "action" : "actions", l = s ? "" : " (use --include-branches to check them)";
+	console.info(pc.yellow(`\n⚠️  Skipped ${e.length} ${c} pinned to branches${l}`));
+	for (let s of e) {
+		let e = s.action.uses ?? `${s.action.name}@${s.currentVersion ?? "unknown"}`;
+		console.info(pc.gray(`   • ${e}`));
+	}
+}
+function normalizeUpdateMode(e) {
+	let s = (e ?? "major").toLowerCase();
+	if (s === "major" || s === "minor" || s === "patch") return s;
+	throw Error(`Invalid mode "${e}". Expected "major", "minor", or "patch".`);
 }
 export { run };

package/dist/core/interactive/prompt-update-selection.js

@@ -1,62 +1,63 @@
+import { readInlineVersionComment } from "../versions/read-inline-version-comment.js";
 import { formatVersion } from "./format-version.js";
 import { GITHUB_DIRECTORY } from "../constants.js";
+import { isSha } from "../versions/is-sha.js";
 import { stripAnsi } from "./strip-ansi.js";
 import { padString } from "./pad-string.js";
 import "node:worker_threads";
 import pc from "picocolors";
-import { readFile } from "node:fs/promises";
 import enquirer from "enquirer";
 import path from "node:path";
 var MIN_ACTION_WIDTH = 40, MIN_JOB_WIDTH = 4, MIN_CURRENT_WIDTH = 16, MAX_VERSION_WIDTH = 7;
-async function promptUpdateSelection(l, g = {}) {
-	let { showAge: y = !1 } = g;
-	if (l.length === 0) return null;
-	let b = l.filter((e) => e.hasUpdate);
+async function promptUpdateSelection(g, v = {}) {
+	let { showAge: y = !1 } = v;
+	if (g.length === 0) return null;
+	let b = g.filter((t) => t.hasUpdate);
 	if (b.length === 0) return console.info(pc.green("✓ All actions are up to date!")), null;
 	let x = /* @__PURE__ */ new Map();
-	for (let [e, o] of b.entries()) {
-		let s = o.action.file ?? "unknown file", c = path.relative(path.join(process.cwd(), GITHUB_DIRECTORY), s);
-		c === "" && (c = s);
-		let l = x.get(c) ?? [];
-		l.push({
-			update: o,
-			index: e
-		}), x.set(c, l);
+	for (let [t, i] of b.entries()) {
+		let o = i.action.file ?? "unknown file", s = path.relative(path.join(process.cwd(), GITHUB_DIRECTORY), o);
+		s === "" && (s = o);
+		let c = x.get(s) ?? [];
+		c.push({
+			update: i,
+			index: t
+		}), x.set(s, c);
 	}
-	let S = await Promise.all(b.map(async (e) => {
-		let a = formatVersionOrSha(e.currentVersion), o = e.currentVersion ?? void 0, s = null, c = null;
-		if (!e.currentVersion || !isSha(e.currentVersion)) return {
-			versionForPadding: s,
-			effectiveForDiff: o,
-			shortSha: c,
+	let S = await Promise.all(b.map(async (i) => {
+		let a = formatVersionOrSha(i.currentVersion), s = i.currentVersion ?? void 0, c = null, l = null;
+		if (!i.currentVersion || !isSha(i.currentVersion)) return {
+			versionForPadding: c,
+			effectiveForDiff: s,
+			shortSha: l,
 			display: a
 		};
-		let l = await tryReadInlineVersionComment(e.action.file, e.action.line);
-		return l && (c = e.currentVersion.slice(0, 7), s = formatVersionOrSha(l), a = s, o = l), {
-			versionForPadding: s,
-			effectiveForDiff: o,
-			shortSha: c,
+		let u = await readInlineVersionComment(i.action.file, i.action.line);
+		return u && (l = i.currentVersion.slice(0, 7), c = formatVersionOrSha(u), a = c, s = u), {
+			versionForPadding: c,
+			effectiveForDiff: s,
+			shortSha: l,
 			display: a
 		};
 	})), C = [], w = stripAnsi("Action").length, T = stripAnsi("Current").length, E = stripAnsi("Job").length, D = 0, O = !1;
-	for (let [a, l] of b.entries()) {
-		let u = l.action.name, d = S[a], f = d.display, p = l.action.job ?? "–";
-		if (w = Math.max(w, u.length), T = Math.max(T, stripAnsi(f).length, d.versionForPadding && d.shortSha ? stripAnsi(`${padString(d.versionForPadding, D + 1)}${pc.gray(`(${d.shortSha})`)}`).length : 0), E = Math.max(E, p.length), l.latestVersion) {
-			let s = formatVersion(l.latestVersion, S[a]?.effectiveForDiff ?? l.currentVersion);
-			D = Math.max(D, stripAnsi(s).length);
+	for (let [t, a] of b.entries()) {
+		let o = a.action.name, u = S[t], d = u.display, f = a.action.job ?? "–";
+		if (w = Math.max(w, o.length), T = Math.max(T, stripAnsi(d).length, u.versionForPadding && u.shortSha ? stripAnsi(`${padString(u.versionForPadding, D + 1)}${pc.gray(`(${u.shortSha})`)}`).length : 0), E = Math.max(E, f.length), a.latestVersion) {
+			let o = formatVersion(a.latestVersion, S[t]?.effectiveForDiff ?? a.currentVersion);
+			D = Math.max(D, stripAnsi(o).length);
 		}
-		let m = S[a]?.versionForPadding;
-		m && (D = Math.max(D, stripAnsi(m).length)), l.publishedAt && (O = !0);
+		let p = S[t]?.versionForPadding;
+		p && (D = Math.max(D, stripAnsi(p).length)), a.publishedAt && (O = !0);
 	}
 	let k = Math.max(w, MIN_ACTION_WIDTH), A = Math.max(T, MIN_CURRENT_WIDTH), j = Math.max(E, MIN_JOB_WIDTH), M = Math.min(D, MAX_VERSION_WIDTH), N = M + 1 + 9, P = y && O ? 6 : 0, F = [...x.keys()].toSorted();
-	for (let [a, o] of F.entries()) {
-		let l = x.get(o);
-		if (!l) {
-			console.warn(`Unexpected missing group for file: ${o}`);
+	for (let [t, a] of F.entries()) {
+		let o = x.get(a);
+		if (!o) {
+			console.warn(`Unexpected missing group for file: ${a}`);
 			continue;
 		}
-		let u = [], d = l;
-		u.push({
+		let s = [], u = o;
+		s.push({
 			current: "Current",
 			action: "Action",
 			target: "Target",
@@ -64,74 +65,74 @@ async function promptUpdateSelection(l, g = {}) {
 			job: "Job",
 			age: "Age"
 		});
-		for (let { update: a, index: o } of d) {
-			let l = !!a.latestSha, d = S[o], f = d.display;
-			d.versionForPadding && d.shortSha && (f = `${padString(d.versionForPadding, M + 1)}${pc.gray(`(${d.shortSha})`)}`);
-			let p = d.effectiveForDiff ?? a.currentVersion, m = formatVersion(a.latestVersion, p), h = a.action.name;
-			if (a.latestSha) {
-				let e = a.latestSha.slice(0, 7);
-				m = `${padString(m, M + 1)}${pc.gray(`(${e})`)}`;
+		for (let { update: t, index: a } of u) {
+			let o = !!t.latestSha, u = S[a], d = u.display;
+			u.versionForPadding && u.shortSha && (d = `${padString(u.versionForPadding, M + 1)}${pc.gray(`(${u.shortSha})`)}`);
+			let f = u.effectiveForDiff ?? t.currentVersion, p = formatVersion(t.latestVersion, f), m = t.action.name;
+			if (t.latestSha) {
+				let i = t.latestSha.slice(0, 7);
+				p = `${padString(p, M + 1)}${pc.gray(`(${i})`)}`;
 			}
-			l || (m = pc.gray(m), f = pc.gray(f), h = pc.gray(h));
-			let g = a.action.job ?? "–", _ = formatAge(a.publishedAt);
-			u.push({
-				job: l ? g : pc.gray(g),
-				age: l ? _ : pc.gray(_),
-				action: h,
-				target: m,
+			o || (p = pc.gray(p), d = pc.gray(d), m = pc.gray(m));
+			let h = t.action.job ?? "–", g = formatAge(t.publishedAt);
+			s.push({
+				job: o ? h : pc.gray(h),
+				age: o ? g : pc.gray(g),
+				action: m,
+				target: p,
 				arrow: "❯",
-				current: f
+				current: d
 			});
 		}
-		let h = Math.max(k, MIN_ACTION_WIDTH), g = Math.max(A, MIN_CURRENT_WIDTH), _ = Math.max(j, MIN_JOB_WIDTH), v = [];
-		for (let [e, a] of u.entries()) {
-			let o = e === 0, s = formatTableRow({
+		let d = Math.max(k, MIN_ACTION_WIDTH), h = Math.max(A, MIN_CURRENT_WIDTH), g = Math.max(j, MIN_JOB_WIDTH), _ = [];
+		for (let [t, i] of s.entries()) {
+			let a = t === 0, o = formatTableRow({
 				targetWidth: N,
-				currentWidth: g,
-				actionWidth: h,
+				currentWidth: h,
+				actionWidth: d,
 				ageWidth: P,
-				jobWidth: _,
-				row: a
+				jobWidth: g,
+				row: i
 			});
-			if (o) v.push({
-				message: pc.gray(` ○ ${s}`),
+			if (a) _.push({
+				message: pc.gray(` ○ ${o}`),
 				role: "separator",
 				indent: "",
 				name: ""
 			});
 			else {
-				let { update: a, index: o } = d[e - 1], c = !!a.latestSha, l = c && !a.isBreaking;
-				v.push({
-					message: s,
-					value: String(o),
-					name: String(o),
-					disabled: !c,
+				let { update: i, index: a } = u[t - 1], s = !!i.latestSha, c = s && !i.isBreaking;
+				_.push({
+					message: o,
+					value: String(a),
+					name: String(a),
+					disabled: !s,
 					indent: "",
-					enabled: l
+					enabled: c
 				});
 			}
 		}
 		C.push({
-			message: pc.gray(o),
-			value: `label|${o}`,
-			choices: v,
-			name: `label|${o}`,
+			message: pc.gray(a),
+			value: `label|${a}`,
+			choices: _,
+			name: `label|${a}`,
 			isGroupLabel: !0,
 			enabled: !1
-		}), a < F.length - 1 && C.push({
+		}), t < F.length - 1 && C.push({
 			role: "separator",
 			message: " ",
 			name: ""
 		});
 	}
 	try {
-		let e = {
-			indicator(e, a) {
-				if (a.isGroupLabel) {
-					let e = (a.choices ?? []).filter((e) => !("role" in e)), o = e.length, s = e.filter((e) => !!e.enabled).length === o ? "●" : "○";
-					return ` ${pc.gray(s)}`;
+		let t = {
+			indicator(t, i) {
+				if (i.isGroupLabel) {
+					let t = (i.choices ?? []).filter((t) => !("role" in t)), a = t.length, o = t.filter((t) => !!t.enabled).length === a ? "●" : "○";
+					return ` ${pc.gray(o)}`;
 				}
-				return `   ${a.enabled ? "●" : "○"}`;
+				return `   ${i.enabled ? "●" : "○"}`;
 			},
 			message: `Choose which actions to update (Press ${pc.cyan("<space>")} to select, ${pc.cyan("<a>")} to toggle all, ${pc.cyan("<i>")} to invert selection)`,
 			styles: {
@@ -153,55 +154,41 @@ async function promptUpdateSelection(l, g = {}) {
 			name: "selected",
 			pointer: "❯",
 			choices: C
-		}, { selected: a } = await enquirer.prompt(e), o = /* @__PURE__ */ new Set();
-		for (let e of a) {
-			if (e.startsWith("label|")) {
-				let a = e.slice(6), s = x.get(a) ?? [];
-				for (let { update: e, index: a } of s) e.latestSha && o.add(a);
+		}, { selected: i } = await enquirer.prompt(t), a = /* @__PURE__ */ new Set();
+		for (let t of i) {
+			if (t.startsWith("label|")) {
+				let i = t.slice(6), o = x.get(i) ?? [];
+				for (let { update: t, index: i } of o) t.latestSha && a.add(i);
 				continue;
 			}
-			let a = Number.parseInt(e, 10);
-			Number.isFinite(a) && o.add(a);
+			let i = Number.parseInt(t, 10);
+			Number.isFinite(i) && a.add(i);
 		}
-		let s = [];
-		for (let [e, a] of b.entries()) o.has(e) && a.latestSha && s.push(a);
-		return s.length === 0 ? (console.info(pc.yellow("\nNo actions selected")), null) : s;
-	} catch (e) {
-		if (e instanceof Error && (e.message.includes("cancelled") || e.message.includes("ESC") || e.name === "ExitPromptError")) return logSelectionCancelled(), null;
-		throw console.error(pc.red("Unexpected error during selection:"), e), e;
+		let o = [];
+		for (let [t, i] of b.entries()) a.has(t) && i.latestSha && o.push(i);
+		return o.length === 0 ? (console.info(pc.yellow("\nNo actions selected")), null) : o;
+	} catch (t) {
+		if (t instanceof Error && (t.message.includes("cancelled") || t.message.includes("ESC") || t.name === "ExitPromptError")) return logSelectionCancelled(), null;
+		throw console.error(pc.red("Unexpected error during selection:"), t), t;
 	}
 }
-async function tryReadInlineVersionComment(e, a) {
-	try {
-		if (!e || !a || a <= 0) return null;
-		let o = (await readFile(e, "utf8")).split("\n"), s = a - 1;
-		if (s < 0 || s >= o.length) return null;
-		let c = o[s].match(/#\s*(?<version>[Vv]?\d+(?:\.\d+){0,2}(?:[+-][\w\-.]+)?)/u);
-		if (c?.groups?.version) return c.groups.version;
-	} catch {}
-	return null;
-}
-function formatAge(e) {
-	if (!e) return "";
-	let a = Date.now() - e.getTime(), o = Math.floor(a / (1e3 * 60 * 60)), s = Math.floor(o / 24), c = Math.floor(s / 7), l = s % 7;
-	return c >= 1 ? l > 0 ? `${c}w ${l}d` : `${c}w` : s >= 1 ? `${s}d` : `${o}h`;
+function formatAge(t) {
+	if (!t) return "";
+	let i = Date.now() - t.getTime(), a = Math.floor(i / (1e3 * 60 * 60)), o = Math.floor(a / 24), s = Math.floor(o / 7), c = o % 7;
+	return s >= 1 ? c > 0 ? `${s}w ${c}d` : `${s}w` : o >= 1 ? `${o}d` : `${a}h`;
 }
-function formatTableRow(e) {
-	let { currentWidth: a, actionWidth: o, targetWidth: c, jobWidth: l, ageWidth: u, row: d } = e, f = [
-		padString(d.action, o),
-		padString(d.job, l),
-		padString(d.current, a),
-		d.arrow,
-		padString(d.target, c)
+function formatTableRow(t) {
+	let { currentWidth: i, actionWidth: a, targetWidth: o, jobWidth: s, ageWidth: l, row: u } = t, d = [
+		padString(u.action, a),
+		padString(u.job, s),
+		padString(u.current, i),
+		u.arrow,
+		padString(u.target, o)
 	];
-	return u > 0 && f.push(d.age), f.join("  ").replace(/\s+$/u, "");
-}
-function isSha(e) {
-	let a = e.replace(/^v/u, "");
-	return /^[0-9a-f]{7,40}$/iu.test(a);
+	return l > 0 && d.push(u.age), d.join("  ").replace(/\s+$/u, "");
 }
-function formatVersionOrSha(e) {
-	return e ? isSha(e) ? e.slice(0, 7) : e.replace(/^v/u, "") : pc.gray("unknown");
+function formatVersionOrSha(t) {
+	return t ? isSha(t) ? t.slice(0, 7) : t.replace(/^v/u, "") : pc.gray("unknown");
 }
 function logSelectionCancelled() {
 	console.info(`\r\u001B[K${pc.yellow("Selection cancelled")}`);

package/dist/core/versions/get-update-level.d.ts

@@ -0,0 +1,11 @@
+/** Update level for a version change. */
+type UpdateLevel = 'unknown' | 'major' | 'minor' | 'patch' | 'none';
+/**
+ * Determine the update level between two version strings.
+ *
+ * @param currentVersion - Current version string.
+ * @param latestVersion - Latest version string.
+ * @returns Update level for the change.
+ */
+export declare function getUpdateLevel(currentVersion: undefined | string | null, latestVersion: undefined | string | null): UpdateLevel;
+export {};

package/dist/core/versions/get-update-level.js

@@ -0,0 +1,23 @@
+import semver from "semver";
+function getUpdateLevel(t, r) {
+	if (!t || !r) return "unknown";
+	let i = normalizeVersion(t), a = normalizeVersion(r);
+	if (!i || !a) return "unknown";
+	if (semver.eq(i, a)) return "none";
+	let o = semver.diff(i, a);
+	if (!o) return "none";
+	switch (o) {
+		case "premajor":
+		case "major": return "major";
+		case "preminor":
+		case "minor": return "minor";
+		case "prepatch":
+		case "patch": return "patch";
+		default: return "unknown";
+	}
+}
+function normalizeVersion(t) {
+	let n = semver.coerce(t);
+	return n ? n.version : null;
+}
+export { getUpdateLevel };

package/dist/core/versions/is-sha.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Check if a string is a Git SHA hash.
+ *
+ * @param value - String to check.
+ * @returns True if the string is a SHA hash.
+ */
+export declare function isSha(value: undefined | string | null): boolean;

package/dist/core/versions/is-sha.js

@@ -0,0 +1,6 @@
+function isSha(e) {
+	if (!e) return !1;
+	let t = e.replace(/^v/u, "");
+	return /^[0-9a-f]{7,40}$/iu.test(t);
+}
+export { isSha };

package/dist/core/versions/read-inline-version-comment.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Best-effort extraction of version number from an inline comment on the same
+ * line as `uses:`. Expected shape after update is, for example: `uses:
+ * actions/checkout@<sha> # v5.0.0`.
+ *
+ * Only used when the current reference is a SHA. Returns null if not found.
+ *
+ * @param filePath - Absolute path to the YAML file.
+ * @param lineNumber - 1-based line number of the `uses:` key.
+ * @param cache - Optional cache of file contents by path.
+ * @returns Extracted version (e.g., `v5.0.0`) or null when not present.
+ */
+export declare function readInlineVersionComment(filePath: undefined | string, lineNumber: undefined | number, cache?: Map<string, string>): Promise<string | null>;

package/dist/core/versions/read-inline-version-comment.js

@@ -0,0 +1,14 @@
+import { readFile } from "node:fs/promises";
+async function readInlineVersionComment(t, n, r) {
+	try {
+		if (!t || !n || n <= 0) return null;
+		let i = r?.get(t);
+		i === void 0 && (i = await readFile(t, "utf8"), r && r.set(t, i));
+		let a = i.split("\n"), o = n - 1;
+		if (o < 0 || o >= a.length) return null;
+		let s = a[o].match(/#\s*(?<version>[Vv]?\d+(?:\.\d+){0,2}(?:[+-][\w\-.]+)?)/u);
+		if (s?.groups?.version) return s.groups.version;
+	} catch {}
+	return null;
+}
+export { readInlineVersionComment };

package/dist/package.js

@@ -1,2 +1,2 @@
-const version = "1.9.0";
+const version = "1.10.0";
 export { version };

package/dist/types/update-mode.d.ts

@@ -0,0 +1,2 @@
+/** Allowed update modes for filtering actions. */
+export type UpdateMode = 'major' | 'minor' | 'patch'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "actions-up",
-  "version": "1.9.0",
+  "version": "1.10.0",
   "description": "Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning",
   "keywords": [
     "github-actions",
@@ -40,7 +40,7 @@
     "enquirer": "^2.4.1",
     "nanospinner": "^1.2.2",
     "picocolors": "^1.1.1",
-    "semver": "^7.7.3",
+    "semver": "^7.7.4",
     "yaml": "^2.8.2"
   },
   "engines": {

package/readme.md

@@ -49,18 +49,7 @@ Interactively upgrade and pin actions to exact commit SHAs for secure, reproduci
 
 ## Why
 
-### The Problem
-
-Keeping GitHub Actions updated is a critical but tedious task:
-
-- **Security Risk**: Using outdated actions with known vulnerabilities
-- **Manual Hell**: Checking dozens of actions across multiple workflows by hand
-- **Version Tags Are Mutable**: v1 or v2 tags can change without notice, breaking reproducibility
-- **Time Sink**: Hours spent on maintenance that could be used for actual development
-
-### The Solution
-
-Actions Up transforms a painful manual process into a delightful experience:
+Keeping GitHub Actions updated is critical and time-consuming. Actions Up scans all workflows, highlights available updates, and can pin actions to SHAs for reproducibility.
 
 | Without Actions Up             | With Actions Up                  |
 | :----------------------------- | :------------------------------- |
@@ -68,6 +57,18 @@ Actions Up transforms a painful manual process into a delightful experience:
 | Risk using vulnerable versions | SHA pinning for maximum security |
 | 30+ minutes per repository     | Under 1 minute total             |
 
+### Security Motivation
+
+GitHub Actions run arbitrary code in your CI. If a job has secrets available, any action used in that job can read the environment and exfiltrate those secrets. A compromised action or a mutable version tag is a direct path to leakage.
+
+Actions Up reduces risk by:
+
+- Pinning actions to commit SHAs to prevent tag hijacking
+- Making outdated actions visible and showing exactly what runs in CI
+- Warning about major updates so you can review changes before applying them
+
+Note: secrets are available on `push`, `workflow_dispatch`, `schedule`, and `pull_request_target` triggers (and on fork PRs if explicitly enabled). Always scope workflow permissions to the minimum required.
+
 ## Installation
 
 Quick use (no installation)
@@ -135,6 +136,15 @@ npx actions-up --dir .gitea
 
 By default, actions pinned to branch refs (e.g., `@main`, `@release/v1`) are skipped to avoid changing intentionally floating references. Skipped entries are listed in the output. To include them in update checks, pass `--include-branches`.
 
+### Update Mode
+
+By default, Actions Up allows major updates. Use `--mode` to limit updates:
+
+```bash
+npx actions-up --mode minor
+npx actions-up --mode patch
+```
+
 ## GitHub Actions Integration
 
 ### Automated PR Checks
@@ -154,6 +164,10 @@ jobs:
   check-actions:
     name: Check for GHA updates
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -168,7 +182,10 @@ jobs:
 
       - name: Run actions-up check
         id: actions-check
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          set -euo pipefail
           echo "## GitHub Actions Update Check" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
 
@@ -178,7 +195,7 @@ jobs:
 
           # Run actions-up and capture output
           echo "Running actions-up to check for updates..."
-          actions-up --dry-run > actions-up-raw.txt 2>&1 || true
+          actions-up --dry-run > actions-up-raw.txt 2>&1
 
           # Parse the output to detect updates
           if grep -q "→" actions-up-raw.txt; then
@@ -254,7 +271,7 @@ jobs:
           fi
 
       - name: Comment PR with updates
-        if: github.event_name == 'pull_request'
+        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
         uses: actions/github-script@v7
         with:
           script: |
@@ -354,34 +371,6 @@ jobs:
 
 </details>
 
-### Scheduled Checks
-
-You can also set up scheduled checks to stay informed about updates:
-
-```yaml
-name: Weekly Actions Update Check
-
-on:
-  schedule:
-    - cron: '0 9 * * 1' # Every Monday at 9 AM
-  workflow_dispatch: # Allow manual triggers
-
-jobs:
-  check-updates:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-      - run: npm install -g actions-up
-      - run: |
-          if actions-up --dry-run | grep -q "→"; then
-            echo "Updates available! Run 'npx actions-up' to update."
-            exit 1
-          fi
-```
-
 ## Example
 
 ### Regular Actions
@@ -418,20 +407,12 @@ jobs:
 
 ## Advanced Usage
 
-### Using GitHub Token for Higher Rate Limits
-
-While Actions Up works without authentication, providing a GitHub token increases API rate limits from 60 to 5000 requests per hour, useful for large projects:
+### GitHub Token
 
-[Create a GitHub Personal Access Token](https://github.com/settings/tokens/new?scopes=public_repo&description=actions-up).
-
-- For public repositories: Select `public_repo` scope
-- For private repositories: Select `repo` scope
-
-Set the token as an environment variable:
+Use `GITHUB_TOKEN` (or a PAT) to raise API rate limits from 60 to 5000 requests/hour.
 
 ```bash
-export GITHUB_TOKEN=your_token_here
-npx actions-up
+GITHUB_TOKEN=your_token_here npx actions-up
 ```
 
 Or in GitHub Actions:
@@ -445,48 +426,17 @@ Or in GitHub Actions:
 
 ### Skipping Updates
 
-Skip updates using CLI excludes and YAML ignore comments. Excludes run first, then ignore comments.
-
-#### CLI Excludes
-
-Skip actions by name using regular expressions. Patterns are matched against the full action name (`owner/repo[/path]`).
-
-- Repeatable flag: `--exclude <regex>` (can be used multiple times)
-- Comma-separated list is supported inside a single flag
-- Forms:
-  - Plain string compiled as case-insensitive regex: `my-org/.*`
-  - Literal with flags: `/^actions\/internal-.+$/i`
-
-Examples:
+Use CLI excludes or YAML ignore comments.
 
 ```bash
-npx actions-up --exclude "my-org/.*"
-npx actions-up --exclude ".*/internal-.*" --exclude "/^acme\/.+$/i"
-# or
-npx actions-up --exclude "my-org/.*, .*/internal-.*"
+npx actions-up --exclude "my-org/.*" --exclude ".*/internal-.*"
 ```
 
-#### Filtering by Release Age
-
-By default, Actions Up shows all available updates. You can filter out recently released updates to avoid updating to versions that haven't been battle-tested yet:
-
 ```bash
-# Only show updates released at least 7 days ago
 npx actions-up --min-age 7
 ```
 
-When `--min-age` is set, an "Age" column appears showing how long ago each release was published (e.g., `3d`, `1w 2d`).
-
-#### Ignore Comments
-
-You can skip specific actions or files using YAML comments. Ignored items are hidden in dry-run and interactive modes and are not updated with `--yes`.
-
-- Ignore whole file: `# actions-up-ignore-file`
-- Block ignore: `# actions-up-ignore-start` … `# actions-up-ignore-end`
-- Next line: `# actions-up-ignore-next-line`
-- Inline on the same line: append `# actions-up-ignore`
-
-Example:
+Ignore comments (file/block/next-line/inline):
 
 ```yaml
 # actions-up-ignore-file
@@ -501,23 +451,14 @@ Example:
 # actions-up-ignore-end
 ```
 
-## Security
-
-Actions Up promotes security best practices:
-
-- **SHA pinning**: Uses commit SHA instead of mutable tags
-- **Version comment**: Adds the released version next to the pinned SHA for readability
-- **No Auto-Updates**: Full control over what gets updated
-- **Breaking Change Warnings**: Alerts you to major version updates that may require configuration changes
-
-## CI/CD Best Practices
+## Why Actions Up?
 
-When using Actions Up in your CI/CD pipeline:
+Interactive CLI for developers who want control over GitHub Actions updates.
 
-1. **Start with warnings**: Begin by running checks without failing builds to gauge the update frequency
-2. **Regular updates**: Schedule weekly or monthly update PRs rather than blocking every PR
-3. **Team education**: Ensure your team understands the security benefits of keeping actions updated
-4. **Gradual adoption**: Roll out to a few repositories first before organization-wide deployment
+- **vs. Dependabot/Renovate:** Dependabot and Renovate update via pull requests; Actions Up is an interactive CLI with explicit SHA pinning.
+- **vs. pinact:** pinact is a CLI to pin and update Actions and reusable workflows; Actions Up adds interactive selection and major update warnings.
+- **Zero-config:** `npx actions-up` runs immediately.
+- **Breaking change warnings:** Major updates are flagged before applying.
 
 ## Contributing