npm - actionspack - Versions diffs - 0.0.0 → 0.1.1 - Mend

actionspack 0.0.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/LICENSE +21 -0
package/README.md +166 -0
package/dist/cli.d.mts +1 -0
package/dist/cli.mjs +86 -0
package/dist/commands-CPJczWTq.mjs +1329 -0
package/dist/index.d.mts +108 -0
package/dist/index.mjs +2 -0
package/package.json +62 -8
package/index.js +0 -1

package/dist/commands-CPJczWTq.mjs ADDED Viewed

@@ -0,0 +1,1329 @@
+import { execFile } from "node:child_process";
+import { promisify, styleText } from "node:util";
+import { access, mkdir, readFile, readdir, writeFile } from "node:fs/promises";
+import path from "node:path";
+import { Evaluator, Lexer, Parser, data } from "@actions/expressions";
+import { Binary, ContextAccess, FunctionCall, Grouping, IndexAccess, Literal, Logical, Star, Unary } from "@actions/expressions/ast";
+import { truthy } from "@actions/expressions/result";
+import { parse, stringify } from "yaml";
+import { createHash } from "node:crypto";
+import process from "node:process";
+import { readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { ACTION_ROOT } from "@actions/workflow-parser/actions/action-constants";
+import { JSONObjectReader } from "@actions/workflow-parser/templates/json-object-reader";
+import { TemplateSchema } from "@actions/workflow-parser/templates/schema/index";
+import { TemplateContext, TemplateValidationErrors } from "@actions/workflow-parser/templates/template-context";
+import { readTemplate } from "@actions/workflow-parser/templates/template-reader";
+import { isBasicExpression, isBoolean, isMapping, isNumber, isSequence, isString } from "@actions/workflow-parser/templates/tokens/type-guards";
+import { NoOperationTraceWriter } from "@actions/workflow-parser/templates/trace-writer";
+import { WORKFLOW_ROOT } from "@actions/workflow-parser/workflows/workflow-constants";
+import { YamlObjectReader } from "@actions/workflow-parser/workflows/yaml-object-reader";
+import { Buffer } from "node:buffer";
+import { tmpdir } from "node:os";
+//#region src/utils/expression.ts
+const EXPRESSION_CONTEXTS = [
+	"env",
+	"github",
+	"inputs",
+	"job",
+	"matrix",
+	"needs",
+	"runner",
+	"secrets",
+	"steps",
+	"strategy",
+	"vars"
+];
+function parseExpression(expression) {
+	return new Parser(new Lexer(expression).lex().tokens, EXPRESSION_CONTEXTS, []).parse();
+}
+function expressionBody(value) {
+	if (!value.startsWith("${{") || !value.endsWith("}}")) return;
+	return value.slice(3, -2).trim();
+}
+function staticExpression(expr, values = {}) {
+	const evaluated = evaluateStaticExpression(expr, values);
+	if (evaluated) return evaluated;
+	if (expr instanceof Logical) return simplifyLogicalExpression(expr, values, (item) => printExpression(item, values)).static;
+}
+function simplifyLogicalExpression(expr, values, printExpression) {
+	const op = expr.operator.lexeme;
+	const pending = [];
+	let lastStatic;
+	for (const arg of expr.args) {
+		const staticArg = staticExpression(arg, values);
+		const text = staticArg?.text ?? printExpression(arg);
+		if (!staticArg) {
+			pending.push(text);
+			continue;
+		}
+		lastStatic = staticArg;
+		if (pending.length === 0) {
+			if (op === "&&" && !staticArg.truthy) return {
+				static: staticArg,
+				text
+			};
+			if (op === "&&" && staticArg.truthy) continue;
+			if (op === "||" && staticArg.truthy) return {
+				static: staticArg,
+				text
+			};
+			if (op === "||" && !staticArg.truthy) continue;
+		}
+		pending.push(text);
+	}
+	if (pending.length === 0 && lastStatic) return {
+		static: lastStatic,
+		text: lastStatic.text
+	};
+	if (pending.length === 1) return { text: pending[0] };
+	return { text: pending.join(` ${op} `) };
+}
+function staticIfExpression(expression) {
+	try {
+		const value = staticExpression(parseExpression(expression));
+		if (value?.value === true) return true;
+		if (value?.value === false) return false;
+		if (value?.value === "") return "";
+		return;
+	} catch {
+		return;
+	}
+}
+function printExpression(expr, values) {
+	const staticValue = staticExpression(expr, values);
+	if (staticValue) return staticValue.text;
+	if (expr instanceof Binary) return `${printExpression(expr.left, values)} ${expr.operator.lexeme} ${printExpression(expr.right, values)}`;
+	if (expr instanceof ContextAccess) return expr.name.lexeme;
+	if (expr instanceof FunctionCall) return printFunctionExpression(expr, values);
+	if (expr instanceof Grouping) return `(${printExpression(expr.group, values)})`;
+	if (expr instanceof IndexAccess) {
+		const replacement = replacementForIndexAccess(expr, values);
+		if (replacement !== void 0) return replacement;
+		return printIndexAccess(expr, values);
+	}
+	if (expr instanceof Literal) return expr.token.lexeme;
+	if (expr instanceof Logical) return simplifyLogicalExpression(expr, values, (item) => printExpression(item, values)).text;
+	if (expr instanceof Star) return "*";
+	if (expr instanceof Unary) return `${expr.operator.lexeme}${printExpression(expr.expr, values)}`;
+	throw new Error("Unsupported expression node");
+}
+function literalString(expr) {
+	if (typeof expr.token.value === "string") return expr.token.value;
+	const literal = expr.literal;
+	return typeof literal.value === "string" ? literal.value : "";
+}
+function valueForIndexAccess(expr, values) {
+	if (!(expr instanceof IndexAccess)) return;
+	return hasValueForIndexAccess(expr, values) ? values[indexAccessKey(expr)] : void 0;
+}
+function quoteExpressionString(value) {
+	return `'${value.replaceAll("'", "''")}'`;
+}
+function valueLiteral(value) {
+	if (value === void 0 || value === null) return "null";
+	if (typeof value === "boolean") return value ? "true" : "false";
+	if (typeof value === "number") return String(value);
+	if (typeof value === "string") return quoteExpressionString(value);
+	return `fromJson(${quoteExpressionString(JSON.stringify(value))})`;
+}
+function evaluateStaticExpression(expr, values) {
+	if (!canEvaluateExpression(expr, values)) return;
+	try {
+		const data = new Evaluator(expr, expressionContext(values)).evaluate();
+		return {
+			data,
+			text: dataLiteral(data),
+			truthy: truthy(data),
+			value: dataValue(data)
+		};
+	} catch {
+		return;
+	}
+}
+function hasValueForIndexAccess(expr, values) {
+	const key = indexAccessKey(expr);
+	return key !== void 0 && Object.hasOwn(values, key);
+}
+function indexAccessKey(expr) {
+	if (!(expr.expr instanceof ContextAccess) || !(expr.index instanceof Literal)) return;
+	const root = expr.expr.name.lexeme;
+	if (root !== "inputs" && root !== "secrets") return;
+	const name = literalString(expr.index);
+	return name ? `${root}.${name}` : void 0;
+}
+function canEvaluateExpression(expr, values) {
+	if (expr instanceof Binary) return canEvaluateExpression(expr.left, values) && canEvaluateExpression(expr.right, values);
+	if (expr instanceof ContextAccess) return Object.hasOwn(values, expr.name.lexeme);
+	if (expr instanceof FunctionCall) return expr.args.every((arg) => canEvaluateExpression(arg, values));
+	if (expr instanceof Grouping) return canEvaluateExpression(expr.group, values);
+	if (expr instanceof IndexAccess) return hasStaticValueForIndexAccess(expr, values) || canEvaluateExpression(expr.expr, values) && canEvaluateExpression(expr.index, values);
+	if (expr instanceof Literal) return true;
+	if (expr instanceof Logical) return expr.args.every((arg) => canEvaluateExpression(arg, values));
+	if (expr instanceof Star) return false;
+	if (expr instanceof Unary) return canEvaluateExpression(expr.expr, values);
+	return false;
+}
+function expressionContext(values) {
+	const roots = /* @__PURE__ */ new Map();
+	const pairs = [];
+	for (const [key, value] of Object.entries(values)) {
+		const [root, ...rest] = key.split(".");
+		if (!root) continue;
+		if (rest.length === 0) {
+			pairs.push({
+				key: root,
+				value: toExpressionData(value)
+			});
+			continue;
+		}
+		const name = rest.join(".");
+		const entries = roots.get(root) ?? /* @__PURE__ */ new Map();
+		entries.set(name, value);
+		roots.set(root, entries);
+	}
+	for (const [root, entries] of roots) pairs.push({
+		key: root,
+		value: new data.Dictionary(...[...entries].map(([key, value]) => ({
+			key,
+			value: toExpressionData(value)
+		})))
+	});
+	return new data.Dictionary(...pairs);
+}
+function toExpressionData(value) {
+	if (value === void 0 || value === null) return new data.Null();
+	if (typeof value === "boolean") return new data.BooleanData(value);
+	if (typeof value === "number") return new data.NumberData(value);
+	if (typeof value === "string") return new data.StringData(value);
+	if (Array.isArray(value)) return new data.Array(...value.map((item) => toExpressionData(item)));
+	if (typeof value === "object") return new data.Dictionary(...Object.entries(value).map(([key, item]) => ({
+		key,
+		value: toExpressionData(item)
+	})));
+	return new data.Null();
+}
+function dataValue(value) {
+	if (value instanceof data.Array) return value.values().map((item) => dataValue(item));
+	if (value instanceof data.BooleanData) return value.value;
+	if (value instanceof data.Dictionary) return Object.fromEntries(value.pairs().map((pair) => [pair.key, dataValue(pair.value)]));
+	if (value instanceof data.Null) return null;
+	if (value instanceof data.NumberData) return value.value;
+	if (value instanceof data.StringData) return value.value;
+	return null;
+}
+function dataLiteral(value) {
+	return valueLiteral(dataValue(value));
+}
+function replacementForIndexAccess(expr, values) {
+	if (!hasValueForIndexAccess(expr, values)) return;
+	const value = valueForIndexAccess(expr, values);
+	if (typeof value === "string") {
+		const body = expressionBody(value.trim());
+		if (body !== void 0) return `(${body})`;
+	}
+	return valueLiteral(value);
+}
+function hasStaticValueForIndexAccess(expr, values) {
+	if (!hasValueForIndexAccess(expr, values)) return false;
+	const value = valueForIndexAccess(expr, values);
+	return typeof value !== "string" || expressionBody(value.trim()) === void 0;
+}
+function printIndexAccess(expr, values) {
+	const target = printExpression(expr.expr, values);
+	if (expr.index instanceof Literal) return expr.index.token.value === void 0 ? `${target}.${expr.index.token.lexeme}` : `${target}[${expr.index.token.lexeme}]`;
+	return `${target}[${printExpression(expr.index, values)}]`;
+}
+function printFunctionExpression(expr, values) {
+	const format = printFormatExpression(expr, values);
+	if (format) return format;
+	return `${expr.functionName.lexeme}(${expr.args.map((arg) => printExpression(arg, values)).join(", ")})`;
+}
+function printFormatExpression(expr, values) {
+	if (expr.functionName.lexeme.toLowerCase() !== "format") return;
+	const [formatArg, ...args] = expr.args;
+	if (!formatArg) return;
+	const format = staticExpression(formatArg, values);
+	if (typeof format?.value !== "string") return;
+	const simplified = simplifyFormatString(format.value, args.map((arg) => ({
+		static: staticExpression(arg, values),
+		text: printExpression(arg, values)
+	})));
+	if (!simplified) return;
+	if (simplified.args.length === 0) return quoteExpressionString(simplified.format);
+	return `format(${quoteExpressionString(simplified.format)}, ${simplified.args.join(", ")})`;
+}
+function simplifyFormatString(format, args) {
+	const nextArgs = [];
+	let nextFormat = "";
+	let index = 0;
+	while (index < format.length) {
+		const char = format[index];
+		const nextChar = format[index + 1];
+		if (char === "{" && nextChar === "{") {
+			nextFormat += "{{";
+			index += 2;
+			continue;
+		}
+		if (char === "}" && nextChar === "}") {
+			nextFormat += "}}";
+			index += 2;
+			continue;
+		}
+		if (char !== "{") {
+			nextFormat += char;
+			index += 1;
+			continue;
+		}
+		const end = format.indexOf("}", index + 1);
+		if (end === -1) return;
+		const rawIndex = /^\d+/u.exec(format.slice(index + 1, end))?.[0];
+		if (!rawIndex) return;
+		const arg = args[Number(rawIndex)];
+		if (!arg) return;
+		if (arg.static) nextFormat += escapeFormatLiteral(arg.static.data.coerceString());
+		else {
+			const nextIndex = nextArgs.push(arg.text) - 1;
+			nextFormat += `{${nextIndex}}`;
+		}
+		index = end + 1;
+	}
+	nextFormat = nextFormat.trim();
+	return {
+		args: nextArgs,
+		format: nextFormat
+	};
+}
+function escapeFormatLiteral(value) {
+	return value.replaceAll("{", "{{").replaceAll("}", "}}");
+}
+//#endregion
+//#region src/utils/yaml.ts
+function parseYamlMap(source, file) {
+	const value = parse(source);
+	if (!isRecord(value)) throw new TypeError(`${file} must contain a YAML mapping`);
+	return value;
+}
+function stringifyYaml(value) {
+	return stringify(value, {
+		lineWidth: 0,
+		minContentWidth: 0,
+		singleQuote: true
+	});
+}
+function stringifyWorkflowYaml(value) {
+	return formatWorkflowYaml(stringifyYaml(normalizeWorkflowYamlValue(value)));
+}
+function isRecord(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function asRecord(value) {
+	return isRecord(value) ? value : void 0;
+}
+function asArray(value) {
+	return Array.isArray(value) ? value : [];
+}
+function formatWorkflowYaml(source) {
+	const lines = source.trimEnd().split("\n");
+	const output = [];
+	let stepsIndent;
+	let stepItemIndent;
+	for (const line of lines) {
+		const indent = leadingSpaces(line);
+		const trimmed = line.trim();
+		const isTopLevelKey = indent === 0 && /^[\w-]+:/u.test(line);
+		if (stepsIndent !== void 0 && trimmed && indent <= stepsIndent) {
+			pushBlankLine(output);
+			stepsIndent = void 0;
+			stepItemIndent = void 0;
+		}
+		if (isTopLevelKey && output.length > 0) pushBlankLine(output);
+		if (stepsIndent !== void 0 && stepItemIndent !== void 0 && indent === stepItemIndent && trimmed.startsWith("- ")) pushBlankLine(output);
+		output.push(line);
+		if (/^steps:\s*$/u.test(trimmed)) {
+			stepsIndent = indent;
+			stepItemIndent = void 0;
+			continue;
+		}
+		if (stepsIndent !== void 0 && indent > stepsIndent && trimmed.startsWith("- ")) stepItemIndent ??= indent;
+	}
+	return `${output.join("\n")}\n`;
+}
+function leadingSpaces(value) {
+	return value.length - value.trimStart().length;
+}
+function pushBlankLine(lines) {
+	if (lines.length > 0 && lines.at(-1) !== "") lines.push("");
+}
+function normalizeWorkflowYamlValue(value) {
+	if (Array.isArray(value)) return value.map((item) => normalizeWorkflowYamlValue(item));
+	if (isRecord(value)) return Object.fromEntries(Object.entries(value).map(([key, item]) => [key, normalizeWorkflowYamlValue(item)]));
+	if (value === "true") return true;
+	if (value === "false") return false;
+	return value;
+}
+//#endregion
+//#region src/optimizer.ts
+function optimizeJob(job) {
+	const next = { ...job };
+	if (isEmptyNeeds(next.needs)) delete next.needs;
+	if (staticIfValue(next.if) === true) delete next.if;
+	return next;
+}
+function optimizeStep(stepValue) {
+	const step = asRecord(stepValue);
+	if (!step) return stepValue;
+	const ifValue = staticIfValue(step.if);
+	if (ifValue === false || ifValue === "") return;
+	if (ifValue === true) {
+		const next = { ...step };
+		delete next.if;
+		return next;
+	}
+	return stepValue;
+}
+function optimizeJobs(jobs) {
+	return Object.fromEntries(Object.entries(jobs).map(([jobId, jobValue]) => {
+		const job = asRecord(jobValue);
+		return [jobId, job ? optimizeJob(job) : jobValue];
+	}));
+}
+function staticIfValue(value) {
+	if (value === true || value === false || value === "") return value;
+	if (typeof value !== "string") return;
+	const trimmed = value.trim();
+	return staticIfExpression(expressionBody(trimmed) ?? trimmed);
+}
+function isEmptyNeeds(value) {
+	return Array.isArray(value) && value.length === 0;
+}
+//#endregion
+//#region src/utils/workflow-parser.ts
+const workflowParserEntry = fileURLToPath(import.meta.resolve("@actions/workflow-parser"));
+const workflowParserDist = path.dirname(workflowParserEntry);
+let actionSchema;
+let workflowSchema;
+function parseWorkflowMap(source, file) {
+	return parseTemplateMap(WORKFLOW_ROOT, workflowSchemaForParser(), source, file);
+}
+function parseActionMap(source, file) {
+	return parseTemplateMap(ACTION_ROOT, actionSchemaForParser(), source, file);
+}
+function parseTemplateMap(root, schema, source, file) {
+	const result = parseTemplate(root, schema, source, file);
+	throwOnTemplateErrors(result, file);
+	if (!result.value) return {};
+	const value = templateTokenToValue(result.value);
+	if (!value || typeof value !== "object" || Array.isArray(value)) throw new TypeError(`${file} must be a YAML mapping`);
+	return value;
+}
+function parseActionTemplate(source, file) {
+	return parseTemplate(ACTION_ROOT, actionSchemaForParser(), source, file);
+}
+function parseTemplate(root, schema, source, file) {
+	const context = new TemplateContext(new TemplateValidationErrors(), schema, new NoOperationTraceWriter());
+	const fileId = context.getFileId(file);
+	const reader = new YamlObjectReader(fileId, source);
+	if (reader.errors.length > 0) {
+		for (const error of reader.errors) context.error(fileId, error.message, error.range);
+		return {
+			context,
+			value: void 0
+		};
+	}
+	return {
+		context,
+		value: readTemplate(context, root, reader, fileId)
+	};
+}
+function throwOnTemplateErrors(result, file) {
+	const errors = result.context.errors.getErrors();
+	if (errors.length > 0) throw new Error(`${file}: ${errors.map((error) => error.message).join("\n")}`);
+}
+function templateTokenToValue(token) {
+	if (isMapping(token)) return Object.fromEntries([...token].map((pair) => [String(templateTokenToValue(pair.key)), templateTokenToValue(pair.value)]));
+	if (isSequence(token)) return [...token].map((item) => templateTokenToValue(item));
+	if (isString(token) || isNumber(token) || isBoolean(token)) return token.value;
+	if (isBasicExpression(token)) return token.toString();
+	return token.toJSON();
+}
+function workflowSchemaForParser() {
+	workflowSchema ??= loadSchema("workflow-v1.0.min.json");
+	return workflowSchema;
+}
+function actionSchemaForParser() {
+	actionSchema ??= loadSchema("action-v1.0.min.json");
+	return actionSchema;
+}
+function loadSchema(name) {
+	const file = path.join(workflowParserDist, name);
+	return TemplateSchema.load(new JSONObjectReader(void 0, readFileSync(file, "utf8")));
+}
+//#endregion
+//#region src/utils/fs.ts
+const LOCKFILE_PATH = ".github/workflow.lock.yml";
+const DEFAULT_SOURCE_DIR = ".github/workflows/src";
+const DEFAULT_OUTPUT_DIR = ".github/workflows";
+function resolveCwd(cwd) {
+	return cwd ? path.resolve(cwd) : process.cwd();
+}
+async function fileExists(file) {
+	try {
+		await access(file);
+		return true;
+	} catch {
+		return false;
+	}
+}
+async function readYamlFile(file) {
+	return parseYamlMap(await readFile(file, "utf8"), file);
+}
+async function readWorkflowFile(file) {
+	return parseWorkflowMap(await readFile(file, "utf8"), file);
+}
+async function writeYamlFile(file, value) {
+	await mkdir(path.dirname(file), { recursive: true });
+	await writeFile(file, stringifyYaml(value), "utf8");
+}
+async function discoverConfig(cwd, overrides = {}) {
+	const root = resolveCwd(cwd);
+	const configPath = path.join(root, "actionspack.yml");
+	let config;
+	if (await fileExists(configPath)) {
+		const rawConfig = await readYamlFile(configPath);
+		config = {
+			entries: (Array.isArray(rawConfig.entries) ? rawConfig.entries : []).map((entry) => {
+				if (!entry || typeof entry !== "object" || Array.isArray(entry)) throw new TypeError("actionspack.yml entries must be mappings");
+				const source = Reflect.get(entry, "source");
+				const output = Reflect.get(entry, "output");
+				if (typeof source !== "string" || typeof output !== "string") throw new TypeError("actionspack.yml entries require source and output");
+				return {
+					source,
+					output
+				};
+			}),
+			external: normalizeStringList(rawConfig.external)
+		};
+	} else config = await discoverDefaultConfig(root);
+	return {
+		...config,
+		...normalizeConfigOverrides(overrides)
+	};
+}
+async function discoverDefaultConfig(root) {
+	const sourceDir = path.join(root, DEFAULT_SOURCE_DIR);
+	if (!await fileExists(sourceDir)) return {
+		entries: [],
+		external: []
+	};
+	return {
+		external: [],
+		entries: (await readdir(sourceDir)).filter((name) => name.endsWith(".yml") || name.endsWith(".yaml")).toSorted().map((name) => ({
+			source: path.posix.join(DEFAULT_SOURCE_DIR, name),
+			output: path.posix.join(DEFAULT_OUTPUT_DIR, name.replace(/\.ya?ml$/u, ".yml"))
+		}))
+	};
+}
+function normalizeConfigOverrides(overrides) {
+	return {
+		...overrides.entries ? { entries: overrides.entries } : {},
+		...overrides.external ? { external: overrides.external } : {}
+	};
+}
+function normalizeStringList(value) {
+	if (typeof value === "string") return [value];
+	if (!Array.isArray(value)) return [];
+	return value.filter((item) => typeof item === "string");
+}
+function readWorkflowEntry(root, entry) {
+	return readWorkflowFile(path.join(root, entry.source));
+}
+function emptyLockfile() {
+	return {
+		lockfileVersion: 1,
+		entries: {},
+		packages: {}
+	};
+}
+async function readLockfile(cwd) {
+	const root = resolveCwd(cwd);
+	const file = path.join(root, LOCKFILE_PATH);
+	if (!await fileExists(file)) return emptyLockfile();
+	const value = await readYamlFile(file);
+	return {
+		lockfileVersion: 1,
+		entries: normalizeRecord(value.entries),
+		packages: normalizeRecord(value.packages)
+	};
+}
+async function writeLockfile(cwd, lockfile) {
+	await writeYamlFile(path.join(resolveCwd(cwd), LOCKFILE_PATH), lockfile);
+}
+async function writeWorkflow(cwd, output, workflow) {
+	const file = path.join(resolveCwd(cwd), output);
+	await mkdir(path.dirname(file), { recursive: true });
+	await writeFile(file, stringifyWorkflowYaml(workflow), "utf8");
+}
+function normalizeRecord(value) {
+	if (!value || typeof value !== "object" || Array.isArray(value)) return {};
+	return value;
+}
+//#endregion
+//#region src/utils/github.ts
+var HttpGitHubClient = class {
+	#cacheDir;
+	#token;
+	constructor(token = process.env.GITHUB_TOKEN, cacheDir = path.join(tmpdir(), "actionspack-github-cache")) {
+		this.#cacheDir = cacheDir;
+		this.#token = token;
+	}
+	async resolveRef(owner, repo, ref) {
+		if (/^[a-f0-9]{40}$/iu.test(ref)) return ref;
+		const candidates = [
+			`heads/${ref}`,
+			`tags/${ref}`,
+			ref
+		];
+		for (const candidate of candidates) {
+			const sha = (await this.#request(`/repos/${owner}/${repo}/git/ref/${candidate}`))?.object?.sha;
+			if (sha) return sha;
+		}
+		throw new Error(`Unable to resolve ${owner}/${repo}@${ref}`);
+	}
+	async readFile(owner, repo, ref, filePath) {
+		const cacheFile = this.#cacheFile(owner, repo, ref, filePath);
+		const cached = await readFile(cacheFile, "utf8").catch(() => void 0);
+		if (cached !== void 0) return cached;
+		const response = await this.#request(`/repos/${owner}/${repo}/contents/${encodeURIComponentPath(filePath)}?ref=${ref}`, true);
+		if (!response) return;
+		if (response.encoding !== "base64" || typeof response.content !== "string") throw new Error(`Unexpected GitHub content response for ${owner}/${repo}/${filePath}@${ref}`);
+		const content = Buffer.from(response.content, "base64").toString("utf8");
+		await mkdir(path.dirname(cacheFile), { recursive: true });
+		await writeFile(cacheFile, content, "utf8");
+		return content;
+	}
+	#cacheFile(owner, repo, ref, filePath) {
+		return path.join(this.#cacheDir, owner, repo, ref, ...filePath.split("/"));
+	}
+	async #request(pathname, allowNotFound = false) {
+		const headers = {
+			accept: "application/vnd.github+json",
+			"user-agent": "actionspack",
+			"x-github-api-version": "2022-11-28"
+		};
+		if (this.#token) headers.authorization = `Bearer ${this.#token}`;
+		const response = await fetch(`https://api.github.com${pathname}`, { headers });
+		if (response.status === 404 && allowNotFound) return;
+		if (!response.ok) throw new Error(`GitHub API request failed: ${response.status} ${response.statusText}`);
+		return await response.json();
+	}
+};
+function encodeURIComponentPath(filePath) {
+	return filePath.split("/").map(encodeURIComponent).join("/");
+}
+//#endregion
+//#region src/utils/ref.ts
+const REMOTE_USES_RE = /^[\w.-]+\/[\w.-]+(?:\/[^@\s]+)?@[^@\s]+$/;
+function packageKey(owner, repo, path) {
+	return path && path !== "." ? `github:${owner}/${repo}/${path}` : `github:${owner}/${repo}`;
+}
+function isRemoteUses(value) {
+	return typeof value === "string" && REMOTE_USES_RE.test(value);
+}
+function isPinnedRemoteUses(value) {
+	return isRemoteUses(value) && /@[a-f0-9]{40}$/iu.test(value);
+}
+function parseRemoteUses(value, kind = "action") {
+	const atIndex = value.lastIndexOf("@");
+	if (atIndex <= 0 || atIndex === value.length - 1) throw new Error(`Malformed remote reference: ${value}`);
+	const ref = value.slice(atIndex + 1);
+	const parts = value.slice(0, atIndex).split("/");
+	if (parts.length < 2 || !parts[0] || !parts[1]) throw new Error(`Malformed remote reference: ${value}`);
+	const owner = parts[0];
+	const repo = parts[1];
+	const path = parts.length > 2 ? parts.slice(2).join("/") : ".";
+	const inferredKind = path.startsWith(".github/workflows/") ? "reusable-workflow" : kind;
+	return {
+		owner,
+		repo,
+		path,
+		ref,
+		package: packageKey(owner, repo, path),
+		kind: inferredKind
+	};
+}
+function matchesPackageSelector(key, selector) {
+	const normalized = selector.startsWith("github:") ? selector : `github:${selector}`;
+	return key === normalized || key.startsWith(`${normalized}/`) || key.includes(`:${selector}/`);
+}
+function matchesExternalSelector(remote, selector) {
+	const value = selector.replace(/^github:/u, "");
+	const fullName = `${remote.owner}/${remote.repo}`;
+	const withPath = `${fullName}/${remote.path}`;
+	const packageSelector = `github:${value}`;
+	return remote.package === selector || remote.package === packageSelector || fullName === value || withPath === value || remote.package.startsWith(`${packageSelector}/`);
+}
+function pinnedUses(remote, resolved) {
+	return `${remote.path === "." ? `${remote.owner}/${remote.repo}` : `${remote.owner}/${remote.repo}/${remote.path}`}@${resolved}`;
+}
+//#endregion
+//#region src/scan.ts
+async function scan(options = {}) {
+	const cwd = resolveCwd(options.cwd);
+	const config = await discoverConfig(cwd, options);
+	const previous = await readLockfile(cwd);
+	const github = options.github ?? new HttpGitHubClient();
+	const lockfile = {
+		lockfileVersion: 1,
+		entries: {},
+		packages: { ...previous.packages }
+	};
+	const queue = [];
+	for (const entry of config.entries) {
+		const dependencies = collectWorkflowDependencies(await readWorkflowEntry(cwd, entry), entry.source);
+		lockfile.entries[entry.source] = {
+			output: entry.output,
+			dependencies: dependencies.map(toLockDependency)
+		};
+		queue.push(...dependencies);
+	}
+	await resolveQueue(lockfile, queue, previous, github, options.refreshPackages ?? /* @__PURE__ */ new Set(), {
+		external: config.external,
+		stderr: options.stderr,
+		stdout: options.stdout
+	});
+	lockfile.packages = prunePackages(lockfile);
+	await writeLockfile(cwd, lockfile);
+	return {
+		lockfile,
+		entries: config.entries
+	};
+}
+function collectWorkflowDependencies(workflow, source) {
+	const dependencies = [];
+	const jobs = asRecord(workflow.jobs);
+	if (!jobs) return dependencies;
+	for (const [jobId, jobValue] of Object.entries(jobs)) {
+		const job = asRecord(jobValue);
+		if (!job) continue;
+		if (typeof job.uses === "string") {
+			if (isRemoteUses(job.uses)) dependencies.push(toDependency(job.uses, "reusable-workflow", `${source}#jobs.${jobId}.uses`));
+			continue;
+		}
+		dependencies.push(...collectStepDependencies(asArray(job.steps), `${source}#jobs.${jobId}.steps`));
+	}
+	return uniqueDependencies(dependencies);
+}
+function collectStepDependencies(steps, foundAtPrefix) {
+	const dependencies = [];
+	for (const [index, stepValue] of steps.entries()) {
+		const step = asRecord(stepValue);
+		if (!step || typeof step.uses !== "string") continue;
+		if (isRemoteUses(step.uses)) dependencies.push(toDependency(step.uses, "action", `${foundAtPrefix}[${index}].uses`));
+	}
+	return uniqueDependencies(dependencies);
+}
+async function resolveQueue(lockfile, queue, previous, github, refreshPackages, context) {
+	const seen = /* @__PURE__ */ new Set();
+	const resolvedRefs = /* @__PURE__ */ new Map();
+	const warnings = /* @__PURE__ */ new Set();
+	while (queue.length > 0) {
+		const dependency = queue.shift();
+		const shouldRefresh = refreshPackages.has(dependency.package);
+		const previousPackage = previous.packages[dependency.package];
+		const resolved = previousPackage?.resolved && !shouldRefresh ? previousPackage.resolved : await resolveDependencyRef(dependency, github, context, resolvedRefs);
+		const seenKey = `${dependency.package}@${resolved}`;
+		if (seen.has(seenKey)) continue;
+		const scanned = await scanRemotePackage(dependency.remote, resolved, github, context, warnings);
+		lockfile.packages[dependency.package] = {
+			...scanned,
+			requested: dependency.requested,
+			resolved
+		};
+		seen.add(seenKey);
+		queue.push(...scanned.dependencies.map((item) => ({
+			...item,
+			remote: parseRemoteUsesFromDependency(item)
+		})));
+	}
+}
+async function scanRemotePackage(remote, resolved, github, context, warnings) {
+	if (remote.kind === "reusable-workflow") {
+		if (isExternal(remote, context.external)) {
+			context.stdout?.write(`External ${remote.owner}/${remote.repo}/${remote.path}@${resolved}\n`);
+			return externalPackage(remote, "external-workflow");
+		}
+		const content = await github.readFile(remote.owner, remote.repo, resolved, remote.path);
+		if (!content) throw new Error(`Missing reusable workflow ${remote.owner}/${remote.repo}/${remote.path}@${resolved}`);
+		const dependencies = collectWorkflowDependencies(parseWorkflowMap(content, remote.path), `${remote.owner}/${remote.repo}/${remote.path}`);
+		return {
+			source: "github",
+			owner: remote.owner,
+			repo: remote.repo,
+			path: remote.path,
+			type: "reusable-workflow",
+			contentDigest: digest(content),
+			dependencies: dependencies.map(toLockDependency)
+		};
+	}
+	if (isExternal(remote, context.external)) {
+		context.stdout?.write(`External ${remote.owner}/${remote.repo}/${remote.path}@${resolved}\n`);
+		return externalPackage(remote, "external-action");
+	}
+	const metadata = await readActionMetadata(github, remote, resolved);
+	const runs = asRecord(parseActionMap(metadata.content, `${remote.path}/action.yml`).runs);
+	const using = typeof runs?.using === "string" ? runs.using.toLowerCase() : void 0;
+	if (using !== "composite") {
+		warnOnce(context, warnings, `Unsupported action type for ${remote.owner}/${remote.repo}/${remote.path}@${resolved}: ${using ?? "unknown"}; marking external`);
+		return {
+			...externalPackage(remote, "external-action"),
+			contentDigest: digest(metadata.content)
+		};
+	}
+	const dependencies = collectStepDependencies(asArray(runs?.steps), `${remote.owner}/${remote.repo}/${remote.path}#runs.steps`);
+	return {
+		source: "github",
+		owner: remote.owner,
+		repo: remote.repo,
+		path: remote.path,
+		type: "composite",
+		contentDigest: digest(metadata.content),
+		dependencies: dependencies.map(toLockDependency)
+	};
+}
+function resolveDependencyRef(dependency, github, context, resolvedRefs) {
+	const key = `${dependency.package}@${dependency.requested}`;
+	const resolved = resolvedRefs.get(key);
+	if (resolved) return Promise.resolve(resolved);
+	context.stdout?.write(`Resolving ${dependency.remote.owner}/${dependency.remote.repo}${dependency.remote.path === "." ? "" : `/${dependency.remote.path}`}@${dependency.requested}\n`);
+	return github.resolveRef(dependency.remote.owner, dependency.remote.repo, dependency.requested).then((value) => {
+		resolvedRefs.set(key, value);
+		return value;
+	});
+}
+function warnOnce(context, warnings, message) {
+	if (warnings.has(message)) return;
+	warnings.add(message);
+	context.stderr?.write(`${styleText("yellow", `Warning: ${message}`)}\n`);
+}
+function isExternal(remote, selectors) {
+	return selectors.some((selector) => matchesExternalSelector(remote, selector));
+}
+function externalPackage(remote, type) {
+	return {
+		source: "github",
+		owner: remote.owner,
+		repo: remote.repo,
+		path: remote.path,
+		type,
+		external: true,
+		contentDigest: "external",
+		dependencies: []
+	};
+}
+async function readActionMetadata(github, remote, resolved) {
+	const base = remote.path === "." ? "" : `${remote.path.replace(/\/$/u, "")}/`;
+	for (const name of ["action.yml", "action.yaml"]) {
+		const metadataPath = `${base}${name}`;
+		const content = await github.readFile(remote.owner, remote.repo, resolved, metadataPath);
+		if (content) return {
+			path: metadataPath,
+			content
+		};
+	}
+	throw new Error(`Missing action metadata for ${remote.owner}/${remote.repo}/${remote.path}@${resolved}`);
+}
+function parseRemoteUsesFromDependency(dependency) {
+	const match = /^github:([^/]+)\/([^/]+)(?:\/(.+))?$/u.exec(dependency.package);
+	if (!match) throw new Error(`Unsupported package key: ${dependency.package}`);
+	const [, owner, repo, packagePath] = match;
+	const remotePath = packagePath ?? ".";
+	const kind = remotePath.startsWith(".github/workflows/") ? "reusable-workflow" : "action";
+	return {
+		owner,
+		repo,
+		path: remotePath,
+		ref: dependency.requested,
+		package: dependency.package,
+		kind
+	};
+}
+function toDependency(value, kind, foundAt) {
+	const remote = parseRemoteUses(value, kind);
+	return {
+		package: remote.package,
+		requested: remote.ref,
+		foundAt,
+		remote
+	};
+}
+function toLockDependency(dependency) {
+	return {
+		package: dependency.package,
+		requested: dependency.requested,
+		...dependency.resolved ? { resolved: dependency.resolved } : {},
+		...dependency.foundAt ? { foundAt: dependency.foundAt } : {}
+	};
+}
+function uniqueDependencies(dependencies) {
+	const seen = /* @__PURE__ */ new Set();
+	return dependencies.filter((dependency) => {
+		const key = `${dependency.package}@${dependency.requested}`;
+		if (seen.has(key)) return false;
+		seen.add(key);
+		return true;
+	});
+}
+function prunePackages(lockfile) {
+	const reachable = /* @__PURE__ */ new Set();
+	const visit = (dependency) => {
+		if (reachable.has(dependency.package)) return;
+		const item = lockfile.packages[dependency.package];
+		if (!item) return;
+		reachable.add(dependency.package);
+		item.dependencies.forEach(visit);
+	};
+	for (const entry of Object.values(lockfile.entries)) entry.dependencies.forEach(visit);
+	return Object.fromEntries([...reachable].toSorted().map((key) => [key, lockfile.packages[key]]));
+}
+function digest(content) {
+	return `sha256:${createHash("sha256").update(content).digest("hex")}`;
+}
+//#endregion
+//#region src/utils/substitute.ts
+function substituteValue(value, values, key) {
+	if (typeof value === "string") {
+		const next = substituteString(value, values);
+		return key === "run" && typeof next === "string" ? next.trim() : next;
+	}
+	if (Array.isArray(value)) return value.map((item) => substituteValue(item, values));
+	if (isRecord(value)) return Object.fromEntries(Object.entries(value).map(([key, item]) => [key, substituteValue(item, values, key)]));
+	return value;
+}
+function substituteString(value, values) {
+	if (!value.includes("${{")) return value;
+	const expression = parseCompositeRunExpression(value);
+	if (!expression) return value;
+	try {
+		const expr = parseExpression(expression);
+		const replacement = directReplacement(expr, values);
+		if (replacement !== void 0) return replacement;
+		const simplified = printExpression(expr, values);
+		const staticValue = staticExpression(parseExpression(simplified), values);
+		return staticValue ? staticValue.value : `\${{ ${simplified} }}`;
+	} catch {
+		return value;
+	}
+}
+function normalizeInputValue(value) {
+	if (value === void 0 || value === null) return "";
+	return value;
+}
+function parseCompositeRunExpression(value) {
+	const expression = expressionBody(value.trim());
+	if (expression !== void 0) return expression;
+	const result = parseActionTemplate(`runs:
+  using: composite
+  steps:
+    - run: ${JSON.stringify(value)}
+`, "actionspack-substitute/action.yml");
+	if (!result.value) return;
+	const token = findToken(result.value, [
+		"runs",
+		"steps",
+		"0",
+		"run"
+	]);
+	return token && isBasicExpression(token) ? token.expression : void 0;
+}
+function findToken(token, path) {
+	if (path.length === 0) return token;
+	const [head, ...rest] = path;
+	if (isMapping(token)) {
+		const next = token.find(head);
+		return next ? findToken(next, rest) : void 0;
+	}
+	if (isSequence(token)) {
+		const index = Number(head);
+		return Number.isInteger(index) ? findToken(token.get(index), rest) : void 0;
+	}
+}
+function directReplacement(expr, values) {
+	return valueForIndexAccess(expr, values);
+}
+//#endregion
+//#region src/pack.ts
+async function pack(options = {}) {
+	if ((await discoverConfig(resolveCwd(options.cwd), options)).entries.length === 0) throw new Error("No workflow source files found in .github/workflows/src");
+	return packScanned(await scan(options), options);
+}
+async function packScanned(scanResult, options = {}) {
+	const cwd = resolveCwd(options.cwd);
+	const github = options.github ?? new HttpGitHubClient();
+	for (const entry of scanResult.entries) {
+		const packed = await packWorkflow(await readWorkflowEntry(cwd, entry), scanResult.lockfile, github);
+		assertNoRemoteUses(packed, entry.output);
+		await writeWorkflow(cwd, entry.output, packed);
+	}
+	options.stdout?.write(`Packed ${scanResult.entries.length} workflow${scanResult.entries.length === 1 ? "" : "s"}\n`);
+	return scanResult;
+}
+async function verify(options = {}) {
+	const cwd = resolveCwd(options.cwd);
+	const config = await discoverConfig(cwd, options);
+	const lockfile = await readLockfile(cwd);
+	const github = options.github ?? new HttpGitHubClient();
+	for (const entry of config.entries) {
+		const expected = await packWorkflow(await readWorkflowEntry(cwd, entry), lockfile, github);
+		assertNoRemoteUses(expected, entry.output);
+		if (await readFile(path.join(cwd, entry.output), "utf8").catch(() => {
+			throw new Error(`Missing generated workflow: ${entry.output}`);
+		}) !== stringifyWorkflowYaml(expected)) throw new Error(`Generated workflow is stale: ${entry.output}`);
+	}
+	return {
+		lockfile,
+		entries: config.entries
+	};
+}
+async function packWorkflow(workflow, lockfile, github) {
+	const packed = substituteValue(structuredClone(workflow), {});
+	const jobs = asRecord(packed.jobs);
+	if (!jobs) return packed;
+	const nextJobs = {};
+	const needsReplacements = {};
+	for (const [jobId, jobValue] of Object.entries(jobs)) {
+		const job = asRecord(jobValue);
+		if (!job) {
+			nextJobs[jobId] = jobValue;
+			continue;
+		}
+		if (typeof job.uses === "string") {
+			if (!isRemoteUses(job.uses)) throw new Error(`Local reusable workflows are not transformed yet: jobs.${jobId}.uses`);
+			const remote = parseRemoteUses(job.uses, "reusable-workflow");
+			const item = requirePackage(lockfile, remote);
+			if (item.external) {
+				nextJobs[jobId] = {
+					...job,
+					uses: pinnedUses(remote, item.resolved)
+				};
+				continue;
+			}
+			const inlined = await inlineReusableWorkflow(jobId, job, lockfile, github);
+			Object.assign(nextJobs, inlined.jobs);
+			needsReplacements[jobId] = inlined.jobIds;
+			continue;
+		}
+		nextJobs[jobId] = await packJob(job, lockfile, github);
+	}
+	packed.jobs = optimizeJobs(rewritePackedNeeds(nextJobs, needsReplacements));
+	return substituteValue(packed, {});
+}
+async function packJob(job, lockfile, github) {
+	const next = { ...job };
+	next.steps = await packSteps(asArray(job.steps), lockfile, github);
+	return optimizeJob(next);
+}
+async function packSteps(steps, lockfile, github) {
+	const packed = [];
+	for (const stepValue of steps) {
+		const step = asRecord(stepValue);
+		if (!step || typeof step.uses !== "string") {
+			const next = optimizeStep(substituteValue(stepValue, {}));
+			if (next !== void 0) packed.push(next);
+			continue;
+		}
+		if (!isRemoteUses(step.uses)) {
+			const next = optimizeStep(stepValue);
+			if (next !== void 0) packed.push(next);
+			continue;
+		}
+		packed.push(...await inlineCompositeStep(step, lockfile, github));
+	}
+	return packed;
+}
+async function inlineCompositeStep(callerStep, lockfile, github) {
+	const remote = parseRemoteUses(String(callerStep.uses), "action");
+	const item = requirePackage(lockfile, remote);
+	if (item.type !== "composite") {
+		if (item.external) return [{
+			...callerStep,
+			uses: pinnedUses(remote, item.resolved)
+		}];
+		throw new Error(`Expected composite action for ${callerStep.uses}`);
+	}
+	const metadata = await readActionMetadata(github, item, item.resolved);
+	const action = parseActionMap(metadata.content, metadata.path);
+	if (asRecord(action.outputs) && typeof callerStep.id === "string") throw new Error(`Composite action outputs are not supported for step id ${callerStep.id}`);
+	const values = collectActionInputValues(action, callerStep, String(callerStep.uses));
+	return (await packSteps(substituteValue(asArray(asRecord(action.runs).steps), values), lockfile, github)).map((stepValue, index) => optimizeStep(applyCallerStepFields(stepValue, callerStep, index))).filter((stepValue) => stepValue !== void 0);
+}
+async function inlineReusableWorkflow(callerJobId, callerJob, lockfile, github) {
+	const item = requirePackage(lockfile, parseRemoteUses(String(callerJob.uses), "reusable-workflow"));
+	if (item.type !== "reusable-workflow") throw new Error(`Expected reusable workflow for ${callerJob.uses}`);
+	if (callerJob.secrets === "inherit") throw new Error(`secrets: inherit is not supported for ${callerJobId}`);
+	rejectUnsupportedReusableCallerKeys(callerJob, callerJobId);
+	const content = await github.readFile(item.owner, item.repo, item.resolved, item.path);
+	if (!content) throw new Error(`Missing reusable workflow ${item.owner}/${item.repo}/${item.path}@${item.resolved}`);
+	const workflow = parseWorkflowMap(content, item.path);
+	const call = workflowCallConfig(workflow);
+	if (!call) throw new Error(`Reusable workflow ${String(callerJob.uses)} must use workflow_call`);
+	if (asRecord(call.outputs)) throw new Error(`Reusable workflow outputs are not supported for ${callerJobId}`);
+	const values = collectReusableValues(call, callerJob, callerJobId);
+	const remoteJobs = asRecord(workflow.jobs);
+	if (!remoteJobs) throw new Error(`Reusable workflow has no jobs: ${String(callerJob.uses)}`);
+	const copied = {};
+	const copiedJobIds = Object.keys(remoteJobs).map((remoteJobId) => `${callerJobId}-${remoteJobId}`);
+	for (const [remoteJobId, remoteJobValue] of Object.entries(remoteJobs)) {
+		const remoteJob = asRecord(remoteJobValue);
+		if (!remoteJob) throw new Error(`Reusable workflow job must be a mapping: ${remoteJobId}`);
+		if (remoteJob.uses) throw new Error(`Nested reusable workflows are not supported: ${callerJobId}-${remoteJobId}`);
+		const transformed = await packJob(substituteValue(remoteJob, values), lockfile, github);
+		transformed.needs = rewriteReusableNeeds(remoteJob.needs, callerJob.needs, callerJobId);
+		copied[`${callerJobId}-${remoteJobId}`] = optimizeJob(transformed);
+	}
+	return {
+		jobIds: copiedJobIds,
+		jobs: copied
+	};
+}
+function collectActionInputValues(action, callerStep, uses) {
+	const values = {};
+	const supplied = asRecord(callerStep.with) ?? {};
+	const inputs = asRecord(action.inputs) ?? {};
+	for (const [name, inputValue] of Object.entries(inputs)) {
+		const input = asRecord(inputValue) ?? {};
+		const suppliedValue = supplied[name];
+		const defaultValue = input.default;
+		const required = input.required === true || input.required === "true";
+		if (suppliedValue === void 0 && defaultValue === void 0 && required) throw new Error(`Missing required input ${name} for ${uses}`);
+		values[`inputs.${name}`] = normalizeInputValue(suppliedValue ?? defaultValue);
+	}
+	for (const [name, value] of Object.entries(supplied)) values[`inputs.${name}`] = normalizeInputValue(value);
+	return values;
+}
+function collectReusableValues(call, callerJob, jobId) {
+	const values = {};
+	const supplied = asRecord(callerJob.with) ?? {};
+	const inputs = asRecord(call.inputs) ?? {};
+	for (const [name, inputValue] of Object.entries(inputs)) {
+		const input = asRecord(inputValue) ?? {};
+		const suppliedValue = supplied[name];
+		const defaultValue = input.default;
+		const required = input.required === true || input.required === "true";
+		if (suppliedValue === void 0 && defaultValue === void 0 && required) throw new Error(`Missing required workflow input ${name} for ${jobId}`);
+		values[`inputs.${name}`] = normalizeInputValue(suppliedValue ?? defaultValue);
+	}
+	for (const [name, value] of Object.entries(supplied)) values[`inputs.${name}`] = normalizeInputValue(value);
+	const secrets = asRecord(callerJob.secrets) ?? {};
+	const declaredSecrets = asRecord(call.secrets) ?? {};
+	for (const name of Object.keys(declaredSecrets)) {
+		if (secrets[name] === void 0) {
+			const declaration = asRecord(declaredSecrets[name]);
+			if (declaration?.required === true || declaration?.required === "true") throw new Error(`Missing required workflow secret ${name} for ${jobId}`);
+			continue;
+		}
+		values[`secrets.${name}`] = normalizeInputValue(secrets[name]);
+	}
+	return values;
+}
+function applyCallerStepFields(stepValue, callerStep, index) {
+	const step = asRecord(stepValue);
+	if (!step) return stepValue;
+	const next = { ...step };
+	if (index === 0 && typeof callerStep.name === "string" && typeof next.name !== "string") next.name = callerStep.name;
+	if (callerStep.if !== void 0) next.if = next.if === void 0 ? callerStep.if : `(${String(callerStep.if)}) && (${String(next.if)})`;
+	if (asRecord(callerStep.env)) next.env = {
+		...asRecord(callerStep.env),
+		...asRecord(next.env)
+	};
+	return next;
+}
+function rewriteReusableNeeds(remoteNeeds, callerNeeds, callerJobId) {
+	const rewrite = (value) => `${callerJobId}-${value}`;
+	const rewrittenRemoteNeeds = typeof remoteNeeds === "string" ? rewrite(remoteNeeds) : Array.isArray(remoteNeeds) ? remoteNeeds.map((item) => rewrite(String(item))) : [];
+	const needs = [...typeof callerNeeds === "string" ? [callerNeeds] : Array.isArray(callerNeeds) ? callerNeeds : [], ...rewrittenRemoteNeeds];
+	return needs.length > 0 ? needs : void 0;
+}
+function rewritePackedNeeds(jobs, replacements) {
+	if (Object.keys(replacements).length === 0) return jobs;
+	return Object.fromEntries(Object.entries(jobs).map(([jobId, jobValue]) => {
+		const job = asRecord(jobValue);
+		if (!job) return [jobId, jobValue];
+		return [jobId, optimizeJob({
+			...job,
+			needs: rewriteNeedsValue(job.needs, replacements)
+		})];
+	}));
+}
+function rewriteNeedsValue(value, replacements) {
+	if (value === void 0) return;
+	const originalIsString = typeof value === "string";
+	const rewritten = (originalIsString ? [value] : Array.isArray(value) ? value.map(String) : []).flatMap((need) => replacements[need] ?? [need]);
+	const unique = [...new Set(rewritten)];
+	if (unique.length === 0) return;
+	return originalIsString && unique.length === 1 ? unique[0] : unique;
+}
+function workflowCallConfig(workflow) {
+	const on = Reflect.get(workflow, "on");
+	if (on === "workflow_call") return {};
+	if (Array.isArray(on) && on.includes("workflow_call")) return {};
+	const onMap = asRecord(on);
+	if (!onMap) return;
+	const call = onMap.workflow_call;
+	if (call === null) return {};
+	return asRecord(call) ?? {};
+}
+function rejectUnsupportedReusableCallerKeys(callerJob, jobId) {
+	const allowed = new Set([
+		"uses",
+		"with",
+		"secrets",
+		"needs",
+		"if",
+		"permissions",
+		"name"
+	]);
+	for (const key of Object.keys(callerJob)) if (!allowed.has(key)) throw new Error(`Unsupported reusable workflow caller key jobs.${jobId}.${key}`);
+}
+function requirePackage(lockfile, remote) {
+	const item = lockfile.packages[remote.package];
+	if (!item) throw new Error(`Missing lockfile package for ${remote.package}`);
+	return item;
+}
+function assertNoRemoteUses(value, file = "workflow") {
+	const visit = (item, trail) => {
+		if (Array.isArray(item)) {
+			item.forEach((child, index) => visit(child, `${trail}[${index}]`));
+			return;
+		}
+		const record = asRecord(item);
+		if (!record) return;
+		if (isRemoteUses(record.uses) && !isPinnedRemoteUses(record.uses)) throw new Error(`Packed workflow contains remote action reference at ${file}${trail}.uses: ${record.uses}`);
+		for (const [key, child] of Object.entries(record)) visit(child, `${trail}.${key}`);
+	};
+	visit(value, "");
+}
+//#endregion
+//#region src/commands.ts
+const execFileAsync = promisify(execFile);
+async function update(options = {}) {
+	const cwd = resolveCwd(options.cwd);
+	const refreshPackages = selectRefreshPackages(await readLockfile(cwd), options.packageName);
+	const scanResult = await scan({
+		...options,
+		cwd,
+		refreshPackages
+	});
+	if (!options.lockfileOnly) await packScanned(scanResult, options);
+}
+async function tree(options = {}) {
+	const lockfile = await readLockfile(options.cwd);
+	const lines = [];
+	for (const [source, entry] of Object.entries(lockfile.entries)) {
+		lines.push(source);
+		appendDependencyTree(lines, lockfile, entry.dependencies, "");
+	}
+	const output = `${lines.join("\n")}\n`;
+	options.stdout?.write(output);
+	return output;
+}
+async function why(packageName, options = {}) {
+	const lockfile = await readLockfile(options.cwd);
+	const matches = new Set(Object.keys(lockfile.packages).filter((key) => matchesPackageSelector(key, packageName)));
+	if (matches.size === 0) throw new Error(`Package is not in the lockfile: ${packageName}`);
+	const paths = [];
+	for (const [source, entry] of Object.entries(lockfile.entries)) for (const dependency of entry.dependencies) collectWhyPaths(lockfile, dependency, matches, [source], paths);
+	const output = paths.length === 0 ? `${packageName} is not reachable\n` : `${packageName} is used by:\n\n${paths.map(formatPath).join("\n\n")}\n`;
+	options.stdout?.write(output);
+	return output;
+}
+async function diff(options = {}) {
+	const cwd = resolveCwd(options.cwd);
+	const current = await readLockfile(cwd);
+	const result = diffLockfiles(await readHeadLockfile(cwd), current);
+	if (options.json) {
+		options.stdout?.write(`${JSON.stringify(result, null, 2)}\n`);
+		return result;
+	}
+	const output = formatDiff(result);
+	options.stdout?.write(output);
+	return output;
+}
+function selectRefreshPackages(lockfile, selector) {
+	const keys = Object.keys(lockfile.packages);
+	if (!selector) return new Set(keys);
+	const selected = keys.filter((key) => matchesPackageSelector(key, selector));
+	if (selected.length === 0) throw new Error(`Package is not in the lockfile: ${selector}`);
+	return new Set(selected);
+}
+function appendDependencyTree(lines, lockfile, dependencies, prefix) {
+	dependencies.forEach((dependency, index) => {
+		const last = index === dependencies.length - 1;
+		const item = lockfile.packages[dependency.package];
+		const label = item ? `${item.owner}/${item.repo}${item.path === "." ? "" : `/${item.path}`}@${item.requested} (${item.resolved})` : `${dependency.package}@${dependency.requested}`;
+		lines.push(`${prefix}${last ? "└─" : "├─"} ${label}`);
+		if (item) appendDependencyTree(lines, lockfile, item.dependencies, `${prefix}${last ? "   " : "│  "}`);
+	});
+}
+function collectWhyPaths(lockfile, dependency, matches, current, paths) {
+	const item = lockfile.packages[dependency.package];
+	const label = item ? `${item.owner}/${item.repo}${item.path === "." ? "" : `/${item.path}`}` : dependency.package;
+	const next = [...current, label];
+	if (matches.has(dependency.package)) paths.push(next);
+	item?.dependencies.forEach((child) => collectWhyPaths(lockfile, child, matches, next, paths));
+}
+function formatPath(path) {
+	return path.map((item, index) => `${"   ".repeat(index)}${index === 0 ? item : `└─ ${item}`}`).join("\n");
+}
+async function readHeadLockfile(cwd) {
+	try {
+		const { stdout } = await execFileAsync("git", ["show", `HEAD:${LOCKFILE_PATH}`], { cwd });
+		const { parse } = await import("yaml");
+		return parse(stdout) ?? {
+			lockfileVersion: 1,
+			entries: {},
+			packages: {}
+		};
+	} catch {
+		return {
+			lockfileVersion: 1,
+			entries: {},
+			packages: {}
+		};
+	}
+}
+function diffLockfiles(previous, current) {
+	const previousKeys = new Set(Object.keys(previous.packages));
+	const currentKeys = new Set(Object.keys(current.packages));
+	return {
+		added: [...currentKeys].filter((key) => !previousKeys.has(key)).toSorted(),
+		removed: [...previousKeys].filter((key) => !currentKeys.has(key)).toSorted(),
+		changed: [...currentKeys].filter((key) => previousKeys.has(key)).flatMap((key) => {
+			const oldPackage = previous.packages[key];
+			const newPackage = current.packages[key];
+			const dependencyChanged = stringifyYaml(oldPackage.dependencies) !== stringifyYaml(newPackage.dependencies);
+			if (oldPackage.resolved === newPackage.resolved && !dependencyChanged) return [];
+			return [{
+				package: key,
+				oldResolved: oldPackage.resolved,
+				newResolved: newPackage.resolved,
+				dependencyChanged
+			}];
+		}).toSorted((a, b) => a.package.localeCompare(b.package))
+	};
+}
+function formatDiff(result) {
+	const lines = [];
+	for (const item of result.changed) {
+		lines.push(item.package, `old: ${item.oldResolved}`, `new: ${item.newResolved}`);
+		if (item.dependencyChanged) lines.push("transitive changes: changed");
+		lines.push("");
+	}
+	if (result.added.length > 0) lines.push("added:", ...result.added.map((item) => `- ${item}`), "");
+	if (result.removed.length > 0) lines.push("removed:", ...result.removed.map((item) => `- ${item}`), "");
+	if (lines.length === 0) return "No lockfile changes\n";
+	return `${lines.join("\n").trimEnd()}\n`;
+}
+//#endregion
+export { why as a, packWorkflow as c, collectWorkflowDependencies as d, scan as f, update as i, verify as l, diffLockfiles as n, assertNoRemoteUses as o, tree as r, pack as s, diff as t, collectStepDependencies as u };