actionspack 0.1.1 → 0.1.3

package/README.md

@@ -13,6 +13,23 @@ It currently supports inlining composite actions and safely transformable
 reusable workflows. JavaScript and Docker actions are pinned as external
 dependencies instead of being bundled.
 
+## Why actionspack?
+
+GitHub Actions workflows often depend on reusable workflows and actions from
+other repositories. You may want to author those dependencies with convenient
+floating refs like `@main` in `.github/workflows/src/`, but generated workflows
+should be reproducible and reviewable.
+
+`actionspack` gives workflows a lockfile mechanism similar to `pnpm`. It locks
+remote workflows and actions in `.github/workflow.lock.yml`, inlines everything
+that can be transformed safely into the local repository, and pins anything that
+cannot be inlined to a fixed SHA.
+
+To update workflow and action dependencies, run `actionspack update`
+periodically. The updated lockfile and generated workflows are normal repository
+files, so `git diff` shows exactly which dependencies changed and what generated
+workflow output changed.
+
 ## Install
 
 ```bash
@@ -49,6 +66,16 @@ npx actionspack
 Generated workflows are safe to commit. Existing lockfile SHAs are reused until
 you explicitly run `actionspack update`.
 
+When you want to refresh workflow/action dependencies:
+
+```bash
+npx actionspack update
+git diff
+```
+
+Review the dependency SHA changes in `.github/workflow.lock.yml` and the
+resulting generated workflow changes before committing.
+
 ## Commands
 
 ```bash

package/dist/cli.mjs

@@ -1,20 +1,16 @@
 #!/usr/bin/env node
-import { a as why, f as scan, i as update, l as verify, r as tree, s as pack, t as diff } from "./commands-CPJczWTq.mjs";
+import { a as why, f as scan, i as update, l as verify, r as tree, s as pack, t as diff } from "./commands-4KKgssQI.mjs";
 import { styleText } from "node:util";
 import process from "node:process";
 import { cac } from "cac";
+//#region package.json
+var name = "actionspack";
+var version = "0.1.3";
 //#endregion
 //#region src/cli.ts
-const cli = cac("actionspack");
+const cli = cac(name);
 async function main() {
-	cli.command("", "Pack workflows").option("--entry <source:output>", "Use an explicit source/output workflow mapping").option("--external <selector>", "Pin a workflow or action without bundling it").action(async (flags) => {
-		await pack({
-			...normalizeConfigFlags(flags),
-			stderr: process.stderr,
-			stdout: process.stdout
-		});
-	});
-	cli.command("pack", "Pack workflows").option("--entry <source:output>", "Use an explicit source/output workflow mapping").option("--external <selector>", "Pin a workflow or action without bundling it").action(async (flags) => {
+	cli.command("", "Pack workflows").alias("pack").option("--entry <source:output>", "Use an explicit source/output workflow mapping").option("--external <selector>", "Pin a workflow or action without bundling it").action(async (flags) => {
 		await pack({
 			...normalizeConfigFlags(flags),
 			stderr: process.stderr,
@@ -53,7 +49,7 @@ async function main() {
 	cli.command("verify", "Verify lockfile and packed workflows").action(async () => {
 		await verify();
 	});
-	cli.help();
+	cli.version(version).help();
 	cli.parse(process.argv, { run: false });
 	await cli.runMatchedCommand();
 }

package/dist/{commands-CPJczWTq.mjs → commands-4KKgssQI.mjs}

@@ -909,6 +909,8 @@ function substituteString(value, values) {
 		const expr = parseExpression(expression);
 		const replacement = directReplacement(expr, values);
 		if (replacement !== void 0) return replacement;
+		const evaluated = staticExpression(expr, values);
+		if (evaluated) return evaluated.value;
 		const simplified = printExpression(expr, values);
 		const staticValue = staticExpression(parseExpression(simplified), values);
 		return staticValue ? staticValue.value : `\${{ ${simplified} }}`;
@@ -1261,11 +1263,15 @@ function appendDependencyTree(lines, lockfile, dependencies, prefix) {
 	dependencies.forEach((dependency, index) => {
 		const last = index === dependencies.length - 1;
 		const item = lockfile.packages[dependency.package];
-		const label = item ? `${item.owner}/${item.repo}${item.path === "." ? "" : `/${item.path}`}@${item.requested} (${item.resolved})` : `${dependency.package}@${dependency.requested}`;
+		const label = item ? formatPackageTreeLabel(item) : `${dependency.package}@${dependency.requested}`;
 		lines.push(`${prefix}${last ? "└─" : "├─"} ${label}`);
 		if (item) appendDependencyTree(lines, lockfile, item.dependencies, `${prefix}${last ? "   " : "│  "}`);
 	});
 }
+function formatPackageTreeLabel(item) {
+	const requested = `${`${item.owner}/${item.repo}${item.path === "." ? "" : `/${item.path}`}`}@${item.requested}`;
+	return item.requested === item.resolved ? requested : `${requested} (${item.resolved})`;
+}
 function collectWhyPaths(lockfile, dependency, matches, current, paths) {
 	const item = lockfile.packages[dependency.package];
 	const label = item ? `${item.owner}/${item.repo}${item.path === "." ? "" : `/${item.path}`}` : dependency.package;

package/dist/index.mjs

@@ -1,2 +1,2 @@
-import { a as why, c as packWorkflow, d as collectWorkflowDependencies, f as scan, i as update, l as verify, n as diffLockfiles, o as assertNoRemoteUses, r as tree, s as pack, t as diff, u as collectStepDependencies } from "./commands-CPJczWTq.mjs";
+import { a as why, c as packWorkflow, d as collectWorkflowDependencies, f as scan, i as update, l as verify, n as diffLockfiles, o as assertNoRemoteUses, r as tree, s as pack, t as diff, u as collectStepDependencies } from "./commands-4KKgssQI.mjs";
 export { assertNoRemoteUses, collectStepDependencies, collectWorkflowDependencies, diff, diffLockfiles, pack, packWorkflow, scan, tree, update, verify, why };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "actionspack",
   "type": "module",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "Lockfile-first GitHub Actions workflow packer",
   "author": "Kevin Deng <sxzz@sxzz.moe>",
   "license": "MIT",