JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 3322
  • Score
    100M100P100Q116510F
  • License MIT

Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning

Package Exports

  • actions-up
  • actions-up/package.json

Readme

Actions Up!

Actions Up! logo

Version Code Coverage GitHub License

Actions Up scans your workflows and composite actions to discover every referenced GitHub Action, then checks for newer releases.

Interactively upgrade and pin actions to exact commit SHAs for secure, reproducible CI and low‑friction maintenance.

Features

  • Auto-discovery: Scans all workflows (.github/workflows/*.yml) and composite actions (.github/actions/*/action.yml)
  • SHA Pinning: Updates actions to use commit SHA instead of tags for better security
  • Batch Updates: Update multiple actions at once
  • Interactive Selection: Choose which actions to update
  • Breaking Changes Detection: Warns about major version updates
  • Fast & Efficient: Parallel processing with optimized API calls


Actions Up interactive example

Why

The Problem

Keeping GitHub Actions updated is a critical but tedious task:

  • Security Risk: Using outdated actions with known vulnerabilities
  • Manual Hell: Checking dozens of actions across multiple workflows by hand
  • Version Tags Are Mutable: v1 or v2 tags can change without notice, breaking reproducibility
  • Time Sink: Hours spent on maintenance that could be used for actual development

The Solution

Actions Up transforms a painful manual process into a delightful experience:

Without Actions Up With Actions Up
Check each action manually Scan all workflows in seconds
Risk using vulnerable versions SHA pinning for maximum security
30+ minutes per repository Under 1 minute total

Installation

Quick use (no installation)

npx actions-up

Global installation

npm install -g actions-up

Per-project

npm install --save-dev actions-up

Usage

Interactive Mode (Default)

Run in your repository root:

npx actions-up

This will:

  1. Scan all .github/workflows/*.yml and .github/actions/*/action.yml files
  2. Check for available updates
  3. Show an interactive list to select updates
  4. Apply selected updates with SHA pinning

Auto-Update Mode

Skip all prompts and update everything:

npx actions-up --yes
# or
npx actions-up -y

Example

# Before
- uses: actions/checkout@v3
- uses: actions/setup-node@v3

# After running actions-up
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

Advanced Usage

Using GitHub Token for Higher Rate Limits

While Actions Up works without authentication, providing a GitHub token increases API rate limits from 60 to 5000 requests per hour, useful for large projects:

Create a GitHub Personal Access Token.

  • For public repositories: Select public_repo scope
  • For private repositories: Select repo scope

Security

Actions Up promotes security best practices:

  • SHA Pinning: Uses commit SHA instead of mutable tags
  • Version Comments: Adds version as comment for readability
  • No Auto-Updates: Full control over what gets updated

Contributing

See Contributing Guide.

License

MIT © Azat S.