azat-io
actions-up
TypeScript

๐ŸŒŠ Interactive CLI tool to update GitHub Actions to latest versions with SHA pinning

Last updated Jul 8, 2026
607
Stars
18
Forks
2
Issues
+4
Stars/day
Attention Score
89
Language breakdown
No language data available.
โ–ธ Files click to expand
README

Actions Up!

Actions Up logo

Version Code Coverage GitHub License

Actions Up scans your workflows and composite actions to discover every referenced GitHub Action, then checks for newer releases.

Interactively upgrade and pin actions to exact commit SHAs for secure, reproducible CI, or preserve tag-style references when you need to stay on tags.

Features

  • Auto-discovery: Scans all workflows (.github/workflows/*.yml) and
composite actions (.github/actions/*/action.yml and root action.yml/action.yaml)
  • Reusable Workflows: Detects and updates reusable workflow calls at the job
level
  • Flexible update styles: Use SHA pinning by default, or preserve tag-style
references with --style preserve
  • Batch Updates: Update multiple actions at once
  • Interactive Selection: Choose which actions to update
  • Breaking Changes Detection: Warns about major version updates
  • Fast & Efficient: Optimized API usage with deduped lookups
  • CI/CD Integration: Use in GitHub Actions workflows for automated PR checks
###


Actions Up! interactive example

Why

Keeping GitHub Actions updated is critical and time-consuming. Actions Up scans all workflows, highlights available updates, and can pin actions to SHAs for reproducibility.

| Without Actions Up | With Actions Up | | :----------------------------- | :------------------------------- | | Check each action manually | Scan all workflows in seconds | | Risk using vulnerable versions | SHA pinning for maximum security | | 30+ minutes per repository | Under 1 minute total |

Security Motivation

GitHub Actions run arbitrary code in your CI. If a job has secrets available, any action used in that job can read the environment and exfiltrate those secrets. A compromised action or a mutable version tag is a direct path to leakage.

Actions Up reduces risk by:

  • Pinning actions to commit SHAs to prevent tag hijacking
  • Making outdated actions visible and showing exactly what runs in CI
  • Warning about major updates so you can review changes before applying them
Note: secrets are available on push, workflow_dispatch, schedule, and pullrequesttarget triggers (and on fork PRs if explicitly enabled). Always scope workflow permissions to the minimum required.

Installation

Quick use (no installation)

npx actions-up

Global installation

npm install -g actions-up

Per-project

npm install --save-dev actions-up

Alternatively, you can install Actions Up with Homebrew

brew install actions-up

Usage

Interactive Mode (Default)

Run in your repository root:

npx actions-up

This will:

  • Scan all .github/workflows/.yml and .github/actions//action.yml files,
plus root action.yml/action.yaml
  • Check for available updates
  • Show an interactive list to select updates
  • Apply selected updates with SHA pinning by default

Auto-Update Mode

Skip all prompts and update everything:

npx actions-up --yes

or

npx actions-up -y

Dry Run Mode

Check for updates without making any changes:

npx actions-up --dry-run

JSON Mode

Output a machine-readable JSON report instead of the interactive UI:

npx actions-up --json

--json is report-only: it never writes files, skips the interactive prompt, and cannot be combined with --yes.

Custom Directory

By default, Actions Up scans .github.

Use --dir to choose another directory, and pass it multiple times to scan several directories:

npx actions-up --dir .gitea
npx actions-up --dir .github --dir ./other/.github

Recursive Scanning

Use --recursive (-r) to scan YAML workflow/composite-action files recursively in the selected directories:

npx actions-up -r
npx actions-up --dir ./gh-repo-defaults -r

When --recursive is used without --dir, Actions Up scans from the current directory (.).

Branch References

By default, actions pinned to branch refs (e.g., @main, @release/v1) are skipped to avoid changing intentionally floating references. Skipped entries are listed in the output. To include them in update checks, pass --include-branches.

Quiet Mode

Use --quiet (-q) to hide the skipped and blocked-update warnings (for example, actions intentionally pinned to branches). Other output โ€” results, applied updates, and errors โ€” is unchanged.

npx actions-up --yes --quiet

Update Mode

By default, Actions Up allows major updates. Use --mode to limit updates:

npx actions-up --mode minor
npx actions-up --mode patch

In minor and patch modes, Actions Up tries to find the newest compatible tag first (for example, from @v4 in minor mode it will choose the latest v4.x.y). If no compatible version exists, that action is skipped.

Update Style

By default, Actions Up writes updates as pinned SHAs:

npx actions-up --style sha

Use --style preserve to keep the current reference style:

npx actions-up --style preserve

preserve keeps tag references on tags and SHA references on SHAs. Tag refs also keep their granularity, so actions/checkout@v5 updates to actions/checkout@v6, while actions/checkout@v5.0 updates to actions/checkout@v6.0. A SHA-pinned action continues updating to the latest resolved SHA.

GitHub Actions Integration

Automated PR Checks

You can integrate Actions Up into your CI/CD pipeline to automatically check for outdated actions on every pull request. This helps maintain security and ensures your team stays aware of available updates.

Create .github/workflows/check-actions-updates.yml.

yaml
name: Check for outdated GitHub Actions
on:
  pull_request:
    types: [edited, opened, synchronize, reopened]

jobs: check-actions: name: Check for GHA updates runs-on: ubuntu-latest permissions: contents: read pull-requests: write issues: write steps: - name: Checkout repository uses: actions/checkout@v4

- name: Setup Node.js uses: actions/setup-node@v4 with: node-version: '20'

- name: Install actions-up run: npm install -g actions-up

- name: Run actions-up check id: actions-check env: GITHUBTOKEN: ${{ secrets.GITHUBTOKEN }} run: | set -euo pipefail echo "## GitHub Actions Update Check" >> $GITHUBSTEPSUMMARY echo "" >> $GITHUBSTEPSUMMARY

# Run actions-up and capture machine-readable output echo "Running actions-up to check for updates..." actions-up --json > actions-up-report.json

UPDATE_COUNT=$(node -pe "JSON.parse(require('node:fs').readFileSync('actions-up-report.json', 'utf8')).summary.totalUpdates")

# Create formatted output if [ &quot;$UPDATE_COUNT&quot; -gt 0 ]; then echo &quot;Found $UPDATECOUNT GitHub Actions with available updates&quot; &gt;&gt; $GITHUBSTEP_SUMMARY echo &quot;&quot; &gt;&gt; $GITHUBSTEPSUMMARY echo &quot;&lt;details&gt;&quot; &gt;&gt; $GITHUBSTEPSUMMARY echo &quot;&lt;summary&gt;Click to see JSON report&lt;/summary&gt;&quot; &gt;&gt; $GITHUBSTEPSUMMARY echo &quot;&quot; &gt;&gt; $GITHUBSTEPSUMMARY echo &#39;</code></pre>json' >> $GITHUBSTEPSUMMARY cat actions-up-report.json >> $GITHUBSTEPSUMMARY echo '<pre><code class="lang-">&#39; &gt;&gt; $GITHUBSTEPSUMMARY echo &quot;&lt;/details&gt;&quot; &gt;&gt; $GITHUBSTEPSUMMARY

# Create detailed markdown report with better formatting node --input-type=module &lt;&lt;&#39;EOF&#39; import { readFileSync, writeFileSync } from &#39;node:fs&#39;

let report = JSON.parse(readFileSync(&#39;actions-up-report.json&#39;, &#39;utf8&#39;)) let lines = [ &#39;## GitHub Actions Update Report&#39;, &#39;&#39;, &#39;### Summary&#39;, - Updates available: ${report.summary.totalUpdates}, &#39;&#39;, &#39;### Updates&#39;, &#39;&#39;, ]

for (let update of report.updates) { let file = update.action.file ?? &#39;unknown&#39; let currentVersion = update.currentVersion ?? &#39;unknown&#39; let latestVersion = update.latestVersion ?? &#39;unknown&#39; lines.push( - \${update.action.name}\ in \${file}\: \${currentVersion}\ โ†’ \${latestVersion}\, ) }

lines.push(&#39;&#39;) lines.push(&#39;Run npx actions-up locally to review and apply updates.&#39;)

writeFileSync(&#39;actions-up-report.md&#39;, lines.join(&#39;\n&#39;)) EOF

echo &quot;has-updates=true&quot; &gt;&gt; $GITHUB_OUTPUT echo &quot;update-count=$UPDATECOUNT&quot; &gt;&gt; $GITHUBOUTPUT else echo &quot;All GitHub Actions are up to date!&quot; &gt;&gt; $GITHUBSTEPSUMMARY

{ echo &quot;## GitHub Actions Update Report&quot; echo &quot;&quot; echo &quot;### All GitHub Actions in this repository are up to date!&quot; echo &quot;&quot; echo &quot;No action required. Your workflows are using the latest versions of all GitHub Actions.&quot; } &gt; actions-up-report.md

echo &quot;has-updates=false&quot; &gt;&gt; $GITHUB_OUTPUT echo &quot;update-count=0&quot; &gt;&gt; $GITHUB_OUTPUT fi

- name: Comment PR with updates if: github.eventname == &#39;pullrequest&#39; &amp;&amp; github.event.pullrequest.head.repo.fullname == github.repository uses: actions/github-script@v7 with: script: | const fs = require(&#39;fs&#39;); const report = fs.readFileSync(&#39;actions-up-report.md&#39;, &#39;utf8&#39;); const hasUpdates = &#39;${{ steps.actions-check.outputs.has-updates }}&#39; === &#39;true&#39;;

// Check if we already commented const comments = await github.paginate(github.rest.issues.listComments, { owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number });

const botComment = comments.find(comment =&gt; comment.user.type === &#39;Bot&#39; &amp;&amp; comment.body.includes(&#39;GitHub Actions Update Report&#39;) );

const commentBody = ${report}

--- Generated by actions-up | Last check: ${new Date().toISOString()};

// Only comment if there are updates or if we previously commented if (hasUpdates || botComment) { if (botComment) { // Update existing comment await github.rest.issues.updateComment({ owner: context.repo.owner, repo: context.repo.repo, comment_id: botComment.id, body: commentBody }); console.log(&#39;Updated existing comment&#39;); } else { // Create new comment only if there are updates await github.rest.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number, body: commentBody }); console.log(&#39;Created new comment&#39;); } } else { console.log(&#39;No updates found and no previous comment exists - skipping comment&#39;); }

// Add or update PR labels based on status const labels = await github.rest.issues.listLabelsOnIssue({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number });

const hasOutdatedLabel = labels.data.some(label =&gt; label.name === &#39;outdated-actions&#39;);

if (hasUpdates &amp;&amp; !hasOutdatedLabel) { // Add label if updates are found try { await github.rest.issues.addLabels({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number, labels: [&#39;outdated-actions&#39;] }); console.log(&#39;Added outdated-actions label&#39;); } catch (error) { console.log(&#39;Could not add label (might not exist in repo):&#39;, error.message); } } else if (!hasUpdates &amp;&amp; hasOutdatedLabel) { // Remove label if no updates try { await github.rest.issues.removeLabel({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number, name: &#39;outdated-actions&#39; }); console.log(&#39;Removed outdated-actions label&#39;); } catch (error) { console.log(&#39;Could not remove label:&#39;, error.message); } }

- name: Fail if outdated actions found if: steps.actions-check.outputs.has-updates == &#39;true&#39; run: | echo &quot;::error:: Found ${{ steps.actions-check.outputs.update-count }} outdated GitHub Actions. Please update them before merging.&quot; echo &quot;&quot; echo &quot;You can update them by running: npx actions-up&quot; echo &quot;Or manually update the versions in your workflows.&quot; exit 1</code></pre>

Example

Regular Actions

# Before
  • uses: actions/checkout@v3
  • uses: actions/setup-node@v3

After running actions-up

  • uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
  • uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

Reusable Workflows

Actions Up also detects and updates reusable workflow calls:

# Before
jobs:
  call-workflow:
    uses: org/repo/.github/workflows/ci.yml@v1.0.0
    with:
      config: production

After running actions-up

jobs: call-workflow: uses: org/repo/.github/workflows/ci.yml@a1b2c3d4e5f6 # v2.0.0 with: config: production

Advanced Usage

GitHub Token

Use GITHUB_TOKEN (or a PAT) to raise API rate limits from 60 to 5000 requests/hour.

GITHUBTOKEN=yourtoken_here npx actions-up

Or in GitHub Actions:

- name: Check for updates
  env:
    GITHUBTOKEN: ${{ secrets.GITHUBTOKEN }}
  run: npx actions-up --json

Skipping Updates

Use CLI excludes or YAML ignore comments.

npx actions-up --exclude "my-org/." --exclude "./internal-.*"

Updates released less than 1 day ago are skipped by default. This cool-down protects against supply-chain attacks through freshly published releases. Use --min-age to change the threshold, or set it to 0 to disable the cool-down:

npx actions-up --min-age 7

Ignore comments (file/block/next-line/inline):

# actions-up-ignore-file

actions-up-ignore-next-line

  • uses: actions/checkout@v3
  • uses: actions/setup-node@v3 # actions-up-ignore

actions-up-ignore-start

  • uses: actions/cache@v3

actions-up-ignore-end

Why Actions Up?

Interactive CLI for developers who want control over GitHub Actions updates.

  • vs. Dependabot/Renovate: Dependabot and Renovate update via pull requests;
Actions Up is an interactive CLI with explicit SHA pinning by default and an opt-in preserve mode for tag users.
  • vs. pinact: pinact is a CLI to pin and update Actions and reusable
workflows; Actions Up adds interactive selection and major update warnings.
  • Zero-config: npx actions-up runs immediately.
  • Breaking change warnings: Major updates are flagged before applying.

Contributing

See Contributing Guide.

License

MIT © Azat S.

๐Ÿ”— More in this category

ยฉ 2026 GitRepoTrend ยท azat-io/actions-up ยท Updated daily from GitHub