feat: force update all actions to latest major version, add --disable-release-bump flag #18707
…-release-bump flag Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot run "update" on the repo
Ran
Warning: Firewall rules blocked me from connecting to one or more addresses.
I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
Pull request overview
Extends gh aw update action-version updating to force-bump all referenced GitHub Actions (not just actions/*) to the latest major version by default, and introduces --disable-release-bump to revert to the prior “only force-bump core actions” behavior.
Changes:
- Added `--disable-release-bump` flag to the update command and threaded it through `RunUpdateWorkflows`.
- Updated `UpdateActions` and workflow-file scanning to support “force bump all orgs” vs “only force bump core actions” behavior.
- Expanded action reference matching from `actions/*` to `org/repo@ref` in workflow `.md` files and updated unit tests accordingly.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/cli/upgrade_command.go | Updated callsite to new UpdateActions signature. |
| pkg/cli/update_command.go | Added --disable-release-bump flag; updated RunUpdateWorkflows wiring and logging. |
| pkg/cli/update_command_test.go | Updated tests for new RunUpdateWorkflows / UpdateActions signatures. |
| pkg/cli/update_actions_test.go | Updated/refined tests and added coverage for “all orgs updated when allowMajor”. |
| pkg/cli/update_actions.go | Implemented new release-bump behavior, broadened action ref regex, and added allowMajor gating for workflow ref updates. |
| // Requires the org to start with an alphanumeric character and contain only alphanumeric, | ||
| // hyphens, or underscores (no dots, matching GitHub's org naming rules) to exclude local | ||
| // paths (e.g. "./..."). Repository names may additionally contain dots. | ||
| // Captures: (1) indentation+uses prefix, (2) repo path, (3) SHA or version tag, | ||
| // (4) optional version comment (e.g., "v6.0.2" from "# v6.0.2"), (5) trailing whitespace. |
actionRefPattern’s doc comment doesn’t match what the regex actually captures/permits. In particular, capture group (1) is only uses:\s+ (indentation is not included), and the org pattern currently allows underscores even though the comment states it follows GitHub org naming rules (and explicitly calls out allowed characters). Please either adjust the comment to reflect the actual regex, or tighten the regex to match the documented constraints so future changes don’t rely on incorrect assumptions.
| // Requires the org to start with an alphanumeric character and contain only alphanumeric, | |
| // hyphens, or underscores (no dots, matching GitHub's org naming rules) to exclude local | |
| // paths (e.g. "./..."). Repository names may additionally contain dots. | |
| // Captures: (1) indentation+uses prefix, (2) repo path, (3) SHA or version tag, | |
| // (4) optional version comment (e.g., "v6.0.2" from "# v6.0.2"), (5) trailing whitespace. | |
| // Requires the org segment to start with an alphanumeric character and contain only | |
| // alphanumeric characters, hyphens, or underscores (no dots) to exclude local paths | |
| // (e.g. "./..."). This is slightly looser than GitHub's org naming rules, which disallow | |
| // underscores. Repository and subpath segments may additionally contain dots. | |
| // Captures: (1) the "uses:" prefix plus following whitespace (no leading indentation), | |
| // (2) the repo path (org/repo[/subpath...]), (3) the SHA or version tag, | |
| // (4) an optional version comment (e.g., "v6.0.2" from "# v6.0.2"), (5) trailing whitespace. |
| @@ -600,7 +616,7 @@ func updateActionRefsInContent(content string, cache map[string]latestReleaseRes | |||
| cacheKey := repo + "|" + currentVersion | |||
| result, cached := cache[cacheKey] | |||
| if !cached { | |||
| latestVersion, latestSHA, err := getLatestActionReleaseFn(repo, currentVersion, true, verbose) | |||
| latestVersion, latestSHA, err := getLatestActionReleaseFn(repo, currentVersion, effectiveAllowMajor, verbose) | |||
| if err != nil { | |||
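Review bot: the cache key on the first context line, repo + "|" + currentVersion, does not include effectiveAllowMajor, yet the value stored under that key now depends on it (the call previously always passed true). If the cache map handed to updateActionRefsInContent is ever shared between calls made with different allowMajor values, a result resolved under one setting would be returned for the other. Either add the flag to the key, or add a comment next to cacheKey stating that effectiveAllowMajor is fixed for a given repo within one run.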
updateActionRefsInContent will treat any non-SHA ref as a “version tag” and attempt to resolve it via releases. That means refs like uses: owner/repo@main (or other non-semver branch names) can be rewritten to the latest semver release tag, because getLatestActionRelease() treats an unparsable currentVersion as “pick the highest semver release” regardless of allowMajor. This becomes much more likely now that the pattern matches all orgs. Consider explicitly skipping non-semver, non-SHA refs (e.g., only update when ref looks like a semver tag), or changing getLatestActionRelease() to not jump to the highest semver when allowMajor is false and the current ref isn’t semver.
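The guard suggested in the review comment above, written out as an added example (not code from this PR or from gh-aw): classify each `uses:` ref as a full SHA, a semver-style tag, or anything else, and only let the first two reach release resolution. The regexes, `classifyUses` and `eligibleForBump` are hypothetical names and patterns chosen for this sketch.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical patterns for this example; they are not gh-aw's actionRefPattern.
var (
	usesRe   = regexp.MustCompile(`^(\s*(?:-\s+)?uses:\s+)([A-Za-z0-9][A-Za-z0-9_-]*/[A-Za-z0-9._/-]+)@(\S+)`)
	shaRe    = regexp.MustCompile(`^[0-9a-f]{40}$`)
	semverRe = regexp.MustCompile(`^v?\d+(\.\d+){0,2}$`)
)

type refKind int
const (
	refNone   refKind = iota // not a remote action reference (e.g. a local "./" path)
	refSHA                   // pinned to a full commit SHA
	refSemver                // version tag such as v4 or v6.0.2
	refOther                 // branch or other non-semver name such as main
)

// classifyUses returns the repo path, the ref and the ref's kind for one workflow line.
func classifyUses(line string) (repo, ref string, kind refKind) {
	m := usesRe.FindStringSubmatch(line)
	if m == nil {
		return "", "", refNone
	}
	repo, ref = m[2], m[3]
	switch {
	case shaRe.MatchString(ref):
		return repo, ref, refSHA
	case semverRe.MatchString(ref):
		return repo, ref, refSemver
	}
	return repo, ref, refOther
}

// eligibleForBump is false for branch-style refs, so "owner/repo@main" is never rewritten to a release tag.
func eligibleForBump(line string) bool {
	_, _, kind := classifyUses(line)
	return kind == refSHA || kind == refSemver
}

func main() {
	for _, l := range []string{"  uses: actions/checkout@v4", "  uses: owner/repo@main"} { // constructed lines
		fmt.Println(l, eligibleForBump(l))
	}
}
```

Pre-release tags such as `v1.0.0-beta` fall into `refOther` here and are left untouched, which is the conservative choice for an updater that rewrites third-party action refs.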
`gh aw update` only force-bumped `actions/*` core actions to the latest major version. This extends that behavior to all orgs and adds `--disable-release-bump` to revert to the previous behavior.

Behavior changes
- `gh aw update`): all actions in `actions-lock.json` and all `org/repo@version` references in workflow `.md` files are updated to the latest major version, regardless of org
- `gh aw update --disable-release-bump`: reverts to old behavior — only `actions/*` is force-bumped; other orgs respect the `--major` flag

Implementation
- `actionRefPattern` extended from `actions/[repo]@...` to `[org]/[repo]@...` (org must start with alphanumeric, excluding local `./` paths)
- `UpdateActions`: new `disableReleaseBump bool` param; `effectiveAllowMajor = !disableReleaseBump || allowMajor || isCoreAction(repo)`
- `updateActionRefsInContent`: new `allowMajor bool` param; skips non-core refs when `allowMajor=false`
- `UpdateActionsInWorkflowFiles`: passes `!disableReleaseBump` as `allowMajor` downstream
- `upgrade_command.go` updated to use the new `UpdateActions` signature (keeps force-all default)

Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either: