…dates emission

Sub-path action references (owner/repo/path@ref, e.g. Homebrew/actions/setup-homebrew) were passed whole to the GitHub REST API as /repos/<owner>/<repo>/..., which 404s. Downstream: check reported "could not resolve ref", list --only=tag|branch filtered them as unknown, and updates silently failed head_sha while still emitting classifications. A new _action_repo helper trims to owner/repo and is applied at every API call site in cmd_check, cmd_updates, and cmd_list api_mode.

cmd_updates switches from per-run dedup (one record per unique pin across all files) to per-file dedup matching cmd_check, so a pin appearing in multiple workflows is now reported for each file — operators can see every file that needs editing to take an upgrade. API results are cached across files by (repo, ref) so the change adds no request cost. The unused seen_in_run / _once_per_run machinery is removed.

Bats coverage: sub-path classification across check/list/updates, stale sub-path branch drift, and multi-file updates emission.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Preflight failures (missing curl/jq, auth rejection, rate limit exhausted or tight, connectivity loss, unexpected HTTP status) and missing-file WARNs in cmd_check now write to stderr, matching the existing behaviour of cmd_list and cmd_updates. Keeps structured plain/tsv output on stdout so downstream pipes see only the per-pin result payload. _emit_check WARN lines (ref drift, unresolvable ref) stay on stdout because those are check's result, not diagnostic output.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Restore classification and drift reporting for GitHub Actions referenced by sub-path (owner/repo/subpath@ref, e.g. Homebrew/actions/setup-homebrew), and change updates to emit one record per workflow file so operators can see every file that needs editing to take an upgrade. Routes diagnostic WARNs to stderr so structured plain/tsv output pipes cleanly.

Related Issues
Fixes #124
Changes
- _action_repo() helper that trims an action reference to its containing owner/repo, and apply it at every API call site in cmd_check, cmd_updates, and cmd_list api_mode. Sub-path refs no longer 404 against /repos/... endpoints.
- cmd_updates from per-run dedup to per-file dedup mirroring cmd_check, with per-invocation updates_newer_cache/updates_head_cache so API cost stays one call per unique (repo, ref) pair. Drops the now-unused seen_in_run/_once_per_run.
- check (drift, unresolvable ref) stay on stdout — they're part of the result payload, not diagnostic output.
- cmd_updates docstring and the updates section of the man page.
- check/list/updates, stale sub-path branch drift, multi-file updates emission, and _action_repo unit tests. 93/93 pass.

Further Comments
Verified end-to-end against knight-owl-dev/homebrew-tap workflows:

Before the fix, all three returned empty output (or only the first file) for the Homebrew pin because the resolver 404'd on the sub-path.
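
The trimming and per-file reporting described in this pull request, sketched as an added example that is not the project's own code and makes no API calls. The names action_repo, plan_lookups and sample_pins, the file<TAB>uses input format, and the refs v4 and master in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example; action_repo, plan_lookups and sample_pins are hypothetical names.

# Trim a `uses:` value to the owner/repo that /repos/<owner>/<repo>/... expects.
# Returns 1 when the reference has no GitHub repo (local path, docker image).
action_repo() {
  spec=${1%%@*}                         # drop the @ref suffix, if any
  case $spec in
    ./*|../*|docker://*) return 1 ;;    # local action or container image
  esac
  owner=${spec%%/*}
  rest=${spec#*/}
  [ "$rest" != "$spec" ] || return 1    # no slash: not owner/repo
  repo=${rest%%/*}                      # anything after this is the sub-path
  [ -n "$owner" ] && [ -n "$repo" ] || return 1
  printf '%s/%s\n' "$owner" "$repo"
}

# Read "file<TAB>uses" lines on stdin. Print one record per file and pin on
# stdout, marking whether the (repo, ref) pair needs an API lookup or was
# already resolved for an earlier file. Diagnostics go to stderr.
plan_lookups() {
  tab=$(printf '\t'); nl='
'
  seen=$nl
  while IFS="$tab" read -r file uses; do
    repo=$(action_repo "$uses") || { echo "WARN: $file: skipping $uses" >&2; continue; }
    case $uses in *@*) ref=${uses#*@} ;; *) ref= ;; esac
    key="$repo@$ref"
    case $seen in
      *"$nl$key$nl"*) src=cached ;;
      *) src=lookup; seen="$seen$key$nl" ;;
    esac
    printf '%s\t%s\t%s\t%s\n' "$file" "$repo" "$ref" "$src"
  done
}

# Constructed sample: two workflow files sharing two pins, plus a local action.
sample_pins() {
  printf '%s\t%s\n' \
    ci.yml      actions/checkout@v4 \
    ci.yml      Homebrew/actions/setup-homebrew@master \
    release.yml ./.github/actions/local \
    release.yml actions/checkout@v4 \
    release.yml Homebrew/actions/setup-homebrew@master
}

sample_pins | plan_lookups
```

Every file that carries a pin gets its own record, while the last column shows that only the first occurrence of each (repo, ref) pair would cost a request.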