Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: joshjohanning/ensure-immutable-actions
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v2.3.0
Choose a base ref
...
head repository: joshjohanning/ensure-immutable-actions
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v2.4.0
Choose a head ref
  • 2 commits
  • 16 files changed
  • 4 contributors

Commits on Apr 10, 2026

  1. feat: recurse into composite actions and show source workflows in sum… 

    …mary (#61)

* Scan jobs.<job>.uses when checking workflow actions

* Report unsupported action reference types separately

* Recurse into local composite actions during extraction

* Show caller workflow files in summary findings

* Recurse into remote composite actions and reusable workflows

* Show source workflows for external recursive findings

* chore: format and bump coverage

* perf: skip remote expansion for first-party actions when not included

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* chore: format and bump coverage

* docs: update README and action.yml for recursive scanning and token scope requirements

Closes #62

* fix: address review feedback for remote expansion

- Fix cache mis-attribution by always deriving caller metadata from parentAction
- Rewrite local refs in remote reusable workflows to remote refs
- Skip docker actions silently instead of reporting as unsupported
- Save/restore env vars in tests to prevent leakage
- Fix README to match actual behavior for private repo recursion

* fix: prevent cachedResult from overwriting per-workflow sourceLocations

* fix: use /blob/ links for workflow file references instead of /tree/

---------

Co-authored-by: Josh Johanning <joshjohanning@github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
    @Wuodan @joshjohanning
    3 people authored Apr 10, 2026
    Configuration menu
    Copy the full SHA
    12c5e55 View commit details
    Browse the repository at this point in the history

  2. chore: prepare v2.4.0 release

    @github-actions
    github-actions[bot] authored Apr 10, 2026
    Configuration menu
    Copy the full SHA
    dc0bca3 View commit details
    Browse the repository at this point in the history
Loading