Comparing changes
base repository: joshjohanning/ensure-immutable-actions
base: v2.5.2
head repository: joshjohanning/ensure-immutable-actions
compare: v2.5.3
  • 2 commits
  • 16 files changed
  • 3 contributors

Commits on May 5, 2026

  1. fix: local workflow recursion, recursive exclusions, and remote composite path handling (#81)
    
    * fix: handle local workflow and action paths separately
    
    - Handle local action paths and local reusable workflow paths separately, matching GitHub semantics.
    - Recurse into local reusable workflows during extraction.
    - Apply exclude-workflows inside that recursion.
    - Stop recursion on local reusable workflow cycles.
    - Reject workflow paths that escape the workspace.
    
    * fix: apply exclude-workflows consistently during traversal
    
    Intent:
    - make exclude-workflows mean the same thing everywhere
    - let exclusions win even when workflows is set
    - skip excluded reusable workflows during recursive traversal
    
    Technical:
    - apply exclude-workflows after top-level workflow selection in both modes
    - drop excluded reusable workflow refs before adding them to the action set
    - propagate excludeWorkflowPatterns through remote recursion
    - add tests for workflows+exclude-workflows overlap and excluded remote reusable traversal
    
    * fix: resolve remote composite local refs from the repo root
    
    Background:
    - 12c5e55 added remote composite recursion
    - it also started resolving nested `./...` refs relative to the composite action directory
    
    Why:
    - `./...` is the local-path form in GitHub Actions
    - a remote ref only exists in `{owner}/{repo}/...@ref` form
    - so treating `./...` inside a remote composite action as action-directory-relative remote content cannot work under the documented syntax
    - for this scanner, such refs must be interpreted as repo-root paths if we expand them at all
    
    Technical:
    - stop joining remote composite local refs with `action.actionPath`
    - normalize `./...` directly from repo root
    - update regression coverage to use a repo-root `.github/actions/...` lookup
    
    * fix: harden action reference parsing against slow invalid input
    
    Replace the regex-based action reference parser with deterministic string parsing to avoid polynomial backtracking on malformed uses strings.
    
    Keep support for owner/repo, single-segment path, and multi-segment path references, and add parser coverage for invalid and multi-segment path cases.
    
    * fix: address review findings
    
    - Remove unused baseDir parameter from extractActionsFromLocalReusableWorkflow
    - Move exclusion check before file I/O to prevent excluded+missing files
      from surfacing as unsupported findings
    - Handle normalize('./') edge case in remote composite expansion that
      would produce malformed owner/repo/.@ref references
    - Update action.yml exclude-workflows description to match new behavior
    - Remove extra ignored argument in resolveLocalReusableWorkflowPath test
    - Bump version to 2.5.3
    
    * fix: handle normalize edge case in remote reusable workflow expansion
    
    - Apply the same resolvedPath === '.' guard to expandRemoteReusableWorkflow
      (both job-level and step-level ./ refs) to prevent malformed
      owner/repo/.@ref references
    - Remove extra ignored argument in path traversal test
    
    ---------
    
    Co-authored-by: Josh Johanning <joshjohanning@github.com>
    Wuodan and joshjohanning authored May 5, 2026
    6cc152d
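The commit message above describes three related changes: replacing a regex-based parser for `uses:` references with deterministic string parsing so malformed input cannot cause polynomial backtracking, resolving `./...` references found inside remote composite actions from the repository root rather than the action directory, and guarding the case where normalizing `./` yields `.` so that no malformed `owner/repo/.@ref` reference is produced. The block below is an added example of how such a parser can be written; it is not the project's own code. The function names `isSafeSegment`, `normalizeLocalPath`, `parseActionReference` and `expandRemoteLocalRef`, the returned object shape, and the allow-list of permitted characters are assumptions made for this example (GitHub's real naming rules for owners are narrower than the allow-list used here).

```javascript
// Added example (not the project's code): a regex-free parser for GitHub Actions
// `uses:` references in the forms `owner/repo@ref`, `owner/repo/path@ref`,
// `./local/path` and `docker://image`. Every step is a single linear scan or
// split, so a malformed string is rejected in time proportional to its length
// and can never trigger regex backtracking.

// Conservative allow-list for owner, repo and path segments (assumption for this
// example; GitHub's actual rules for owner names are stricter).
function isSafeSegment(segment) {
  if (segment.length === 0 || segment === '.' || segment === '..') return false;
  for (const ch of segment) {
    const ok =
      (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') ||
      (ch >= '0' && ch <= '9') || ch === '-' || ch === '_' || ch === '.';
    if (!ok) return false;
  }
  return true;
}

// Collapses '.', '..' and empty segments of a `./...` reference into a path
// relative to the repository root. Returns '.' for the root itself and null
// when the path climbs above the root (the "escapes the workspace" case).
function normalizeLocalPath(localRef) {
  const out = [];
  for (const seg of localRef.slice(2).split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null; // would leave the repository
      out.pop();
      continue;
    }
    if (!isSafeSegment(seg)) return null;
    out.push(seg);
  }
  return out.length === 0 ? '.' : out.join('/');
}

// Parses one `uses:` value. Returns a tagged object, or null for invalid input.
function parseActionReference(uses) {
  if (typeof uses !== 'string' || uses.length === 0) return null;
  if (uses.startsWith('docker://')) {
    const image = uses.slice('docker://'.length);
    return image.length === 0 ? null : { kind: 'docker', image };
  }
  if (uses.startsWith('./')) {
    const localPath = normalizeLocalPath(uses);
    return localPath === null ? null : { kind: 'local', path: localPath };
  }
  // Remote form: everything before the first '@' is owner/repo[/path] and
  // everything after it is the ref. A remote reference without '@' is invalid.
  const at = uses.indexOf('@');
  if (at === -1) return null;
  const location = uses.slice(0, at);
  const ref = uses.slice(at + 1);
  if (ref.length === 0 || [...ref].some((ch) => ch.trim() === '' || ch === '@')) return null;
  const segments = location.split('/');
  if (segments.length < 2 || !segments.every(isSafeSegment)) return null;
  const [owner, repo, ...pathSegments] = segments;
  return { kind: 'remote', owner, repo, path: pathSegments.join('/'), ref };
}

// Rewrites a `./...` reference found inside a remote composite action (or remote
// reusable workflow) as a remote reference rooted at that repository: resolved
// from the repo root, never from the action directory, and never emitting
// `owner/repo/.@ref` when the normalized path is just '.'.
function expandRemoteLocalRef(localRef, owner, repo, ref) {
  const parsed = parseActionReference(localRef);
  if (parsed === null || parsed.kind !== 'local') return null;
  if (parsed.path === '.') return `${owner}/${repo}@${ref}`;
  return `${owner}/${repo}/${parsed.path}@${ref}`;
}
```

Because `normalizeLocalPath` rejects any `..` that would climb past the repository root, the same function serves both the workspace-escape check for local reusable workflows and the repo-root resolution of nested `./...` references inside remote composites; the `'.'` guard in `expandRemoteLocalRef` is the counterpart of the `resolvedPath === '.'` check the commit message applies to both job-level and step-level references.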
  2. 09f521e