feat: recurse into composite actions and show source workflows in summary #61
```text
# Conflicts:
#	__tests__/index.test.js
#	badges/coverage.svg
#	package-lock.json
#	package.json
#	src/index.js
```
Pull request overview
Expands the action's dependency scanning to cover indirect references by recursing into both composite actions and reusable workflows (including remote ones), and enhances reporting by attributing findings back to the caller workflow locations.
Changes:
- Recurse into local composite actions during extraction, and into remote composite actions / remote reusable workflows during expansion.
- Track and surface caller-side "source workflow" locations in summaries and logs (including workflow links).
- Add supporting helpers/tests and bump package version.
Show a summary per file
| File | Description |
|---|---|
| src/index.js | Adds recursion/expansion logic for composite actions & reusable workflows and enhances summary/reporting with caller source locations. |
| __tests__/index.test.js | Adds tests for local recursion, remote expansion, source-location formatting, and new helpers. |
| package.json | Bumps version to reflect behavior change. |
| package-lock.json | Updates lockfile version metadata to match package.json bump. |
| badges/coverage.svg | Updates coverage badge after new tests/lines. |
Copilot's findings
Comments suppressed due to low confidence (1)
src/index.js:1011
- In `byWorkflow` grouping, `sourceLocations` is set from the per-workflow deduplication, but then `...cachedResult` is spread afterwards. For unsupported actions, `cachedResult` currently includes its own `sourceLocations` (from the global unsupported list), which overwrites the per-workflow aggregated locations, so the summary can lose additional "found in" entries. Move the `sourceLocations` assignment to after the spread (or avoid storing `sourceLocations` in the cache) so per-workflow aggregation wins.
```js
        workflowFile: action.workflowFile,
        sourceLocations: action.sourceLocations || [],
        supported: action.supported !== false,
        isFirstParty: action.isFirstParty || false,
        ...cachedResult
      };
```
- Files reviewed: 3/5 changed files
- Comments generated: 1
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…cope requirements Closes joshjohanning#62
22cd0ce to e2ff3cf
Pull request overview
This PR expands the action reference extraction logic to recursively discover nested uses: references inside composite actions and reusable workflows (including remote ones), and enhances reporting to show caller workflow source locations in the summary and logs, closing remaining dependency coverage gaps for indirect references.
Changes:
- Add recursion into local composite actions plus remote composite actions and remote reusable workflows to expand nested `uses:` references.
- Track and surface caller-side source locations ("found in" workflows) in summary output/logging and improve reference formatting to include subpaths.
- Bump package version to `2.4.0` and update docs/tests accordingly.
Show a summary per file
| File | Description |
|---|---|
| src/index.js | Adds local/remote recursion, source-location tracking, cache/dedup changes, and improved formatting for path-based references. |
| __tests__/index.test.js | Adds/updates tests for recursion, remote content fetching, source formatting, and new helper functions. |
| README.md | Documents expanded scan coverage and token requirements for remote recursion; updates "How it Works". |
| action.yml | Updates github-token input description to reflect remote recursion requirements. |
| package.json | Version bump to 2.4.0. |
| package-lock.json | Lockfile version sync with package.json bump. |
| badges/coverage.svg | Updates coverage badge to reflect current test coverage. |
Copilot's findings
- Files reviewed: 5/7 changed files
- Comments generated: 5
- Fix cache mis-attribution by always deriving caller metadata from parentAction
- Rewrite local refs in remote reusable workflows to remote refs
- Skip docker actions silently instead of reporting as unsupported
- Save/restore env vars in tests to prevent leakage
- Fix README to match actual behavior for private repo recursion
Pull request overview
This PR expands the action's dependency scanning to recursively traverse remote composite actions and remote reusable workflows, and enhances reporting by surfacing caller workflow context in the summary/output metadata.
Changes:
- Recurse into local composite actions (nested `./` uses) and remote composite/reusable workflow references via `repos.getContent`.
- Add caller/source workflow metadata aggregation for clearer "found in" reporting and traversal hints.
- Bump package version to `2.4.0` and extend Jest coverage for the new recursion/reporting behavior.
Show a summary per file
| File | Description |
|---|---|
| src/index.js | Adds local/remote recursion, remote file fetching, action-path parsing, cache keying, and summary/source formatting updates. |
| __tests__/index.test.js | Adds/updates tests for action-path parsing, local composite recursion, remote expansion, and summary/source formatting. |
| README.md | Documents expanded scan coverage and token requirements for remote recursion. |
| action.yml | Updates github-token input description to reflect recursion needs. |
| package.json | Version bump to 2.4.0. |
| package-lock.json | Lockfile version bump to match 2.4.0. |
| badges/coverage.svg | Updates coverage badge value after test changes. |
Copilot's findings
Comments suppressed due to low confidence (1)
src/index.js:905
- Excluded first-party actions (when `includeFirstParty` is false) are added to the `first-party-actions` output without `actionPath`. Since `parseActionReference()` now supports path-based references (e.g. `github/codeql-action/init@v3`), the output will lose the path for these excluded actions. Consider including `actionPath` here (and in the cached entry if needed) to keep output fields consistent with the checked-first-party path handling.
```js
  // Process excluded first-party actions (no API check needed) - deduplicate by uses string
  const uniqueExcludedFirstParty = Array.from(new Map(excludedFirstPartyActions.map(a => [a.uses, a])).values());
  for (const action of uniqueExcludedFirstParty) {
    const actionInfo = {
      uses: action.uses,
      owner: action.owner,
      repo: action.repo,
      ref: action.ref,
      isFirstParty: true,
      immutable: true,
      releaseFound: false,
      message: 'Excluded (first-party)',
      allowed: true,
      excluded: true
    };
```
- Files reviewed: 5/7 changed files
- Comments generated: 2
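The two review points above (the `actionPath` lost for path-based references, and the earlier `sourceLocations` value being overwritten by the `...cachedResult` spread) and the local composite-action recursion this PR adds can be seen together in a small in-memory model. This is an added example, not the project's code from src/index.js: the file contents, the `FILES` map standing in for files on disk, and the helper names `parseActionReference`, `extractReferences`, `aggregateByUses`, `scanWorkflows` and `buildSummaryEntry` are constructed here for illustration, and workflow files are modelled as arrays of step objects rather than parsed YAML so the script runs with no dependencies.

```javascript
// Added example (not the project's code): an in-memory model of the recursive
// action-reference scan with caller "source workflow" tracking. All names and
// file contents below are constructed assumptions for illustration.

// Constructed repository: two workflows and one local composite action.
const FILES = {
  '.github/workflows/ci.yml': [
    { uses: 'actions/checkout@v4' },
    { uses: './.github/actions/setup' }, // local composite action
    { uses: 'docker://alpine:3.19' }, // docker reference, skipped silently
  ],
  '.github/workflows/release.yml': [
    { uses: './.github/actions/setup' },
    { uses: 'github/codeql-action/init@v3' }, // path-based reference
  ],
  '.github/actions/setup/action.yml': [
    { uses: 'actions/setup-node@v4' },
    { uses: 'github/codeql-action/init@v3' },
  ],
};

// Parse a `uses:` value. Path-based references keep their subpath in
// actionPath so later output does not lose it (e.g. `init` above).
function parseActionReference(uses) {
  if (uses.startsWith('docker://')) return { kind: 'docker', uses };
  if (uses.startsWith('./')) return { kind: 'local', uses, path: uses.slice(2) };
  const m = /^([^/@]+)\/([^/@]+)(?:\/([^@]+))?@(.+)$/.exec(uses);
  if (!m) return { kind: 'invalid', uses };
  return { kind: 'remote', uses, owner: m[1], repo: m[2], actionPath: m[3] || null, ref: m[4] };
}

// Walk one workflow, recursing into local composite actions, and attribute
// every remote reference back to the calling workflow together with the
// chain of composite actions it was reached through.
function extractReferences(workflowFile, files) {
  const found = [];
  const walk = (file, via, visited) => {
    const steps = files[file];
    if (!steps) throw new Error(`missing file: ${file}`);
    for (const step of steps) {
      const parsed = parseActionReference(step.uses);
      if (parsed.kind === 'local') {
        const actionFile = `${parsed.path}/action.yml`;
        // visited holds the current chain, so a composite cycle stops here
        if (!visited.has(actionFile)) {
          walk(actionFile, [...via, parsed.uses], new Set(visited).add(actionFile));
        }
      } else if (parsed.kind === 'remote') {
        const location = via.length ? `${workflowFile} (via ${via.join(' -> ')})` : workflowFile;
        found.push({ ...parsed, workflowFile, sourceLocations: [location] });
      }
      // docker:// and unparsable references are skipped silently
    }
  };
  walk(workflowFile, [], new Set([workflowFile]));
  return found;
}

// Deduplicate by `uses` string and merge the "found in" locations.
function aggregateByUses(refs) {
  const byUses = new Map();
  for (const ref of refs) {
    const entry = byUses.get(ref.uses) || { ...ref, sourceLocations: [] };
    for (const loc of ref.sourceLocations) {
      if (!entry.sourceLocations.includes(loc)) entry.sourceLocations.push(loc);
    }
    byUses.set(ref.uses, entry);
  }
  return [...byUses.values()];
}

// Scan every workflow file in the constructed repository.
function scanWorkflows(files) {
  const workflows = Object.keys(files).filter((f) => f.startsWith('.github/workflows/'));
  return aggregateByUses(workflows.flatMap((wf) => extractReferences(wf, files)));
}

// Merge a cached lookup result into a summary entry. The cached result may
// carry its own sourceLocations (e.g. from a global unsupported list), so the
// per-workflow aggregation is assigned after the spread and cannot be overwritten.
function buildSummaryEntry(action, cachedResult) {
  return {
    uses: action.uses,
    workflowFile: action.workflowFile,
    actionPath: action.actionPath || null,
    supported: action.supported !== false,
    ...cachedResult,
    sourceLocations: action.sourceLocations || [],
  };
}

console.log(JSON.stringify(scanWorkflows(FILES), null, 2));
```

Running the script lists three distinct references; `github/codeql-action/init@v3` is reported once with three "found in" locations (via the composite action from both workflows, and directly from release.yml), which is the aggregation a cache entry spread last would clobber.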
This is great @Wuodan!!! Thank you
Draft Release Created: A draft release v2.4.0 has been created for this PR. View Draft Release. Next Steps
Contains previous PR commits up to #60.
This change recurses into remote composite actions and remote reusable workflows.
That closes the remaining dependency-coverage gap apart from unsupported `docker://` references, because indirect third-party action references pulled in from external workflows and composite actions are now included in the scan.
Test workflows: `target-*.yml` from Wuodan/ensure-immutable-actions-test
Validation run with this PR branch:
The test run also validates the action outputs, unlike the earlier PR test runs.
Also included (from closed PRs)