feat: update command always updates core actions (actions/*) to latest major version (#18692)

Author: Copilot

.changeset/patch-update-actions-core-workflows.md

@@ -31,7 +31,7 @@ jobs:
     steps:
       - name: Precompute deterministic findings
         id: precompute
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           github-token: ${{ secrets.GH_AW_BOT_DETECTION_TOKEN || secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/bot-detection.lock.yml

@@ -33,7 +33,7 @@ timeout-minutes: 20
 strict: true
 steps:
   - name: Setup Go
-    uses: actions/setup-go@v5
+    uses: actions/setup-go@v6
     with:
       go-version-file: go.mod
       cache: true

.github/workflows/bot-detection.md

@@ -51,7 +51,7 @@ jobs:
 
       - name: Compute release configuration
         id: compute_config
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const releaseType = context.payload.inputs.release_type;
@@ -172,7 +172,7 @@ jobs:
           echo "✓ Tag created: $RELEASE_TAG"
           
       - name: Setup Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
         with:
           go-version-file: go.mod
           cache: false  # Disabled for release security - prevent cache poisoning attacks

.github/workflows/daily-syntax-error-quality.lock.yml

@@ -8,6 +8,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"regexp"
 	"sort"
 	"strings"
 
@@ -28,6 +29,12 @@ func extractBaseRepo(actionPath string) string {
 	return actionPath
 }
 
+// isCoreAction returns true if the repo is a GitHub-maintained core action (actions/* org).
+// Core actions are always updated to the latest major version without requiring --major.
+func isCoreAction(repo string) bool {
+	return strings.HasPrefix(repo, "actions/")
+}
+
 // UpdateActions updates GitHub Actions versions in .github/aw/actions-lock.json
 // It checks each action for newer releases and updates the SHA if a newer version is found
 func UpdateActions(allowMajor, verbose bool) error {
@@ -70,8 +77,11 @@ func UpdateActions(allowMajor, verbose bool) error {
 	for key, entry := range actionsLock.Entries {
 		updateLog.Printf("Checking action: %s@%s", entry.Repo, entry.Version)
 
+		// Core actions (actions/*) always update to the latest major version
+		effectiveAllowMajor := allowMajor || isCoreAction(entry.Repo)
+
 		// Check for latest release
-		latestVersion, latestSHA, err := getLatestActionRelease(entry.Repo, entry.Version, allowMajor, verbose)
+		latestVersion, latestSHA, err := getLatestActionRelease(entry.Repo, entry.Version, effectiveAllowMajor, verbose)
 		if err != nil {
 			if verbose {
 				fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("Failed to check %s: %v", entry.Repo, err)))
@@ -456,3 +466,175 @@ func marshalActionsLockSorted(actionsLock *actionsLockFile) ([]byte, error) {
 	buf.WriteString("  }\n}")
 	return []byte(buf.String()), nil
 }
+
+// actionRefPattern matches "uses: actions/repo@SHA-or-tag" in workflow files.
+// Captures: (1) indentation+uses prefix, (2) repo path, (3) SHA or version tag,
+// (4) optional version comment (e.g., "v6.0.2" from "# v6.0.2"), (5) trailing whitespace.
+var actionRefPattern = regexp.MustCompile(`(uses:\s+)(actions/[a-zA-Z0-9_.-]+(?:/[a-zA-Z0-9_.-]+)*)@([a-fA-F0-9]{40}|[^\s#\n]+?)(\s*#\s*\S+)?(\s*)$`)
+
+// getLatestActionReleaseFn is the function used to fetch the latest release for an action.
+// It can be replaced in tests to avoid network calls.
+var getLatestActionReleaseFn = getLatestActionRelease
+
+// latestReleaseResult caches a resolved version/SHA pair.
+type latestReleaseResult struct {
+	version string
+	sha     string
+}
+
+// UpdateActionsInWorkflowFiles scans all workflow .md files under workflowsDir
+// (recursively) and updates any "uses: actions/*@version" references to the latest
+// major version. Updated files are recompiled. Core actions (actions/*) always update
+// to latest major.
+func UpdateActionsInWorkflowFiles(workflowsDir, engineOverride string, verbose bool) error {
+	if workflowsDir == "" {
+		workflowsDir = getWorkflowsDir()
+	}
+
+	updateLog.Printf("Updating action references in workflow files: dir=%s", workflowsDir)
+
+	// Per-invocation cache: key = "repo@currentVersion", avoids repeated API calls
+	cache := make(map[string]latestReleaseResult)
+
+	var updatedFiles []string
+
+	err := filepath.WalkDir(workflowsDir, func(path string, d os.DirEntry, walkErr error) error {
+		if walkErr != nil {
+			return walkErr
+		}
+		if d.IsDir() || !strings.HasSuffix(d.Name(), ".md") {
+			return nil
+		}
+
+		content, err := os.ReadFile(path)
+		if err != nil {
+			if verbose {
+				fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("Failed to read %s: %v", path, err)))
+			}
+			return nil
+		}
+
+		updated, newContent, err := updateActionRefsInContent(string(content), cache, verbose)
+		if err != nil {
+			if verbose {
+				fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("Failed to update action refs in %s: %v", path, err)))
+			}
+			return nil
+		}
+
+		if !updated {
+			return nil
+		}
+
+		if err := os.WriteFile(path, []byte(newContent), 0644); err != nil {
+			return fmt.Errorf("failed to write updated workflow %s: %w", path, err)
+		}
+
+		fmt.Fprintln(os.Stderr, console.FormatSuccessMessage("Updated action references in "+d.Name()))
+		updatedFiles = append(updatedFiles, path)
+
+		// Recompile the updated workflow
+		if err := compileWorkflowWithRefresh(path, verbose, false, engineOverride, false); err != nil {
+			if verbose {
+				fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("Failed to recompile %s: %v", path, err)))
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		return fmt.Errorf("failed to walk workflows directory: %w", err)
+	}
+
+	if len(updatedFiles) == 0 && verbose {
+		fmt.Fprintln(os.Stderr, console.FormatInfoMessage("No action references needed updating in workflow files"))
+	}
+
+	return nil
+}
+
+// updateActionRefsInContent replaces outdated "uses: actions/*@version" references
+// in content with the latest major version and SHA. Returns (changed, newContent, error).
+// cache is keyed by "repo@currentVersion" and avoids redundant API calls across lines/files.
+func updateActionRefsInContent(content string, cache map[string]latestReleaseResult, verbose bool) (bool, string, error) {
+	changed := false
+	lines := strings.Split(content, "\n")
+
+	for i, line := range lines {
+		match := actionRefPattern.FindStringSubmatchIndex(line)
+		if match == nil {
+			continue
+		}
+
+		// Extract matched groups
+		prefix := line[match[2]:match[3]] // "uses: "
+		repo := line[match[4]:match[5]]   // e.g. "actions/checkout"
+		ref := line[match[6]:match[7]]    // SHA or version tag
+		comment := ""
+		if match[8] >= 0 {
+			comment = line[match[8]:match[9]] // e.g. " # v6.0.2"
+		}
+		trailing := ""
+		if match[10] >= 0 {
+			trailing = line[match[10]:match[11]]
+		}
+
+		// Determine the "current version" to pass to getLatestActionReleaseFn
+		isSHA := IsCommitSHA(ref)
+		currentVersion := ref
+		if isSHA {
+			// Extract version from comment (e.g., " # v6.0.2" -> "v6.0.2")
+			if comment != "" {
+				commentVersion := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(comment), "#"))
+				if commentVersion != "" {
+					currentVersion = commentVersion
+				} else {
+					currentVersion = ""
+				}
+			} else {
+				currentVersion = ""
+			}
+		}
+
+		// Resolve latest version/SHA, using the cache to avoid redundant API calls.
+		// Use "|" as separator since GitHub repo names cannot contain "|".
+		cacheKey := repo + "|" + currentVersion
+		result, cached := cache[cacheKey]
+		if !cached {
+			latestVersion, latestSHA, err := getLatestActionReleaseFn(repo, currentVersion, true, verbose)
+			if err != nil {
+				updateLog.Printf("Failed to get latest release for %s: %v", repo, err)
+				continue
+			}
+			result = latestReleaseResult{version: latestVersion, sha: latestSHA}
+			cache[cacheKey] = result
+		}
+		latestVersion := result.version
+		latestSHA := result.sha
+
+		if isSHA {
+			if latestSHA == ref {
+				continue // SHA unchanged
+			}
+		} else {
+			if latestVersion == ref {
+				continue // Version tag unchanged
+			}
+		}
+
+		// Build the new uses line
+		var newRef string
+		if isSHA {
+			// SHA-pinned references stay SHA-pinned, updated to latest SHA + version comment
+			newRef = fmt.Sprintf("%s%s%s@%s  # %s%s", line[:match[2]], prefix, repo, latestSHA, latestVersion, trailing)
+		} else {
+			// Version tag references just get the new version tag
+			newRef = fmt.Sprintf("%s%s%s@%s%s%s", line[:match[2]], prefix, repo, latestVersion, comment, trailing)
+		}
+
+		updateLog.Printf("Updating %s from %s to %s in line %d", repo, ref, latestVersion, i+1)
+		lines[i] = newRef
+		changed = true
+	}
+
+	return changed, strings.Join(lines, "\n"), nil
+}