actup
actup is a GitHub Actions version manager. It scans uses: references in your workflow files and composite actions, then reports, updates, or SHA-pins the ones that are out of date — across GitHub, GitLab and Gitea hosts.
It is a TypeScript/Bun port of the Rust actup.
Why
CI workflows accumulate stale and floating action references. actup:
- Finds outdated, floating (
@main), pinned and unresolvable refs. - Updates them per a configurable policy (track major, exact, etc.).
- SHA-pins refs to immutable commit SHAs for supply-chain hardening, with a recoverable
# tagcomment so pins can be reversed. - Works against GitHub / GitHub Enterprise, GitLab and Gitea / Forgejo / Codeberg in one pass.
- Uses a TTL SQLite cache so repeated runs are fast and an
--offlinemode works with no network at all. - Edits files with byte-span surgical rewrites — untouched lines keep their exact formatting, quoting and comments.
What it does not do
actup is not a hosted bot. It does not open pull requests, manage language-package dependencies, or schedule itself. It is a CLI you run locally or in CI. See comparison for a factual side-by-side with Dependabot and Renovate.
Feature overview
| Area | Behavior |
|---|---|
| Discovery | .github/workflows/*.{yml,yaml}, action.{yml,yaml}, .github/actions/*/action.{yml,yaml}, plus configured extra paths |
| Providers | GitHub (REST + GraphQL), GitLab, Gitea — auto-detected by host |
| Output formats | human, json, sarif |
| CI integration | ::warning annotations, SARIF for code-scanning, exit-code gating |
| Caching | bun:sqlite, per-repo, TTL-bounded; --offline is cache-only |
| Edits | Atomic temp-file + rename; span-based, formatting-preserving |
Documentation map
- Install — requirements and how to run
actup - Usage — every command, all global flags, exit codes
- CI recipes — GitHub Actions gate, SARIF, annotations
- Comparison — vs Dependabot and Renovate
- Architecture — package map, data flow, error model
- Contributing — tests, formatting, adding a provider
Config reference, providers, policy model and scripts are documented separately.