
# GitHub Action

actup ships a composite GitHub Action so you can run the scanner directly in a workflow without installing Bun or the binary yourself. It downloads the matching standalone actup binary for the runner, runs your chosen subcommand with `--github-annotations` enabled, and surfaces findings inline on pull requests.

## Minimal example: PR gate

Fail a pull request when any action ref is outdated:

```yaml
name: actup check

on:
  pull_request:

permissions:
  contents: read

jobs:
  actup:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: kjanat/actup@v1
        with:
          command: check
```

`actup check` exits non-zero when outdated refs are found, which fails the job and blocks the PR.

## Inputs

| Input | Default | Description |
|---|---|---|
| `command` | `check` | The actup subcommand to run (e.g. `check`, `update`, `pin`, `config`). |
| `args` | `''` | Extra CLI arguments passed verbatim after the command (e.g. `--format sarif`). |
| `working-directory` | `.` | Directory to run actup in. |
| `version` | `latest` | actup release tag to download (e.g. `v1.2.3`), or `latest` for the newest release. |
| `github-token` | `${{ github.token }}` | Token exported as `GITHUB_TOKEN` for API calls (rate limits, private/enterprise). |

## Outputs

| Output | Description |
|---|---|
| `exit-code` | Exit code of the actup process (`0` = clean, non-zero = findings). |

## Examples

### Update refs and open a pull request

`actup update` rewrites outdated refs in place. Pair it with a create-pull-request action to land the changes for review:

```yaml
name: actup update

on:
  schedule:
    - cron: "0 6 * * 1"
  workflow_dispatch:

permissions:
  contents: write
  pull-requests: write

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: kjanat/actup@v1
        with:
          command: update
      - uses: peter-evans/create-pull-request@v6
        with:
          branch: actup/update-actions
          commit-message: "chore: bump outdated action refs"
          title: "chore: bump outdated action refs"
          body: "Automated action version bumps applied by actup."
          delete-branch: true
```

### Pinning refs to commit SHAs

```yaml
- uses: kjanat/actup@v1
  with:
    command: pin
```

### SARIF upload to code scanning

Emit SARIF with `args` and upload it so findings appear in the Security tab. Because the action exits non-zero on findings, use a step `id` plus `if: always()` so the upload still runs:

```yaml
jobs:
  actup:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v6
      - id: actup
        uses: kjanat/actup@v1
        continue-on-error: true
        with:
          command: check
          args: --format sarif > actup.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: actup.sarif
      - if: steps.actup.outputs.exit-code != '0'
        run: exit 1
```

Note: `args` is appended verbatim, so shell redirection like `--format sarif > actup.sarif` is interpreted by the action's bash step. Because the value reaches the shell unquoted, keep `args` a literal in the workflow rather than interpolating untrusted context such as pull request titles or branch names.

### Private repos and enterprise / self-hosted hosts

`github-token` is exported as `GITHUB_TOKEN`, which actup uses for API calls. The default `${{ github.token }}` covers higher rate limits and private repos in the same org. For cross-org private dependencies or GitHub Enterprise hosts, pass a token with the required scopes:

```yaml
- uses: kjanat/actup@v1
  with:
    command: check
    github-token: ${{ secrets.ACTUP_PAT }}
```

### Pinning the action version

Pin to a release tag for reproducibility:

```yaml
- uses: kjanat/actup@v1
```

Or pin the downloaded binary to a specific release independently of the action ref via the `version` input:

```yaml
- uses: kjanat/actup@v1
  with:
    version: v1.2.3
```

For maximum supply-chain safety, pin the action itself to a commit SHA — that is exactly what actup pin does to your own workflows.
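As an added example, not part of actup itself, the following POSIX shell script performs the check that the "Pinning refs to commit SHAs" section and the recommendation above are about: it reads a workflow file, reports every `uses:` reference whose ref is not a full 40-character hex commit SHA, and exits non-zero when any are found, mirroring the exit-code contract of `actup check`. Local (`./...`) and `docker://` actions carry no git ref and are skipped. The sample workflow it writes, including its 40-hex "SHA", is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not actup's own code): list `uses:` refs in a workflow file
# that are not pinned to a full 40-hex commit SHA. Returns 0 when every
# ref is pinned, 1 when at least one is not (like `actup check`).
set -u

# Print each unpinned ref as "line:owner/repo@ref"; return 1 if any were found.
find_unpinned_uses() {
  file="$1"
  found=0
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      *uses:*) ;;
      *) continue ;;
    esac
    # Keep only the value: drop everything up to "uses:", trailing comments, quotes.
    ref=$(printf '%s\n' "$line" | sed \
      -e 's/^.*uses:[[:space:]]*//' \
      -e 's/[[:space:]]*#.*$//' \
      -e "s/^['\"]//" -e "s/['\"]\$//")
    case "$ref" in
      ./*|docker://*) continue ;;   # local and container actions have no git ref
    esac
    case "$ref" in
      *@*) tag="${ref##*@}" ;;
      *) tag="" ;;                  # no "@ref" at all counts as unpinned
    esac
    if ! printf '%s\n' "$tag" | grep -Eq '^[0-9a-f]{40}$'; then
      printf '%s:%s\n' "$n" "$ref"
      found=1
    fi
  done < "$file"
  return $found
}

# Write a constructed sample workflow to a temp file and print its path.
# The 40-hex value below is a placeholder, not a real commit.
write_sample_workflow() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.20
      - uses: kjanat/actup@v1
        with:
          command: check
EOF
  printf '%s\n' "$f"
}

sample=$(write_sample_workflow)
if find_unpinned_uses "$sample"; then
  echo "all action refs are pinned to commit SHAs"
else
  echo "unpinned refs found; exiting non-zero like actup check"
fi
rm -f "$sample"
```

Run it against a real file with `find_unpinned_uses .github/workflows/ci.yml`; the two mutable tags in the sample (`actions/checkout@v6` and `kjanat/actup@v1`) are reported, while the placeholder SHA, the local action and the container image are not.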