Feature: freshness indicator + one-click bump for outdated uses: action versions #612

Description

@chirag127

Summary

The extension already resolves uses: owner/repo@ref for validation. It does not surface whether the pinned ref is the latest.

Effect: workflows quietly drift onto EOL action majors (e.g. actions/checkout@v3 after v4 is default, actions/upload-artifact@v3 after the v3 sunset). Users only notice on a deprecation warning in a run log, weeks later.

Proposal

For each uses: line:

  1. On workflow open, resolve the pinned ref against the action's releases (already an authenticated call the extension can make).
  2. If a newer major/minor exists, render a subtle CodeLens above the line: v3 -> v4 available (published 3 months ago).
  3. Clicking the CodeLens offers a Quick Fix: rewrite @v3 to @v4 (or @<sha> # v4.1.7 if the current pin is a SHA, preserving the pin style).
  4. Results cached per-action for 24h to avoid API-limit churn. Setting: github-actions.versionCheck.enabled (default: on) + github-actions.versionCheck.pinStyle (tag | sha | preserve, default preserve).

Why this belongs in the extension

Dependabot handles it eventually, but only after a PR round-trip. Renovate/Dependabot are async; this is inline. Same latency benefit as npm-outdated inline hints in the JS ecosystem.

Non-goals

  • Not a security scanner (that is Dependabot / gh actions-secure territory).
  • Not automated PR opening.

Related
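
The rewrite rule from steps 1-3 of the proposal, sketched as an added example (not part of the original issue and not the extension's code). `Release`, `PinStyle`, `suggestBump` and the sample data are hypothetical; fetching and caching releases is assumed to happen elsewhere.

```typescript
// Added example; Release, PinStyle and suggestBump are hypothetical names, not the extension's API.
type Release = { tag: string; sha: string }; // assumed shape of already-fetched release data
type PinStyle = "tag" | "sha" | "preserve";
const USES = /^(\s*(?:-\s*)?uses:\s*)([\w.-]+\/[\w.\/-]+)@([^\s#]+)(?:\s*#\s*(\S+))?\s*$/;
const SEMVER = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/; // pre-release tags do not match and are skipped

// "v4" -> [4, -1, -1]; -1 marks a component the tag does not specify.
function parseVersion(tag: string): number[] | null {
  const m = SEMVER.exec(tag);
  return m ? [m[1], m[2], m[3]].map(p => (p === undefined ? -1 : Number(p))) : null;
}
function cmp(a: number[], b: number[]): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Compare only the components the current pin specifies, so "v4" is not "behind" v4.1.7.
function isNewer(latest: number[], cur: number[]): boolean {
  for (let i = 0; i < 3 && cur[i] >= 0; i++) if (latest[i] !== cur[i]) return latest[i] > cur[i];
  return false;
}

function suggestBump(line: string, releases: Release[], style: PinStyle = "preserve"): string | null {
  const m = USES.exec(line);
  if (!m) return null;
  const [, prefix, action, ref, comment] = m;
  const isSha = /^[0-9a-f]{40}$/.test(ref);
  // A SHA pin's version comes from a release lookup, falling back to its "# vX.Y.Z" comment.
  const curTag = isSha ? releases.find(r => r.sha === ref)?.tag ?? comment : ref;
  const cur = curTag ? parseVersion(curTag) : null;
  if (!cur) return null; // branch name or unlabelled SHA: nothing to compare against
  const ranked = releases
    .map(r => ({ r, v: parseVersion(r.tag) }))
    .filter((x): x is { r: Release; v: number[] } => x.v !== null)
    .sort((a, b) => cmp(b.v, a.v));
  const top = ranked[0];
  if (!top || !isNewer(top.v, cur)) return null;
  // "preserve" never turns an immutable SHA pin into a mutable tag.
  if (style === "sha" || (style === "preserve" && isSha)) {
    return `${prefix}${action}@${top.r.sha} # ${top.r.tag}`;
  }
  // Keep the tag's granularity: "v3" -> "v4", "v3.6.0" -> "v4.1.7".
  return `${prefix}${action}@${cur[1] < 0 ? `v${top.v[0]}` : top.r.tag}`;
}

// Constructed sample data: the SHAs are placeholders, not real commits.
const SAMPLE: Release[] = [{ tag: "v3.6.0", sha: "a".repeat(40) }, { tag: "v4.1.7", sha: "b".repeat(40) }];
```

A `null` result means no CodeLens: the line is not a `uses:` reference, the ref is a branch or an unlabelled SHA, or the pin is already current at the granularity it specifies.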

    Projects

    Status
    Backlog 🗒