Summary
The extension already resolves uses: owner/repo@ref for validation. It does not surface whether the pinned ref is the latest.
Effect: workflows quietly drift onto EOL action majors (e.g. actions/checkout@v3 after v4 became the default, actions/upload-artifact@v3 after the v3 sunset). Users only notice when a deprecation warning shows up in a run log, weeks later.
Proposal
For each uses: line:
- On workflow open, resolve the pinned ref against the action's releases (already an authenticated call the extension can make).
- If a newer major/minor exists, render a subtle CodeLens above the line:
v3 -> v4 available (published 3 months ago).
- Clicking the CodeLens offers a Quick Fix: rewrite @v3 to @v4 (or @<sha> # v4.1.7 if the current pin is a SHA, preserving the pin style). For a SHA pin the new SHA is the commit the release tag resolves to via the API; the current pin is identified by its SHA, not by the trailing "# vX" comment, which says whatever the last editor typed.
- Results cached per-action for 24h to avoid API rate-limit churn. Settings: github-actions.versionCheck.enabled (default: on) + github-actions.versionCheck.pinStyle (tag | sha | preserve, default preserve).
Why this belongs in the extension
Dependabot handles it eventually, but only after a PR round-trip. Renovate and Dependabot are asynchronous; this is inline, at the moment the file is open. Same latency benefit as the inline npm-outdated hints in the JS ecosystem.
Non-goals
- Not a security scanner (that is dependabot / gh actions-secure territory).
- Not automated PR opening.
Related