fix: preserve GitHub Actions hashes and versions (#2007)

## PR Checklist

- [x] Addresses an existing open issue: fixes #1998
- [x] That issue was marked as [`status: accepting
prs`](https://github.com/JoshuaKGoldberg/create-typescript-app/issues?q=is%3Aopen+is%3Aissue+label%3A%22status%3A+accepting+prs%22)
- [x] Steps in
[CONTRIBUTING.md](https://github.com/JoshuaKGoldberg/create-typescript-app/blob/main/.github/CONTRIBUTING.md)
were taken

## Overview

Adds a new `workflowsVersions` option that reads in any existing pins
and comment hashes.

Printing out comment hashes is actually tricky: they're not part of the
AST, so I had to add a post-processing step after YAMl printing to turn
any `uses:` string ending with a `#` comment back from `uses: '... #
...'` to `uses: ... # ...`.

Skips adding tests for `readWorkflowVersions` pending
bingo-js/bingo#308.

🎁

Author: JoshuaKGoldberg

docs/Configuration Files.md

@@ -19,18 +19,19 @@ This includes the options described in [CLI](./CLI.md).
 Some of create-typescript-app's options are rich objects, typically very long strings, or otherwise not reasonable on the CLI.
 These options are generally only programmatically used internally, but can still be specified in a configuration file:
 
-| Option           | Description                                                              | Default (If Available)                                    |
-| ---------------- | ------------------------------------------------------------------------ | --------------------------------------------------------- |
-| `contributors`   | AllContributors contributors to store in `.all-contributorsrc`           | Existing contributors in the file, or just your username  |
-| `documentation`  | any additional docs to add to `.github/DEVELOPMENT.md`                   | Extra content in `.github/DEVELOPMENT.md`                 |
-| `existingLabels` | existing labels to switch to the standard template labels                | Existing labels on the repository from the GitHub API     |
-| `explainer`      | additional `README.md` sentence(s) describing the package                | Extra content in `README.md` after badges and description |
-| `guide`          | link to a contribution guide to place at the top of development docs     | Block quote on top of `.github/DEVELOPMENT.md`            |
-| `logo`           | local image file and alt text to display near the top of the `README.md` | First non-badge image's `alt` and `src` in `README.md`    |
-| `node`           | Node.js engine version(s) to pin and require a minimum of                | Values from `.nvmrc` and `package.json`'s `"engines"`     |
-| `packageData`    | additional properties to include in `package.json`                       | Existing values in `package.json`                         |
-| `rulesetId`      | GitHub branch ruleset ID for main branch protections                     | Existing ruleset on the `main` branch from the GitHub API |
-| `usage`          | Markdown docs to put in `README.md` under the `## Usage` heading         | Existing usage lines in `README.md`                       |
+| Option              | Description                                                              | Default (If Available)                                    |
+| ------------------- | ------------------------------------------------------------------------ | --------------------------------------------------------- |
+| `contributors`      | AllContributors contributors to store in `.all-contributorsrc`           | Existing contributors in the file, or just your username  |
+| `documentation`     | any additional docs to add to `.github/DEVELOPMENT.md`                   | Extra content in `.github/DEVELOPMENT.md`                 |
+| `existingLabels`    | existing labels to switch to the standard template labels                | Existing labels on the repository from the GitHub API     |
+| `explainer`         | additional `README.md` sentence(s) describing the package                | Extra content in `README.md` after badges and description |
+| `guide`             | link to a contribution guide to place at the top of development docs     | Block quote on top of `.github/DEVELOPMENT.md`            |
+| `logo`              | local image file and alt text to display near the top of the `README.md` | First non-badge image's `alt` and `src` in `README.md`    |
+| `node`              | Node.js engine version(s) to pin and require a minimum of                | Values from `.nvmrc` and `package.json`'s `"engines"`     |
+| `packageData`       | additional properties to include in `package.json`                       | Existing values in `package.json`                         |
+| `rulesetId`         | GitHub branch ruleset ID for main branch protections                     | Existing ruleset on the `main` branch from the GitHub API |
+| `usage`             | Markdown docs to put in `README.md` under the `## Usage` heading         | Existing usage lines in `README.md`                       |
+| `workflowsVersions` | existing versions of GitHub Actions workflows used                       | Existing action versions in `.github/workflows/*.yml`     |
 
 For example, changing `node` versions to values different from what would be inferred:
 

package.json

@@ -40,6 +40,7 @@
 		"bingo": "^0.5.8",
 		"bingo-fs": "^0.5.4",
 		"bingo-stratum": "^0.5.7",
+		"cached-factory": "^0.1.0",
 		"cspell-populate-words": "^0.3.0",
 		"execa": "^9.5.2",
 		"git-url-parse": "^16.0.1",

pnpm-lock.yaml

@@ -53,6 +53,7 @@ describe("base", () => {
 			title: "Create TypeScript App",
 			usage: expect.any(String),
 			version: expect.any(String),
+			workflowsVersions: expect.any(Object),
 		});
 	});
 });

src/base.test.ts

@@ -31,16 +31,8 @@ import { readRepository } from "./options/readRepository.js";
 import { readRulesetId } from "./options/readRulesetId.js";
 import { readTitle } from "./options/readTitle.js";
 import { readUsage } from "./options/readUsage.js";
-
-const zContributor = z.object({
-	avatar_url: z.string(),
-	contributions: z.array(z.string()),
-	login: z.string(),
-	name: z.string(),
-	profile: z.string(),
-});
-
-export type Contributor = z.infer<typeof zContributor>;
+import { readWorkflowsVersions } from "./options/readWorkflowsVersions.js";
+import { zContributor, zWorkflowsVersions } from "./schemas.js";
 
 export const base = createBase({
 	options: {
@@ -166,6 +158,9 @@ export const base = createBase({
 			.string()
 			.optional()
 			.describe("package version to publish as and store in `package.json`"),
+		workflowsVersions: zWorkflowsVersions
+			.optional()
+			.describe("existing versions of GitHub Actions workflows used"),
 	},
 	prepare({ options, take }) {
 		const getAccess = lazyValue(async () => await readAccess(getPackageData));
@@ -278,6 +273,10 @@ export const base = createBase({
 
 		const getVersion = lazyValue(async () => (await getPackageData()).version);
 
+		const getWorkflowData = lazyValue(
+			async () => await readWorkflowsVersions(take),
+		);
+
 		return {
 			access: getAccess,
 			author: getAuthor,
@@ -301,6 +300,7 @@ export const base = createBase({
 			title: getTitle,
 			usage: getUsage,
 			version: getVersion,
+			workflowsVersions: getWorkflowData,
 		};
 	},
 });

src/base.ts

@@ -0,0 +1,87 @@
+import { describe, expect, it } from "vitest";
+
+import { resolveUses } from "./resolveUses.js";
+
+describe(resolveUses, () => {
+	it("returns action@version when workflowsVersions is undefined", () => {
+		const actual = resolveUses("test-action", "v1.2.3");
+
+		expect(actual).toBe("[email protected]");
+	});
+
+	it("returns action@version when workflowsVersions does not contain the action", () => {
+		const actual = resolveUses("test-action", "v1.2.3", { other: {} });
+
+		expect(actual).toBe("[email protected]");
+	});
+
+	it("uses the provided version when it is greater than all the action versions in workflowsVersions", () => {
+		const actual = resolveUses("test-action", "v1.2.3", {
+			"test-action": {
+				"v0.1.2": {
+					pinned: true,
+				},
+				"v1.1.4": {
+					pinned: true,
+				},
+			},
+		});
+
+		expect(actual).toBe("[email protected]");
+	});
+
+	it("prefers a provided valid semver version when an action also has a non-semver tag", () => {
+		const actual = resolveUses("test-action", "v1.2.3", {
+			"test-action": {
+				main: {
+					pinned: true,
+				},
+			},
+		});
+
+		expect(actual).toBe("[email protected]");
+	});
+
+	it("prefers an action's semver tag when the provided version is a non-semver tag", () => {
+		const actual = resolveUses("test-action", "main", {
+			"test-action": {
+				"v1.2.3": {
+					pinned: true,
+				},
+			},
+		});
+
+		expect(actual).toBe("[email protected]");
+	});
+
+	it("uses the greatest version when the provided version is not bigger than all the action versions in workflowsVersions", () => {
+		const actual = resolveUses("test-action", "v1.2.3", {
+			"test-action": {
+				"v0.1.2": {
+					pinned: true,
+				},
+				"v1.3.5": {
+					pinned: true,
+				},
+			},
+		});
+
+		expect(actual).toBe("[email protected]");
+	});
+
+	it("uses a pinned hash when the greatest version contains a hash", () => {
+		const actual = resolveUses("test-action", "v1.2.3", {
+			"test-action": {
+				"v0.1.2": {
+					pinned: true,
+				},
+				"v1.3.5": {
+					hash: "abc",
+					pinned: true,
+				},
+			},
+		});
+
+		expect(actual).toBe("test-action@abc # v1.3.5");
+	});
+});

src/blocks/actions/resolveUses.test.ts

@@ -0,0 +1,41 @@
+import { CachedFactory } from "cached-factory";
+import semver from "semver";
+
+import { WorkflowsVersions } from "../../schemas.js";
+
+const semverCoercions = new CachedFactory((version: string) => {
+	return semver.coerce(version)?.toString() ?? "0.0.0";
+});
+
+export function resolveUses(
+	action: string,
+	version: string,
+	workflowsVersions?: WorkflowsVersions,
+) {
+	if (!workflowsVersions || !(action in workflowsVersions)) {
+		return `${action}@${version}`;
+	}
+
+	const workflowVersions = workflowsVersions[action];
+
+	const biggestVersion = Object.keys(workflowVersions).reduce(
+		(highestVersion, potentialVersion) =>
+			semver.gt(
+				semverCoercions.get(potentialVersion),
+				semverCoercions.get(highestVersion),
+			)
+				? potentialVersion
+				: highestVersion,
+		version,
+	);
+
+	if (!(biggestVersion in workflowVersions)) {
+		return `${action}@${biggestVersion}`;
+	}
+
+	const atBiggestVersion = workflowVersions[biggestVersion];
+
+	return atBiggestVersion.hash
+		? `${action}@${atBiggestVersion.hash} # ${biggestVersion}`
+		: `${action}@${biggestVersion}`;
+}

src/blocks/actions/resolveUses.ts

@@ -1,7 +1,9 @@
 import _ from "lodash";
 
-import { base, Contributor } from "../base.js";
+import { base } from "../base.js";
 import { ownerContributions } from "../data/contributions.js";
+import { Contributor } from "../schemas.js";
+import { resolveUses } from "./actions/resolveUses.js";
 import { blockPrettier } from "./blockPrettier.js";
 import { blockREADME } from "./blockREADME.js";
 import { blockRepositorySecrets } from "./blockRepositorySecrets.js";
@@ -59,11 +61,22 @@ export const blockAllContributors = base.createBlock({
 								},
 							},
 							steps: [
-								{ uses: "actions/checkout@v4", with: { "fetch-depth": 0 } },
+								{
+									uses: resolveUses(
+										"actions/checkout",
+										"v4",
+										options.workflowsVersions,
+									),
+									with: { "fetch-depth": 0 },
+								},
 								{ uses: "./.github/actions/prepare" },
 								{
 									env: { GITHUB_TOKEN: "${{ secrets.ACCESS_TOKEN }}" },
-									uses: `JoshuaKGoldberg/[email protected]`,
+									uses: resolveUses(
+										"JoshuaKGoldberg/all-contributors-auto-action",
+										"v0.5.0",
+										options.workflowsVersions,
+									),
 								},
 							],
 						}),

src/blocks/blockAllContributors.ts

@@ -1,13 +1,14 @@
 import { base } from "../base.js";
 import { packageData } from "../data/packageData.js";
+import { resolveUses } from "./actions/resolveUses.js";
 import { blockGitHubActionsCI } from "./blockGitHubActionsCI.js";
 import { blockPackageJson } from "./blockPackageJson.js";
 
 export const blockCTATransitions = base.createBlock({
 	about: {
 		name: "CTA Transitions",
 	},
-	produce() {
+	produce({ options }) {
 		return {
 			addons: [
 				blockGitHubActionsCI({
@@ -25,7 +26,11 @@ export const blockCTATransitions = base.createBlock({
 							steps: [
 								{ run: "pnpx create-typescript-app" },
 								{
-									uses: "stefanzweifel/git-auto-commit-action@v5",
+									uses: resolveUses(
+										"stefanzweifel/git-auto-commit-action",
+										"v5",
+										options.workflowsVersions,
+									),
 									with: {
 										commit_author: "The Friendly Bingo Bot <[email protected]>",
 										commit_message:
@@ -35,7 +40,11 @@ export const blockCTATransitions = base.createBlock({
 									},
 								},
 								{
-									uses: "mshick/add-pr-comment@v2",
+									uses: resolveUses(
+										"mshick/add-pr-comment",
+										"v2",
+										options.workflowsVersions,
+									),
 									with: {
 										issue: "${{ github.event.pull_request.number }}",
 										message: [

src/blocks/blockCTATransitions.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import { base } from "../base.js";
+import { resolveUses } from "./actions/resolveUses.js";
 import { blockGitHubApps } from "./blockGitHubApps.js";
 import { blockRemoveFiles } from "./blockRemoveFiles.js";
 import { blockVitest } from "./blockVitest.js";
@@ -10,7 +11,7 @@ export const blockCodecov = base.createBlock({
 		name: "Codecov",
 	},
 	addons: { env: z.record(z.string(), z.string()).optional() },
-	produce({ addons }) {
+	produce({ addons, options }) {
 		const { env } = addons;
 		return {
 			addons: [
@@ -27,7 +28,11 @@ export const blockCodecov = base.createBlock({
 						{
 							...(env && { env }),
 							if: "always()",
-							uses: "codecov/codecov-action@v3",
+							uses: resolveUses(
+								"codecov/codecov-action",
+								"v3",
+								options.workflowsVersions,
+							),
 						},
 					],
 				}),