alchemaxinc · dotkas · Feb 4, 2026 · Feb 4, 2026 · Feb 4, 2026 · Feb 4, 2026
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -6,119 +6,130 @@ on:
       - main
   workflow_call:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
+env:
+  PYTHON_VERSION: '3.14'
+  CSPELL_VERSION: '8.0.0'
+  BLACK_VERSION: '24.10.0'
+  PRETTIER_VERSION: '3.3.3'
+  COMMITLINT_CLI_VERSION: '20.2.0'
+
 jobs:
-  commitlint:
-    name: Commits
+  install-commitlint:
     runs-on: ubuntu-latest
-
     steps:
-      - name: Checkout code
+      - &checkout-code
+        name: Checkout code (shallow)
         uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-          fetch-tags: true
 
-      - name: Get current year and month for caching
-        id: date
-        run: echo "month_year=$(date +'%m-%Y')" >> $GITHUB_OUTPUT
-
-      - name: Cache commitlint tools
+      - &cache-commitlint
+        name: Cache Commitlint
         id: cache-commitlint
         uses: actions/cache@v4
         with:
-          path: ~/.npm-commitlint
-          key: npm-commitlint-${{ runner.os }}-${{ steps.date.outputs.month_year }}-v1
-          restore-keys: |
-            npm-commitlint-${{ runner.os }}-${{ steps.date.outputs.month_year }}-
-            npm-commitlint-${{ runner.os }}-
+          path: node_modules
+          key: v4-commitlint-${{ env.COMMITLINT_CLI_VERSION }}
 
-      - name: Install commitlint and dependencies
+      - name: Install Commitlint
         if: steps.cache-commitlint.outputs.cache-hit != 'true'
-        run: |
-          npm config set prefix ~/.npm-commitlint
-          npm install -g \
-            @commitlint/cli \
-            @commitlint/config-conventional
+        run: npm i -D @commitlint/cli@${{ env.COMMITLINT_CLI_VERSION }} @commitlint/config-conventional
 
-      - name: Add commitlint to PATH
-        run: echo "$HOME/.npm-commitlint/bin" >> $GITHUB_PATH
+  run-commitlint:
+    runs-on: ubuntu-latest
+    needs: install-commitlint
+    steps:
+      - name: Checkout code (full)
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
 
-      # To avoid having a package.json maintained in this repo, we just pretend to be a Node project during the run
-      - name: Create symlink for commitlint config
-        run: |
-          mkdir -p node_modules/@commitlint
-          ln -sf ~/.npm-commitlint/lib/node_modules/@commitlint/config-conventional node_modules/@commitlint/config-conventional
+      - *cache-commitlint
 
-      - name: Run commitlint on all commits
-        run: commitlint --from origin/main --to HEAD --verbose
+      - name: Run commitlint
+        run: |
+          git checkout main
+          git checkout -
+          ./node_modules/.bin/commitlint --from main --to HEAD --verbose
 
-  prettier:
-    name: Formatting
+  install-prettier:
     runs-on: ubuntu-latest
-
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
-
-      - name: Get current year and month for caching
-        id: date
-        run: echo "month_year=$(date +'%m-%Y')" >> $GITHUB_OUTPUT
+      - *checkout-code
 
-      - name: Cache prettier tools
+      - &cache-prettier
+        name: Cache Prettier
         id: cache-prettier
         uses: actions/cache@v4
         with:
-          path: ~/.npm-prettier
-          key: npm-prettier-${{ runner.os }}-${{ steps.date.outputs.month_year }}-v1
-          restore-keys: |
-            npm-prettier-${{ runner.os }}-${{ steps.date.outputs.month_year }}-
-            npm-prettier-${{ runner.os }}-
+          path: node_modules
+          key: v1-prettier-${{ env.PRETTIER_VERSION }}
 
       - name: Install Prettier
         if: steps.cache-prettier.outputs.cache-hit != 'true'
-        run: |
-          npm config set prefix ~/.npm-prettier
-          npm install -g prettier
+        run: npm i -D prettier@${{ env.PRETTIER_VERSION }}
 
-      - name: Add Prettier to PATH
-        run: echo "$HOME/.npm-prettier/bin" >> $GITHUB_PATH
+  run-prettier:
+    runs-on: ubuntu-latest
+    needs: install-prettier
+    steps:
+      - *checkout-code
+      - *cache-prettier
 
       - name: Run Prettier check
-        run: prettier --check .
+        run: ./node_modules/.bin/prettier --check .
 
-  cspell:
-    name: Spelling
+  run-black:
     runs-on: ubuntu-latest
-
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
+      - *checkout-code
 
-      - name: Get current year and month for caching
-        id: date
-        run: echo "month_year=$(date +'%m-%Y')" >> $GITHUB_OUTPUT
+      - name: Setup Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '${{ env.PYTHON_VERSION }}'
+
+      - name: Cache Black
+        uses: actions/cache@v4
+        id: cache-black
+        with:
+          path: ~/.cache/pip
+          key: v1-black-${{ env.BLACK_VERSION }}
 
-      - name: Cache cspell tools
+      - name: Install Black
+        run: pip install black==${{ env.BLACK_VERSION }}
+
+      - name: Run Black check
+        run: black --check .
+
+  install-cspell:
+    runs-on: ubuntu-latest
+    steps:
+      - *checkout-code
+
+      - &cache-cspell
+        name: Cache CSpell
         id: cache-cspell
         uses: actions/cache@v4
         with:
-          path: ~/.npm-cspell
-          key: npm-cspell-${{ runner.os }}-${{ steps.date.outputs.month_year }}-v1
-          restore-keys: |
-            npm-cspell-${{ runner.os }}-${{ steps.date.outputs.month_year }}-
-            npm-cspell-${{ runner.os }}-
+          path: node_modules
+          key: v1-cspell-${{ env.CSPELL_VERSION }}
 
       - name: Install CSpell
         if: steps.cache-cspell.outputs.cache-hit != 'true'
-        run: |
-          npm config set prefix ~/.npm-cspell
-          npm install -g cspell
+        run: npm i -D cspell
 
-      - name: Add CSpell to PATH
-        run: echo "$HOME/.npm-cspell/bin" >> $GITHUB_PATH
+  run-cspell:
+    runs-on: ubuntu-latest
+    needs: install-cspell
+    steps:
+      - *checkout-code
+      - *cache-cspell
 
       - name: Run CSpell check
-        run: cspell
+        run: ./node_modules/.bin/cspell
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,120 @@
+name: Test Actions
+
+on:
+  push:
+    branches-ignore:
+      - main
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  PYTHON_VERSION: '3.14'
+
+jobs:
+  python-unit-tests-actions:
+    name: Python Unit Tests (GitHub Actions)
+    runs-on: ubuntu-latest
+    steps:
+      - &checkout-code
+        name: Checkout code
+        uses: actions/checkout@v5
+
+      - &setup-python
+        name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Install dependencies
+        working-directory: actions
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Run unit tests
+        working-directory: actions
+        run: python -m unittest discover -s . -p "test_*.py" -v
+
+  python-unit-tests-terraform:
+    name: Python Unit Tests (Terraform)
+    runs-on: ubuntu-latest
+    steps:
+      - *checkout-code
+      - *setup-python
+
+      - name: Run unit tests
+        working-directory: terraform
+        run: python -m unittest discover -s . -p "test_*.py" -v
+
+  test-actions:
+    name: Test GitHub Actions Updater
+    runs-on: ubuntu-latest
+    steps:
+      - *checkout-code
+
+      - name: Test actions updater
+        uses: ./actions
+        with:
+          dry-run: 'true'
+          file-glob: 'actions/test/.github/**/*.yml'
+
+  test-circleci-orbs:
+    name: Test CircleCI Orbs Updater
+    runs-on: ubuntu-latest
+    steps:
+      - *checkout-code
+
+      - name: Test CircleCI orbs updater
+        uses: ./circleci-orbs
+        with:
+          dry-run: 'true'
+          circleci-config-file: 'circleci-orbs/test/.circleci/config.yml'
+
+  test-golang:
+    name: Test Go Dependencies Updater
+    runs-on: ubuntu-latest
+    steps:
+      - *checkout-code
+
+      - name: Setup test fixtures
+        run: |
+          cp golang/test/go.mod .
+          cp golang/test/go.sum .
+
+      - name: Test Go dependencies updater
+        uses: ./golang
+        with:
+          dry-run: 'true'
+
+  test-npm:
+    name: Test NPM Dependencies Updater
+    runs-on: ubuntu-latest
+    steps:
+      - *checkout-code
+
+      - name: Setup test fixtures
+        run: |
+          cp npm/test/package.json .
+          cp npm/test/package-lock.json .
+          cp npm/test/.nvmrc .
+
+      - name: Test NPM dependencies updater
+        uses: ./npm
+        with:
+          dry-run: 'true'
+
+  test-terraform:
+    name: Test Terraform Dependencies Updater
+    runs-on: ubuntu-latest
+    steps:
+      - *checkout-code
+
+      - name: Test Terraform dependencies updater
+        uses: ./terraform
+        with:
+          dry-run: 'true'
+          working-dir: 'terraform/test'
+          var-file-path: 'test.tfvars'
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 .idea/
 .DS_Store
 .venv/
+*.pyc
diff --git a/actions/README.md b/actions/README.md
@@ -0,0 +1,54 @@
+# Update GitHub Actions :arrows_counterclockwise:
+
+This GitHub Action scans `.github` workflows, finds `uses:` entries that match configured prefixes, compares them to the
+latest GitHub releases, and updates them when newer versions exist.
+
+## :rocket: Usage
+
+```yaml
+name: Update GitHub Actions
+on:
+  schedule:
+    - cron: '0 2 * * 1'
+  workflow_dispatch:
+
+jobs:
+  update-actions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Update GitHub Actions
+        uses: alchemaxinc/update-deps/actions@v1
+        with:
+          token: ${{ github.token }}
+          base-branch: 'main'
+          branch-prefix: 'update-actions'
+          pr-title: 'Update GitHub Actions'
+          commit-message: 'Update GitHub Actions'
+          file-glob: '.github/**/*.yml'
+          prefixes: 'actions'
+```
+
+## :computer: Local CLI
+
+```bash
+python cli.py --root /path/to/repo --file-glob '.github/**/*.yml' --prefixes 'actions'
+```
+
+## :gear: Inputs
+
+| Input            | Description                                         | Required           | Default                 |
+| ---------------- | --------------------------------------------------- | ------------------ | ----------------------- |
+| `base-branch`    | Base branch for the pull request                    | :white_check_mark: | `main`                  |
+| `token`          | GitHub token for authentication                     | :x:                | `${{ github.token }}`   |
+| `branch-prefix`  | Prefix for the update branch                        | :x:                | `update-actions`        |
+| `pr-title`       | Title for the pull request                          | :x:                | `Update GitHub Actions` |
+| `commit-message` | Commit message for the update                       | :x:                | `Update GitHub Actions` |
+| `file-glob`      | Glob for workflow files (relative to repo root)     | :x:                | `.github/**/*.yml`      |
+| `prefixes`       | Comma-separated list of action prefixes to include  | :x:                | `actions`               |
+| `auto-merge`     | Wether automatic merge should be enabled for the PR | :x:                | `false`                 |
+
+## :warning: Prerequisites
+
+- Workflow files must be under `.github` and match the configured `file-glob`
+- The action requires write permissions to create branches and pull requests
+- GitHub CLI must be available in the runner environment