
Conversation

@fulldecent (Contributor)

This PR adds a tool to detect outdated uses: dependency versions in this repo. (For references to actions and also references to whole workflows.)

It also provides a methodical process of how to consider, implement and document each upgrade.

Supply chain security is an important job. And this repo is the starting point for supply chain security for most projects on earth.

This script helps make your job easier to benefit us all!

For example:

[Screenshot, 2025-12-11 14:43: example output of the tool]
  • Add TypeScript tool to check for outdated action versions
  • Handle SHA-pinned commits with version comments
  • Show latest release commit information
  • Add comprehensive UPGRADE_GUIDE.md documenting upgrade best practices

Pre-requisites

  • Prior to submitting a new workflow, please apply to join the GitHub Technology Partner Program: partner.github.com/apply. / applied

Please note that at this time we are only accepting new starter workflows for Code Scanning. Updates to existing starter workflows are fine.


Tasks

Some general notes:

  • This workflow must only use actions that are produced by GitHub, in the actions organization, or
  • This workflow must only use actions that are produced by the language or ecosystem that the workflow supports. These actions must be published to the GitHub Marketplace. We require that these actions be referenced using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file:
    # This workflow uses actions that are not certified by GitHub.
    # They are provided by a third-party and are governed by
    # separate terms of service, privacy policy, and support
    # documentation.
    
  • Automation and CI workflows should not send data to any 3rd party service except for the purposes of installing dependencies.
  • Automation and CI workflows cannot be dependent on a paid service or product.


Copilot AI left a comment


Pull request overview

This PR introduces a TypeScript-based tool to detect outdated action versions in GitHub Actions workflows, along with comprehensive documentation for upgrading actions safely. The tool scans workflow files to identify actions that have newer releases available and provides a systematic upgrade process to maintain supply chain security.

  • Adds automated detection of outdated action versions with support for both tag-based and SHA-pinned references
  • Includes detailed UPGRADE_GUIDE.md with best practices, version specificity patterns, and a case study of the actions/checkout v5→v6 upgrade
  • Implements GitHub API integration with rate limit handling and progress tracking

Reviewed changes

Copilot reviewed 5 out of 7 changed files in this pull request and generated 15 comments.

File Description
script/check-outdated-actions/package.json Defines Node.js project dependencies for TypeScript and YAML parsing
script/check-outdated-actions/package-lock.json Locks dependency versions for reproducible installations
script/check-outdated-actions/tsconfig.json Minimal TypeScript compiler configuration
script/check-outdated-actions/settings.json Configuration specifying workflow directories to scan
script/check-outdated-actions/index.ts Main TypeScript script that scans workflows, fetches release data via GitHub API, and reports outdated actions
script/check-outdated-actions/UPGRADE_GUIDE.md Comprehensive documentation covering upgrade methodology, version format patterns, breaking change analysis, and verification steps
package-lock.json Root-level lockfile initialization for the repository
Files not reviewed (1)
  • script/check-outdated-actions/package-lock.json: Language not supported
Comments suppressed due to low confidence (2)

script/check-outdated-actions/index.ts:11

  • Unused variable commitCache.
const commitCache = new Map<string, string | null>();

script/check-outdated-actions/index.ts:12

  • Unused variable releaseCache.
const releaseCache = new Map<string, { tag: string; commit: string } | null>();


const commitCache = new Map<string, string | null>();
const releaseCache = new Map<string, { tag: string; commit: string } | null>();

async function findActionsInWorkflows(folders: string[]): Promise<Map<string, string[]>> {

Copilot AI Dec 11, 2025


The releaseCache variable is declared but never used in the code. Consider implementing caching for getLatestRelease to avoid fetching the same release information multiple times for actions from the same repository.

Suggested change
async function findActionsInWorkflows(folders: string[]): Promise<Map<string, string[]>> {

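The tool the PR describes (find `uses:` references, tell SHA pins with a trailing version comment apart from tag pins, compare each against the latest release) together with the per-repository caching the review comment above asks for, as an added example. This is not the PR's own code: the regex, the `cachedReleaseLookup` wrapper, the sample workflow and the release data are constructed for this illustration, and the fetcher is injected so the example runs offline where the real tool would query the GitHub API.

```typescript
// Added example, not the PR's code. Parses `uses:` references out of workflow
// YAML, classifies tag vs. 40-hex SHA pins, and checks each against the latest
// release through a cached lookup so each repository is fetched only once.

type ActionRef = {
  repo: string;                   // e.g. "actions/checkout" (subpath dropped)
  ref: string;                    // tag ("v5") or 40-hex commit SHA
  versionHint: string | undefined; // trailing "# v6.0.0" comment beside a SHA pin
  isSha: boolean;
};

type Release = { tag: string; commit: string };
type ReleaseFetcher = (repo: string) => Promise<Release | null>;
type Finding = { repo: string; pinned: string; latest: string; reason: string };

// `uses: owner/repo[/subpath]@ref [# comment]`; local (./path) and docker://
// references have no owner/repo@ref shape and are skipped by the regex.
const USES_RE =
  /^\s*-?\s*uses:\s*["']?([\w.-]+\/[\w.-]+)(\/[\w./-]+)?@([^\s"'#]+)["']?\s*(?:#\s*(\S+))?/;
const SHA_RE = /^[0-9a-f]{40}$/;

function findActionRefs(workflowYaml: string): ActionRef[] {
  const refs: ActionRef[] = [];
  for (const line of workflowYaml.split("\n")) {
    const m = USES_RE.exec(line);
    if (!m) continue;
    const repo = m[1] ?? "";
    const ref = m[3] ?? "";
    refs.push({ repo, ref, versionHint: m[4] || undefined, isSha: SHA_RE.test(ref) });
  }
  return refs;
}

// Caches the promise (not just the value) so concurrent lookups of the same
// repository share one in-flight request; a null result is cached too.
function cachedReleaseLookup(fetcher: ReleaseFetcher): ReleaseFetcher {
  const cache = new Map<string, Promise<Release | null>>();
  return (repo) => {
    let hit = cache.get(repo);
    if (hit === undefined) {
      hit = fetcher(repo);
      cache.set(repo, hit);
    }
    return hit;
  };
}

function majorOf(tag: string): number | null {
  const m = /^v?(\d+)/.exec(tag);
  return m ? Number(m[1]) : null;
}

async function checkOutdated(refs: ActionRef[], lookup: ReleaseFetcher): Promise<Finding[]> {
  const findings: Finding[] = [];
  for (const r of refs) {
    const latest = await lookup(r.repo);
    if (!latest) continue; // repository without releases: nothing to compare against
    if (r.isSha) {
      // A SHA pin is "outdated" when it is not the commit the latest release tag points at.
      if (r.ref !== latest.commit) {
        findings.push({
          repo: r.repo,
          pinned: `${r.ref.slice(0, 7)} (${r.versionHint ?? "no version comment"})`,
          latest: `${latest.tag} @ ${latest.commit.slice(0, 7)}`,
          reason: "SHA pin is not the latest release commit",
        });
      }
    } else {
      // Tag pins such as v5 float within a major, so only a major-version gap is reported.
      const have = majorOf(r.ref);
      const want = majorOf(latest.tag);
      if (have !== null && want !== null && have < want) {
        findings.push({ repo: r.repo, pinned: r.ref, latest: latest.tag, reason: "major version behind latest release" });
      }
    }
  }
  return findings;
}

// Wraps the fetcher with a call counter so the effect of the cache is visible.
async function runCheck(workflowYaml: string, fetcher: ReleaseFetcher) {
  let apiCalls = 0;
  const counting: ReleaseFetcher = async (repo) => { apiCalls++; return fetcher(repo); };
  const refs = findActionRefs(workflowYaml);
  const findings = await checkOutdated(refs, cachedReleaseLookup(counting));
  return { refs, findings, apiCalls };
}

// Constructed sample workflow; the SHAs are placeholders, not real commits.
const SAMPLE_WORKFLOW = `
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v5
      - uses: actions/checkout@${"a".repeat(40)} # v6.0.0
      - uses: actions/setup-node@${"1".repeat(40)} # v4.0.3
      - uses: github/codeql-action/init@v3
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.20
`;

// Constructed release data standing in for GitHub API responses.
const FAKE_RELEASES: Record<string, Release> = {
  "actions/checkout": { tag: "v6.0.0", commit: "a".repeat(40) },
  "actions/setup-node": { tag: "v4.0.4", commit: "2".repeat(40) },
  "github/codeql-action": { tag: "v3.27.0", commit: "b".repeat(40) },
};
const fakeReleaseFetcher: ReleaseFetcher = async (repo) => FAKE_RELEASES[repo] ?? null;

runCheck(SAMPLE_WORKFLOW, fakeReleaseFetcher).then(({ findings, apiCalls }) => {
  for (const f of findings) console.log(`${f.repo}: ${f.pinned} -> ${f.latest} (${f.reason})`);
  console.log(`release lookups made: ${apiCalls}`);
});
```

On the sample above, the two `actions/checkout` steps produce one lookup rather than two, and the two findings are the `v5` tag pin (a major behind `v6.0.0`) and the `setup-node` SHA pin (not the latest release commit). Comparing a SHA pin to the latest release's commit, rather than to the tag in the comment, is what catches a comment that was edited without the pin being moved.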
@fulldecent fulldecent force-pushed the outdated-dependencies-checker branch from 71c395c to 50b7464 Compare December 11, 2025 20:48

@majdialharbi989 left a comment


yes
