renovatebot · Mar 25, 2025 · Mar 25, 2025
diff --git a/lib/modules/manager/github-actions/extract.spec.ts b/lib/modules/manager/github-actions/extract.spec.ts
@@ -705,5 +705,134 @@ describe('modules/manager/github-actions/extract', () => {
         },
       ]);
     });
+
+    it('extracts x-version from actions/setup-x in composite action', () => {
+      const yamlContent = `
+        steps:
+          - name: "Setup Node.js"
+            uses: actions/setup-node@v3
+            with:
+              node-version: '16.x'
+          - name: "Setup Node.js with exact version"
+            uses: actions/setup-node@v3
+            with:
+              node-version: '20.0.0'
+          - name: "Setup Go"
+            uses: actions/setup-go@v5
+            with:
+              go-version: '1.23'
+          - name: "Setup Python with range"
+            uses: actions/setup-python@v3
+            with:
+              python-version: '>=3.8.0 <3.10.0'
+          - name: "Setup Node.js with latest"
+            uses: actions/setup-node@v3
+            with:
+              node-version: 'latest'`;
+
+      const res = extractPackageFile(yamlContent, 'action.yml');
+      expect(res?.deps).toMatchObject([
+        {
+          autoReplaceStringTemplate:
+            '{{depName}}@{{#if newDigest}}{{newDigest}}{{#if newValue}} # {{newValue}}{{/if}}{{/if}}{{#unless newDigest}}{{newValue}}{{/unless}}',
+          commitMessageTopic: '{{{depName}}} action',
+          currentValue: 'v3',
+          datasource: 'github-tags',
+          depName: 'actions/setup-node',
+          depType: 'action',
+          replaceString: 'actions/setup-node@v3',
+          versioning: 'docker',
+        },
+        {
+          autoReplaceStringTemplate:
+            '{{depName}}@{{#if newDigest}}{{newDigest}}{{#if newValue}} # {{newValue}}{{/if}}{{/if}}{{#unless newDigest}}{{newValue}}{{/unless}}',
+          commitMessageTopic: '{{{depName}}} action',
+          currentValue: 'v3',
+          datasource: 'github-tags',
+          depName: 'actions/setup-node',
+          depType: 'action',
+          replaceString: 'actions/setup-node@v3',
+          versioning: 'docker',
+        },
+        {
+          autoReplaceStringTemplate:
+            '{{depName}}@{{#if newDigest}}{{newDigest}}{{#if newValue}} # {{newValue}}{{/if}}{{/if}}{{#unless newDigest}}{{newValue}}{{/unless}}',
+          commitMessageTopic: '{{{depName}}} action',
+          currentValue: 'v5',
+          datasource: 'github-tags',
+          depName: 'actions/setup-go',
+          depType: 'action',
+          replaceString: 'actions/setup-go@v5',
+          versioning: 'docker',
+        },
+        {
+          autoReplaceStringTemplate:
+            '{{depName}}@{{#if newDigest}}{{newDigest}}{{#if newValue}} # {{newValue}}{{/if}}{{/if}}{{#unless newDigest}}{{newValue}}{{/unless}}',
+          commitMessageTopic: '{{{depName}}} action',
+          currentValue: 'v3',
+          datasource: 'github-tags',
+          depName: 'actions/setup-python',
+          depType: 'action',
+          replaceString: 'actions/setup-python@v3',
+          versioning: 'docker',
+        },
+        {
+          autoReplaceStringTemplate:
+            '{{depName}}@{{#if newDigest}}{{newDigest}}{{#if newValue}} # {{newValue}}{{/if}}{{/if}}{{#unless newDigest}}{{newValue}}{{/unless}}',
+          commitMessageTopic: '{{{depName}}} action',
+          currentValue: 'v3',
+          datasource: 'github-tags',
+          depName: 'actions/setup-node',
+          depType: 'action',
+          replaceString: 'actions/setup-node@v3',
+          versioning: 'docker',
+        },
+        {
+          depName: 'node',
+          packageName: 'actions/node-versions',
+          currentValue: '16.x',
+          datasource: 'github-releases',
+          versioning: 'node',
+          extractVersion: '^(?<version>\\d+\\.\\d+\\.\\d+)(-\\d+)?$',
+          depType: 'uses-with',
+        },
+        {
+          depName: 'node',
+          packageName: 'actions/node-versions',
+          currentValue: '20.0.0',
+          datasource: 'github-releases',
+          versioning: 'node',
+          extractVersion: '^(?<version>\\d+\\.\\d+\\.\\d+)(-\\d+)?$',
+          depType: 'uses-with',
+        },
+        {
+          depName: 'go',
+          packageName: 'actions/go-versions',
+          currentValue: '1.23',
+          datasource: 'github-releases',
+          versioning: 'npm',
+          extractVersion: '^(?<version>\\d+\\.\\d+\\.\\d+)(-\\d+)?$',
+          depType: 'uses-with',
+        },
+        {
+          depName: 'python',
+          packageName: 'actions/python-versions',
+          currentValue: '>=3.8.0 <3.10.0',
+          datasource: 'github-releases',
+          versioning: 'npm',
+          extractVersion: '^(?<version>\\d+\\.\\d+\\.\\d+)(-\\d+)?$',
+          depType: 'uses-with',
+        },
+        {
+          depName: 'node',
+          packageName: 'actions/node-versions',
+          currentValue: 'latest',
+          datasource: 'github-releases',
+          versioning: 'node',
+          extractVersion: '^(?<version>\\d+\\.\\d+\\.\\d+)(-\\d+)?$',
+          depType: 'uses-with',
+        },
+      ]);
+    });
   });
 });
diff --git a/lib/modules/manager/github-actions/extract.ts b/lib/modules/manager/github-actions/extract.ts
@@ -15,7 +15,8 @@ import type {
   PackageDependency,
   PackageFileContent,
 } from '../types';
-import { WorkflowJobsSchema } from './schema';
+import type { Steps } from './schema';
+import { WorkflowSchema } from './schema';
 
 const dockerActionRe = regEx(/^\s+uses\s*: ['"]?docker:\/\/([^'"]+)\s*$/);
 const actionRe = regEx(
@@ -167,6 +168,41 @@ function extractRunner(runner: string): PackageDependency | null {
   return dependency;
 }
 
+const versionedActions: Record<string, string> = {
+  go: npmVersioning.id,
+  node: nodeVersioning.id,
+  python: npmVersioning.id,
+  // Not covered yet because they use different datasources/packageNames:
+  // - dotnet
+  // - java
+};
+
+function extractSteps(
+  steps: Steps[],
+  deps: PackageDependency<Record<string, any>>[],
+): void {
+  for (const step of steps) {
+    for (const [action, versioning] of Object.entries(versionedActions)) {
+      const actionName = `actions/setup-${action}`;
+      if (step.uses === actionName || step.uses?.startsWith(`${actionName}@`)) {
+        const fieldName = `${action}-version`;
+        const currentValue = step.with?.[fieldName];
+        if (currentValue) {
+          deps.push({
+            datasource: GithubReleasesDatasource.id,
+            depName: action,
+            packageName: `actions/${action}-versions`,
+            versioning,
+            extractVersion: '^(?<version>\\d+\\.\\d+\\.\\d+)(-\\d+)?$', // Actions release tags are like 1.24.1-13667719799
+            currentValue,
+            depType: 'uses-with',
+          });
+        }
+      }
+    }
+  }
+}
+
 function extractWithYAMLParser(
   content: string,
   packageFile: string,
@@ -175,11 +211,19 @@ function extractWithYAMLParser(
   logger.trace('github-actions.extractWithYAMLParser()');
   const deps: PackageDependency[] = [];
 
-  const jobs = withMeta({ packageFile }, () =>
-    WorkflowJobsSchema.parse(content),
-  );
+  const obj = withMeta({ packageFile }, () => WorkflowSchema.parse(content));
 
-  for (const job of jobs) {
+  if (!obj) {
+    return deps;
+  }
+
+  // composite action
+  if ('steps' in obj) {
+    extractSteps(obj.steps, deps);
+    return deps;
+  }
+
+  for (const job of obj) {
     if (job.container) {
       const dep = getDep(job.container, true, config.registryAliases);
       if (dep) {
@@ -203,38 +247,7 @@ function extractWithYAMLParser(
       }
     }
 
-    const versionedActions: Record<string, string> = {
-      go: npmVersioning.id,
-      node: nodeVersioning.id,
-      python: npmVersioning.id,
-      // Not covered yet because they use different datasources/packageNames:
-      // - dotnet
-      // - java
-    };
-
-    for (const step of job.steps) {
-      for (const [action, versioning] of Object.entries(versionedActions)) {
-        const actionName = `actions/setup-${action}`;
-        if (
-          step.uses === actionName ||
-          step.uses?.startsWith(`${actionName}@`)
-        ) {
-          const fieldName = `${action}-version`;
-          const currentValue = step.with?.[fieldName];
-          if (currentValue) {
-            deps.push({
-              datasource: GithubReleasesDatasource.id,
-              depName: action,
-              packageName: `actions/${action}-versions`,
-              versioning,
-              extractVersion: '^(?<version>\\d+\\.\\d+\\.\\d+)(-\\d+)?$', // Actions release tags are like 1.24.1-13667719799
-              currentValue,
-              depType: 'uses-with',
-            });
-          }
-        }
-      }
-    }
+    extractSteps(job.steps, deps);
   }
 
   return deps;

diff --git a/lib/modules/manager/github-actions/schema.ts b/lib/modules/manager/github-actions/schema.ts
@@ -6,8 +6,14 @@ import {
   withDebugMessage,
 } from '../../../util/schema-utils';
 
-export const WorkflowJobsSchema = Yaml.pipe(
-  z.object({
+const StepsSchema = z.object({
+  uses: z.string(),
+  with: LooseRecord(z.string()),
+});
+export type Steps = z.infer<typeof StepsSchema>;
+
+const WorkFlowJobsSchema = z
+  .object({
     jobs: LooseRecord(
       z.object({
         container: z
@@ -28,15 +34,15 @@ export const WorkflowJobsSchema = Yaml.pipe(
         'runs-on': z
           .union([z.string().transform((v) => [v]), z.array(z.string())])
           .catch([]),
-        steps: LooseArray(
-          z.object({
-            uses: z.string(),
-            with: LooseRecord(z.string()),
-          }),
-        ).catch([]),
+        steps: LooseArray(StepsSchema).catch([]),
       }),
     ),
-  }),
-)
-  .transform((v) => Object.values(v.jobs))
-  .catch(withDebugMessage([], 'Does not match schema'));
+  })
+  .transform((v) => Object.values(v.jobs));
+
+const ActionStepsSchema = z.object({
+  steps: LooseArray(StepsSchema).catch([]),
+});
+export const WorkflowSchema = Yaml.pipe(
+  z.union([WorkFlowJobsSchema, ActionStepsSchema, z.null()]),
+).catch(withDebugMessage(null, 'Does not match schema'));
diff --git a/lib/workers/repository/process/libyear.spec.ts b/lib/workers/repository/process/libyear.spec.ts
@@ -94,13 +94,13 @@ describe('workers/repository/process/libyear', () => {
         ],
       };
       calculateLibYears(config, packageFiles);
-      expect(logger.logger.debug).toHaveBeenCalledWith(
+      expect(logger.logger.once.debug).toHaveBeenCalledWith(
         'No currentVersionTimestamp for some/image',
       );
-      expect(logger.logger.debug).toHaveBeenCalledWith(
+      expect(logger.logger.once.debug).toHaveBeenCalledWith(
         'No releaseTimestamp for dep1 update to 3.0.0',
       );
-      expect(logger.logger.debug).toHaveBeenCalledWith(
+      expect(logger.logger.once.debug).toHaveBeenCalledWith(
         'No currentVersionTimestamp for dep3',
       );
       expect(logger.logger.debug).toHaveBeenCalledWith(

diff --git a/lib/workers/repository/process/libyear.ts b/lib/workers/repository/process/libyear.ts
@@ -39,7 +39,7 @@ export function calculateLibYears(
 
         depInfo.outdated = true;
         if (!dep.currentVersionTimestamp) {
-          logger.debug(`No currentVersionTimestamp for ${dep.depName}`);
+          logger.once.debug(`No currentVersionTimestamp for ${dep.depName}`);
           allDeps.push(depInfo);
           continue;
         }
@@ -50,7 +50,7 @@ export function calculateLibYears(
 
         for (const update of dep.updates) {
           if (!update.releaseTimestamp) {
-            logger.debug(
+            logger.once.debug(
               `No releaseTimestamp for ${dep.depName} update to ${update.newVersion}`,
             );
             continue;