fix: harden GitHub Action version resolution

[qartik]

Summary

• keep moving action refs at their published precision, including major-moving tags like v3 and minor-moving tags like v3.4
• upgrade exact action refs to the latest eligible stable release without treating semver-equivalent representations as upgrades
• resolve each workflow action reference independently instead of reusing one repo-level result across mixed refs
• reduce resolver edge cases and API pressure by modeling per-major candidates explicitly and short-circuiting cooldown checks once a higher-priority eligible target is found
• strengthen the resolver with targeted regressions, reference-model checks, and property-based tests

Details

actupdate now resolves action tags through an explicit per-major candidate model instead of a sequence of ad hoc helper interactions. For each published major, the resolver distinguishes moving major tags such as v6, moving minor tags such as v6.2, and exact tags such as v6.2.1, then applies one consistent selection policy across upgrade, cooldown, and unchanged paths.

This makes the tool behave correctly for cases such as:

• exact same-major upgrades like v3.0 to v3.3
• preserving moving minor refs like v3.4 instead of rewriting them to v3.4.1
• mixed workflow refs from the same repository without cross-contaminating results
• fallback from blocked moving tags to eligible exact tags when appropriate
• newer majors that publish only a moving tag
• semver-equivalent exact tags such as v3.0 and v3.0.0 without treating them as upgrades

Validation

• go test ./...
• targeted resolver and CLI regressions for mixed refs, cooldown fallback, moving-only majors, moving minor preservation, and semver-equivalent tags
• generated reference-model checks over many candidate-state combinations
• property-based tests for resolver invariants using testing/quick

[Copilot]

Pull request overview

This PR updates actupdate’s resolver and CLI so exact semver action refs (e.g. @v3.0) can be upgraded to newer eligible tags within the same major (e.g. @v3.3), and ensures per-repo resolutions aren’t incorrectly reused across different refs during a single scan.

Changes:

• Add ResolveLatestStable to resolve upgrades within the current major and still prefer moving major tags when a newer major is eligible.
• Update the CLI scan/report flow to resolve per ref (removing the repo-level resolution reuse that caused incorrect behavior).
• Add regression tests covering mixed refs for the same repo (e.g. pypa/cibuildwheel@v3.3 and @v3.0) and same-major upgrade behavior.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
README.md	Updates documentation to describe “latest eligible stable version” behavior and moving-tag preference rules.
internal/github/client.go	Introduces ResolveLatestStable and same-major exact-tag upgrade detection logic.
internal/github/client_test.go	Adds unit tests for same-major upgrades and behavior with moving tags.
cmd/actupdate/main.go	Switches CLI resolution to ResolveLatestStable and removes repo-wide resolution caching across refs.
cmd/actupdate/main_test.go	Adds CLI regression test for mixed refs from the same repo in one workflow file.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

[qartik]

• Superseded by feat: improve stable action resolution #4