GitHub Actions is great for automating your workflows. However, as you start using actions from the GitHub Marketplace in your workflows, you soon need to keep those actions up to date. New releases of an action might contain security fixes, bug fixes and so on, and manually tracking updates or bumping versions whenever a newer one is available is a lot of hassle. This is where Dependabot helps: it automatically raises a PR whenever a newer version of an action used in a workflow is available. In this post, we will see a quick way to keep actions up to date using GitHub Dependabot.

For this post, I am using my Git Config User Profiles repository. I have a workflow set up that builds and releases the VS Code extension to the VS Marketplace.

Create dependabot.yml file

To set up the Dependabot scan, first go to the .github folder in the root of your repository and create a dependabot.yml file. Then add the following content. This ensures GitHub Dependabot raises a PR whenever a newer version of an action is available.

version: 2
updates:
  - package-ecosystem: "github-actions" # search for actions - there are other options available
    directory: "/" # search in .github/workflows under root `/`
    schedule:
      interval: "weekly" # check for action update every week

Commit the file

Commit the file created above and wait a few seconds. Depending on your workflow, you will see a bunch of PRs raised.

Dependabot Alerts as PR

If you look at a PR, you can see the change and decide whether you want to upgrade that specific action. If you accept the change, merge the PR and the change is made to the workflow file.

Commit Details
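To see which action references a workflow contains before the PRs arrive, here is an added example (not from the original post or from GitHub): a standard-library Python check that a dependabot.yml enables the github-actions ecosystem and that inventories the `uses:` references in a workflow, labelling each as a version tag, a full commit SHA or something else. The workflow fragment and the example-org action names are constructed, and the regex scan is an assumption that stands in for a real YAML parser.

```python
import re

# "uses: owner/repo[/path]@ref", as a list item or as a key under a named step.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^'\"\s#]+)", re.MULTILINE)
ECOSYSTEM_RE = re.compile(r"package-ecosystem:[ \t]*['\"]?github-actions['\"]?[ \t]*(#.*)?$", re.MULTILINE)
SHA_RE = re.compile(r"[0-9a-f]{40}")
TAG_RE = re.compile(r"v?\d+(\.\d+){0,2}")

def classify(ref):
    # Full commit SHA, version tag, or anything else (branch name, missing ref).
    if SHA_RE.fullmatch(ref):
        return "sha"
    return "tag" if TAG_RE.fullmatch(ref) else "other"

def inventory(workflow_text):
    """Return sorted (action, ref, kind) tuples for the remote actions in one workflow."""
    found = set()
    for target in USES_RE.findall(workflow_text):
        if target.startswith(("./", "docker://")):
            continue  # local actions and container images are not action repositories
        action, _, ref = target.partition("@")
        found.add((action, ref, classify(ref)))
    return sorted(found)

def covers_github_actions(dependabot_text):
    """True if the config has an entry for the github-actions ecosystem."""
    return ECOSYSTEM_RE.search(dependabot_text) is not None

# Constructed sample input; the example-org actions are made-up names.
SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v2
  - uses: example-org/example-action@main
  - uses: ./.github/actions/local-step
  - name: package
    uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567
"""
if __name__ == "__main__":
    print("github-actions ecosystem enabled:", covers_github_actions(SAMPLE_DEPENDABOT))
    for action, ref, kind in inventory(SAMPLE_WORKFLOW):
        print(f"{kind:5} {action}@{ref}")
```

To run it against a real repository, read .github/dependabot.yml and each file under .github/workflows and pass their text to the two functions.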


Isn’t it cool? This saves a lot of time if you have a number of workflows and don’t want to keep checking for the latest versions of actions. BTW, this is not limited to GitHub Actions: you can use the same approach to update npm, Docker and many more using the various package ecosystems. Do check it out!

About author
Utkarsh Shigihalli
Utkarsh is passionate about software development and has experience in the areas of Azure, Azure DevOps, C# and TypeScript. Over the years he has worked as an architect, independent consultant and manager in many countries including India, United States, Netherlands and United Kingdom. He is a Microsoft MVP and has developed numerous extensions for Visual Studio, Visual Studio Code and Azure DevOps.