GitHub Actions is great in automating your workflows. However, as you start using various actions from GitHub Marketplace in your workflow, it will soon become necessary for you to keep the actions up-to-date. Actions might contain security fixes, bug fixes etc and manually keeping track of updates or updating them when a newer version is available is a lot of hassle. This is where we can use Depndabot, which can help by automatically raising PR’s whenever there is a newer version of action is available used in the workflow. In this post, we will see quick way to keep the actions up-to-date using GitHub Dependabot.
For this post, I am using my Git Config User Profiles repository. I have workflow setup which builds and releases the VS Code extension to VS Marketplace.
Create dependabot.yml file
To setup Dependabot scan, first got to
.github folder in your root and create a
depndabot.yml file. Then add the following content. This will ensure GitHub Dependabot raise a PR whenever there is a newer version of action is available
version: 2 updates: - package-ecosystem: "github-actions" # search for actions - there are other options available directory: "/" # search in .github/workflows under root `/` schedule: interval: "weekly" # check for action update every week
Commit the file
Commit the file created above and wait for few seconds. Based on your workflow, you will see a bunch of PR’s raised.
If you look at the PR, you will be able to see the change and take a decision whether you want to upgrade the specific action or not. If you decide to accept the change, merge the PR and the changes on the workflow file will be made.
Isn’t it cool? This saves a lot of time, if you have a number of workflows and don’t want to keep checking the latest versions of actions. BTW, not only GitHub actions, you can use the same approach to update
docker and many more using various package ecosystems. Do check it out!