DEV Community

Dave Cross

Dependabot and GitHub Actions

If you're using GitHub Workflows to automate bits of your development process (test runs, deployment, stuff like that) then you're almost certainly using GitHub Actions as well. Actions are pre-built chunks of functionality that you can use in your workflows and which save you having to write a load of code yourself. I've never, for example, written a workflow definition that doesn't use actions/checkout to check out the current repo on the container that is running that workflow. Part of my workflow definition will always look like this:

steps:
  - name: Check out code
    uses: actions/checkout@v3

Or, at least, it will look a lot like that. The bit that might change is that v3 on the end there. That is, of course, the version of the action that I'm using. And that will change when the author of the action releases a new version. Well, strictly speaking, it will change when I notice that there's a new version and bother to update the workflow definition.

Recently, I noticed that two of the actions I use frequently (including the checkout action which I use everywhere) had updated their version numbers and I hadn't known about the change. It took a few hours of work to update the version numbers in all of my workflow definitions.

And life isn't supposed to be that much work.

But there's a solution. And I discovered it thanks to a discussion on Reddit.

If you're doing much work on GitHub (particularly in the JavaScript/Node area), then you'll have met Dependabot. It's a bot that scans GitHub repos for dependencies that are out of date and then (and here's the really clever bit!) it generates pull requests that update the repo to use the updated versions.

To be honest, I don't have many projects on GitHub that use the technologies that Dependabot targets by default. The few I have are web sites that use frameworks I've cloned from elsewhere - so I get the occasional PR that updates package.json and I just apply them and forget about it.

But it seems that Dependabot can do far more than that. You just need to configure it properly in your repo. And one of the things it can do is to scan for out of date actions being used in your workflow definitions. You just need a file called dependabot.yml in your .github directory and the contents should look like this:

# Set update schedule for GitHub Actions

version: 2
updates:

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every week
      interval: "weekly"

Dependabot will then check your action versions once a week and create PRs for any that are out of date. I know it works, because I added this to all of my repos this morning and it promptly created half a dozen PRs for repos where I had updated the versions but hadn't pushed the changes to GitHub. When I pushed the existing changes, Dependabot checked its PR against the new code, realised the PR was no longer needed and closed the PR. Which was nice :-)
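An added example, not code from the post: before (or alongside) letting Dependabot open its PRs, it helps to know which action versions a repo's workflow files already use. This Python script scans workflow text for `uses: owner/repo@ref` lines and reports any action pinned to different refs in different files, the kind of drift that cost me a few hours of manual updating. The workflow contents are constructed samples and the function names are my own.

```python
import re
from collections import defaultdict

# Matches a step's `uses:` line such as `uses: actions/checkout@v3`, capturing
# the action (owner/repo, optionally with a sub-path) and the ref after `@`.
# Local actions (`./path`) and `docker://` images have no owner/repo@ref form,
# so they never match.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([\w.-]+)')

# Constructed sample workflows (not from the post): checkout is pinned to v3 in
# one file and v4 in the other, the drift that Dependabot would flag.
WORKFLOWS = {
    "ci.yml": """\
jobs:
  test:
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
""",
    "deploy.yml": """\
jobs:
  deploy:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
""",
}

def collect_action_refs(workflow_text):
    """Return {action: {ref, ...}} for every remote action used in one workflow."""
    refs = defaultdict(set)
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if match:
            refs[match.group(1)].add(match.group(2))
    return dict(refs)

def inconsistent_actions(workflows):
    """Given {filename: text}, return {action: {ref: [files]}} for every action
    pinned to more than one ref across the workflows."""
    by_action = defaultdict(lambda: defaultdict(list))
    for filename, text in workflows.items():
        for action, refs in collect_action_refs(text).items():
            for ref in refs:
                by_action[action][ref].append(filename)
    return {action: {ref: sorted(files) for ref, files in refs.items()}
            for action, refs in by_action.items() if len(refs) > 1}
```

Run it over the real files in `.github/workflows/` by reading each one into the `WORKFLOWS` dict; an empty result means every action is pinned consistently.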

If you're using GitHub Workflows (and I can't really think of any reason why you wouldn't be) then I recommend adding this file to your repos. Of course, GitHub has documentation about this feature.

Dependabot clearly has more uses than I thought it did. I'm going to have to investigate it further. I wonder if it can check CPAN dependencies.

Do you have any Dependabot tricks that I would find useful?

Top comments (2)

David Cantrell

As far as I know Dependabot can't check CPAN dependencies. That's why I rolled my own. That script, once you've set it up, can be put in a cron job to run every night and notify you by email when any of your dependencies have been updated.

Dave Cross

Useful stuff. But I wonder if we could rip the guts out of your code and wrap it in Dependabot magic so that it automatically creates PRs to the correct metadata files.

To be honest, on reflection, I'm not sure how useful this would be (for me, at least) because I mostly just list module names as prereqs and if I add a version, it will be a minimum required version - which is unlikely to need automatic updating.