DEV Community

Utkarsh Shigihalli
Utkarsh Shigihalli

Posted on • Originally published at visualstudiogeeks.com on

Keep your workflow actions up to date using GitHub Dependabot

GitHub Actions is great in automating your workflows. However, as you start using various actions from GitHub Marketplace in your workflow, it will soon become necessary for you to keep the actions up-to-date. Actions might contain security fixes, bug fixes etc and manually keeping track of updates or updating them when a newer version is available is a lot of hassle. This is where we can use Depndabot can help is by automatically raising PR’s whenever there is a newer version of action is available used in the workflow. In this post, we will see quick way to keep the actions up-to-date using GitHub Dependabot.

For this post, I am using my Git Config User Profiles repository. I have workflow setup which builds and releases the VS Code extension to VS Marketplace.

Create dependabot.yml file

To set up Dependabot scan, first got to .github folder in your root and create a depndabot.yml file. Then add the following content. This will ensure GitHub Dependabot raise a PR whenever there is a newer version of action is available

version: 2
updates:
  - package-ecosystem: "github-actions" # search for actions - there are other options available
    directory: "/" # search in .github/workflows under root `/`
    schedule:
      interval: "weekly" # check for action update every week

Enter fullscreen mode Exit fullscreen mode

Commit the file

Commit the file created above and wait for few seconds. Based on your workflow, you will see a bunch of PR’s raised.

Dependabot PR
Dependabot Alerts as PR

If you look at the PR, you will be able to see the change and take a decision whether you want to upgrade the specific action or not. If you decide to accept the change, merge the PR and the changes on the workflow file will be made.

Commit Details
Commit Details

Conclusion

Isn’t it cool? This saves a lot of time, if you have a number of workflows and don’t want to keep checking the latest versions of actions. BTW, not only GitHub actions, you can use same approach to update npm, docker and many more using various package ecosystems. Do check it out!

Top comments (0)