

Keep your workflow actions up to date using GitHub Dependabot
source link: https://dev.to/onlyutkarsh/keep-your-workflow-actions-up-to-date-using-github-dependabot-1i29
GitHub Actions is great for automating your workflows. However, as you start using various actions from the GitHub Marketplace in your workflows, it soon becomes necessary to keep those actions up to date. New versions of actions might contain security fixes, bug fixes, etc., and manually keeping track of updates, or updating them when a newer version is available, is a lot of hassle. This is where Dependabot can help, by automatically raising PRs whenever a newer version of an action used in the workflow is available. In this post, we will see a quick way to keep actions up to date using GitHub Dependabot.
For this post, I am using my Git Config User Profiles repository. I have a workflow set up that builds and releases the VS Code extension to the VS Marketplace.
Create dependabot.yml file
To set up the Dependabot scan, first go to the .github folder in your repository root and create a dependabot.yml file. Then add the following content. This ensures that GitHub Dependabot raises a PR whenever a newer version of an action is available:
version: 2
updates:
  - package-ecosystem: "github-actions" # search for actions - there are other options available
    directory: "/" # search in .github/workflows under root `/`
    schedule:
      interval: "weekly" # check for action update every week
Commit the file
Commit the file created above and wait a few seconds. Depending on your workflow, you will see a bunch of PRs raised.
Dependabot Alerts as PR
If you look at a PR, you can see the change and decide whether you want to upgrade the specific action or not. If you decide to accept the change, merge the PR and the change will be made to the workflow file.
Commit Details
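To check that a repository is actually covered, the following added example (not code from the original post) reads `.github/dependabot.yml` and the workflow files, reports whether the `github-actions` ecosystem is declared, and lists the action references Dependabot would track. The function names and sample files are constructed for illustration, and the line-based matching assumes conventionally formatted YAML.

```python
import re
from pathlib import Path

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w./-]+)@([\w./-]+)")
ECOSYSTEM_RE = re.compile(r"^\s*(?:-\s*)?package-ecosystem:\s*['\"]?([\w-]+)")

def declared_ecosystems(dependabot_text):
    """package-ecosystem values in a dependabot.yml; commented-out lines never match."""
    return {m.group(1) for m in map(ECOSYSTEM_RE.match, dependabot_text.splitlines()) if m}

def referenced_actions(workflow_text):
    """(action, ref) pairs from `uses: owner/repo@ref`; ./local and docker:// refs are skipped."""
    return sorted({m.groups() for m in map(USES_RE.match, workflow_text.splitlines()) if m})

def audit(dependabot_text, workflows):
    """workflows maps file name -> text; dependabot_text is None when the file is missing."""
    actions = {name: referenced_actions(text) for name, text in workflows.items()}
    covered = dependabot_text is not None and "github-actions" in declared_ecosystems(dependabot_text)
    return {"covered": covered, "actions": {n: a for n, a in actions.items() if a}}

def audit_repo(root):
    """Run the same audit against a checked-out repository."""
    gh = Path(root) / ".github"
    cfg = gh / "dependabot.yml"
    files = [p for p in (gh / "workflows").glob("*") if p.suffix in (".yml", ".yaml")]
    return audit(cfg.read_text() if cfg.is_file() else None, {p.name: p.read_text() for p in files})

# Constructed sample input (not taken from the article's repository).
SAMPLE_CONFIG = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup Node
        uses: actions/setup-node@v2
      - uses: ./.github/actions/local-build
      # - uses: actions/cache@v1
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, {"release.yml": SAMPLE_WORKFLOW}))
```

Calling `audit_repo(".")` from a repository root runs the same check on real files; a result with `"covered": False` and a non-empty `"actions"` map means the workflows use actions that no Dependabot entry is watching.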
Conclusion
Isn’t it cool? This saves a lot of time if you have a number of workflows and don’t want to keep checking for the latest versions of actions. BTW, this is not limited to GitHub Actions: you can use the same approach to update npm, docker and many more using the various package ecosystems. Do check it out!