Dependabot and GitHub Actions

davorg

Dave Cross

Posted on February 16, 2023


If you're using GitHub Workflows to automate bits of your development process (test runs, deployment, stuff like that) then you're almost certainly using GitHub Actions as well. Actions are pre-built chunks of functionality that you can use in your workflows and which save you having to write a load of code yourself. I've never, for example, written a workflow definition that doesn't use actions/checkout to check out the current repo on the container that is running that workflow. Part of my workflow definition will always look like this:

steps:
  - name: Check out code
    uses: actions/checkout@v3

Or, at least, it will look a lot like that. The bit that might change is that v3 on the end there. That is, of course, the version of the action that I'm using. And that will change when the author of the action releases a new version. Well, strictly speaking, it will change when I notice that there's a new version and bother to update the workflow definition.

Recently, I noticed that two of the actions I use frequently (including the checkout action which I use everywhere) had updated their version numbers and I hadn't known about the change. It took a few hours of work to update the version numbers in all of my workflow definitions.

And life isn't supposed to be that much work.

But there's a solution. And I discovered it thanks to a discussion on Reddit.

If you're doing much work on GitHub (particularly in the JavaScript/Node area), then you'll have met Dependabot. It's a bot that scans GitHub repos for dependencies that are out of date and then (and here's the really clever bit!) it generates pull requests that update the repo to use the updated versions.

To be honest, I don't have many projects on GitHub that use the technologies that Dependabot targets by default. The few I have are websites that use frameworks I've cloned from elsewhere - so I get the occasional PR that updates package.json and I just apply them and forget about it.

But it seems that Dependabot can do far more than that. You just need to configure it properly in your repo. And one of the things it can do is to scan for out-of-date actions being used in your workflow definitions. You just need a file called dependabot.yml in your .github directory, and the contents should look like this:

# Set update schedule for GitHub Actions

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every week
      interval: "weekly"

Dependabot will then check your action versions once a week and create PRs for any that are out of date. I know it works, because I added this to all of my repos this morning and it promptly created half a dozen PRs for repos where I had updated the versions but hadn't pushed the changes to GitHub. When I pushed the existing changes, Dependabot checked its PR against the new code, realised the PR was no longer needed and closed the PR. Which was nice :-)
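As an added example (not code from the original post or from Dependabot), here is a small standard-library Python script that does by hand the inventory step the weekly PRs automate: it scans workflow files for uses: lines, records which version of each action every file references, labels each reference as a tag, branch or commit-SHA pin, and flags actions that different files pin differently, which is exactly the drift that took hours to fix manually above. The sample workflows and the 40-character SHA in them are constructed for the example.

```python
import re
from collections import defaultdict

# "uses: owner/repo@ref" (or owner/repo/subdir@ref); local "./x" and
# "docker://" references are skipped since Dependabot does not version them.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([\w.-]+/[\w./-]+)@([^\s"\'#]+)')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")

def parse_uses(workflow_text):
    """Return [(action, ref), ...] for every remote action the workflow uses."""
    matches = (USES_RE.match(line) for line in workflow_text.splitlines())
    return [m.groups() for m in matches if m]

def classify_ref(ref):
    """'sha' for a full commit pin, 'tag' for v3 / v3.5.2, else 'branch'."""
    if SHA_RE.match(ref):
        return "sha"
    return "tag" if TAG_RE.match(ref) else "branch"

def inventory(workflows):
    """{filename: yaml_text} -> {action: {ref: [filenames]}}."""
    inv = defaultdict(lambda: defaultdict(list))
    for name, text in workflows.items():
        for action, ref in parse_uses(text):
            if name not in inv[action][ref]:
                inv[action][ref].append(name)
    return inv

def find_drift(inv):
    """Actions referenced at more than one ref: what a bulk update missed."""
    return {a: dict(refs) for a, refs in inv.items() if len(refs) > 1}

# Constructed sample workflows (not real repos); the SHA is a made-up value.
SAMPLE = {
    "ci.yml": """
steps:
  - name: Check out code
    uses: actions/checkout@v3
  - uses: actions/setup-node@v3
""",
    "deploy.yml": """
steps:
  - uses: actions/checkout@v2
  - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v3.2.0
  - uses: someone/deploy-thing@main
  - uses: ./local-action
""",
}
```

Run it over your own checkout by building the dict from .github/workflows/*.yml and calling find_drift(inventory(files)); every action it reports is one Dependabot would open a PR for.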

If you're using GitHub Workflows (and I can't really think of any reason why you wouldn't be) then I recommend adding this file to your repos. Of course, GitHub has documentation about this feature.

Dependabot clearly has more uses than I thought it did. I'm going to have to investigate it further. I wonder if it can check CPAN dependencies.

Do you have any Dependabot tricks that I would find useful?
