About Dependabot version updates for actions
Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. When you enable Dependabot version updates for GitHub Actions, Dependabot will help ensure that references to actions in a repository's workflow.yml file and reusable workflows used inside workflows are kept up to date.
For each action in the file, Dependabot checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. For information about how action creators version their actions, see "Using release management for your custom actions."
If a more recent version of the action is available, Dependabot will send you a pull request that updates the reference in the workflow file to the latest version. For more information about Dependabot version updates, see "About Dependabot version updates." For more information about configuring workflows for GitHub Actions, see "Writing workflows."
Dependabot also checks workflow files for uses of reusable workflows, and updates the git reference for these called reusable workflows. For more information about reusable workflows, see "Reusing workflows."
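To see which references in a workflow file the paragraphs above are talking about, the following added example (not GitHub's or Dependabot's own code) lists every `uses:` value and labels its reference as a commit identifier, a version number, or something else. It is a simplified line-based scan rather than a YAML parser, and the function names, the `example-org` names and the SHA in the sample are constructed for illustration.

```python
import re

# Matches a `uses:` key in a step or job, with optional list dash and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")


def classify(target):
    """Return (name, ref, kind) for one `uses:` value."""
    if target.startswith("./"):
        return target, None, "local"          # same-repository path, no git ref
    if target.startswith("docker://"):
        return target, None, "docker"         # container image, not a git ref
    name, sep, ref = target.partition("@")
    if not sep:
        return name, None, "unpinned"
    if SHA_RE.match(ref):
        kind = "commit"
    elif VERSION_RE.match(ref):
        kind = "version"
    else:
        kind = "other"                        # branch name or non-numeric tag
    return name, ref, kind


def inventory(workflow_text):
    """List every action or reusable-workflow reference in a workflow file."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            found.append(classify(m.group(1)))
    return found


# Constructed sample workflow; the example-org names and the SHA are made up.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/build-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: example-org/lint-action@main
  call:
    uses: example-org/shared/.github/workflows/ci.yml@v1.2.0
  local:
    uses: ./.github/workflows/reusable.yml
"""

if __name__ == "__main__":
    for name, ref, kind in inventory(SAMPLE):
        print(f"{kind:8} {name} {ref or ''}")
```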
Note
Workflow runs triggered by Dependabot pull requests run as if they are from a forked repository, and therefore use a read-only GITHUB_TOKEN. These workflow runs cannot access any secrets. For information about strategies to keep these workflows secure, see "Security hardening for GitHub Actions."
Enabling Dependabot version updates for actions
You can configure Dependabot version updates to maintain your actions as well as the libraries and packages you depend on.
- If you have already enabled Dependabot version updates for other ecosystems or package managers, simply open the existing dependabot.yml file. Otherwise, create a dependabot.yml configuration file in the .github directory of your repository. For more information, see "Configuring Dependabot version updates."
- Specify "github-actions" as a package-ecosystem to monitor.
- Set the directory to "/" to check for workflow files in .github/workflows.
- Set a schedule.interval to specify how often to check for new versions.
- Check the dependabot.yml configuration file in to the .github directory of the repository. If you have edited an existing file, save your changes.
You can also enable Dependabot version updates on forks. For more information, see "Configuring Dependabot version updates."
Example dependabot.yml file for GitHub Actions
The example dependabot.yml file below configures version updates for GitHub Actions. The directory must be set to "/" to check for workflow files in .github/workflows. The schedule.interval is set to "weekly". After this file has been checked in or updated, Dependabot checks for new versions of your actions. Dependabot will raise pull requests for version updates for any outdated actions that it finds. After the initial version updates, Dependabot will continue to check for outdated versions of actions once a week.
# Set update schedule for GitHub Actions
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every week
      interval: "weekly"
Configuring Dependabot version updates for actions
When enabling Dependabot version updates for actions, you must specify values for package-ecosystem, directory, and schedule.interval. There are many more optional properties that you can set to further customize your version updates. For more information, see "Configuration options for the dependabot.yml file."