Updating Your GitHub Actions with Dependabot

Monday, April 1, 2024

Keep your GitHub Actions Up-To-Date

Recently, GitHub announced the deprecation of Node.js 16 actions, urging developers to transition to Node.js 20. With Node 16 reaching its end of life, this move is part of GitHub's ongoing effort to ensure security and efficiency in the development process.

You might have seen the following warning on your GitHub actions:

⚠️

Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20

By Spring 2024, all GitHub Actions are expected to run on Node 20. This transition is monitored closely, with GitHub gathering community feedback to determine the final migration date.

This warning serves as a reminder of the upcoming changes, urging developers to update their workflows. For more details, refer to GitHub's blog post.

Introduction to GitHub Actions

GitHub Actions enables the automation of all your software workflows, allowing you to build, test, and deploy your code right within GitHub's ecosystem. GitHub Actions workflows are stored as code files (YAML) inside your repository. You are responsible for creating and updating these workflows yourself.

The Easier Way to Update: Leveraging Dependabot for GitHub Actions

While manually updating GitHub Actions versions has been my default way to keep a workflow current, there is a more straightforward solution: Dependabot.

It is a great tool for updating your (p)npm or NuGet packages, but it also supports GitHub Actions. So instead of manually tracking and updating your GitHub Actions, you can use Dependabot to automate this process.

Dependabot scans your workflows and automatically creates pull requests to update your GitHub Actions to the latest versions. This not only saves time but also ensures your workflows remain secure and efficient, leveraging the latest features and fixes.

Setting Up Dependabot for GitHub Actions

To get started with Dependabot for your GitHub Actions:

  1. Create a .github/dependabot.yml file in your repository.
  2. Configure the file to monitor the directories containing your GitHub Actions workflows, specifying github-actions as the package-ecosystem.
  3. Sit back and let Dependabot handle the rest. Whenever a new version of an action you use is released, Dependabot will automatically raise a pull request to update your workflow file.

A complete example of a dependabot.yml file:

.github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
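As an added example (not code from the post), a small Python check that a repository owner can run before relying on the setup above: it lists every remote action a workflow references, flags which ones are pinned to a mutable tag (the ones Dependabot must keep current) versus an immutable commit SHA, and confirms that dependabot.yml actually contains a github-actions entry for the directory holding the workflows. The sample workflow, the 40-hex SHA and the function names are constructed for this example.

```python
import re

# Constructed sample inputs (not taken from the post or any real repository).
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: ./.github/actions/local-step
      - run: npm test
"""
DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

# Matches `uses: owner/repo@ref` (optionally quoted, optional trailing comment).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@\s"\']+)(?:@([^\s"\'#]+))?')

def find_action_refs(workflow_text):
    """Return (action, ref, is_sha) for each remote action; local ./ actions are skipped."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("./"):
            continue
        ref = m.group(2) or ""
        # A 40-hex commit SHA is immutable; a tag such as v4 can be moved by the publisher.
        refs.append((m.group(1), ref, bool(re.fullmatch(r"[0-9a-f]{40}", ref))))
    return refs

def dependabot_covers(dependabot_text, ecosystem="github-actions", directory="/"):
    """True if an `updates:` entry watches `ecosystem` in `directory` (line-based, no PyYAML)."""
    entries, current = [], None
    for line in dependabot_text.splitlines():
        m = re.match(r'^\s*-\s*package-ecosystem:\s*["\']?([\w-]+)', line)
        if m:
            current = {"ecosystem": m.group(1), "directory": None}
            entries.append(current)
            continue
        m = re.match(r'^\s*directory:\s*["\']?([^\s"\']+)', line)
        if m and current is not None:
            current["directory"] = m.group(1)
    return any(e["ecosystem"] == ecosystem and e["directory"] == directory for e in entries)
```

Run it over your real `.github/workflows/*.yml` and `.github/dependabot.yml` contents; an npm-only dependabot.yml, which is the common starting point, makes `dependabot_covers` return False and shows that the workflows are not being updated.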