GitHub Actions

Categories: ci

Renovate supports updating GitHub Actions dependencies.

File Matching

By default, Renovate will check any files matching any of the following regular expressions:

/(^|/)(workflow-templates|\.(?:github|gitea|forgejo)/(?:workflows|actions))/.+\.ya?ml$/
/(^|/)action\.ya?ml$/

For details on how to extend a manager's managerFilePatterns value, please follow this link.

Supported datasources

This manager supports extracting the following datasources: gitea-tags, github-digest, github-runners, github-tags.

Dependency types

This manager extracts the following depType values:

| depType | Description |
| --- | --- |
| action | A repository-based action reference in a uses: field (e.g. actions/checkout@v4) |
| docker | A Docker image reference in a uses: field (e.g. uses: docker://alpine:3) |
| container | A Docker image specified in a job's container: field |
| service | A Docker image specified in a job's services: field |
| github-runner | A GitHub-hosted runner version in a runs-on: field (e.g. ubuntu-24.04) |
| uses-with | A language/runtime version passed as an input to a versioned action (e.g. node-version for actions/setup-node) |

Default config

{
  "managerFilePatterns": [
    "/(^|/)(workflow-templates|\\.(?:github|gitea|forgejo)/(?:workflows|actions))/.+\\.ya?ml$/",
    "/(^|/)action\\.ya?ml$/"
  ]
}

Additional Information

The github-actions manager extracts dependencies from GitHub Actions workflow and workflow template files. It can also be used for Gitea and Forgejo Actions workflows, because these are compatible with GitHub Actions workflows.

Digest pinning and updating

If you would like to use digest pinning but still follow the action's version tag, you can use the sample below:

name: build

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

Renovate will update the commit SHA according to the GitHub tag you specified. Renovate can update digests that use SHA1 and SHA256 algorithms. The GitHub tag is in the format of <PREFIX><SEPARATOR><VERSION>. PREFIX and SEPARATOR are optional. Valid separators are the ASCII hyphen (-) or forward slash (/). VERSION can include the major, minor, and patch components and may optionally include a v prefix. Here are examples of valid GitHub tags: 1.0.1, 1.0, 1, v1.0.1, v1.0, v1, prefix-1.0.1, prefix-1.0, prefix-1, prefix-v1.0.1, prefix-v1.0, prefix-v1, prefix/1.0.1, prefix/1.0, prefix/1, prefix/v1.0.1, prefix/v1.0, prefix/v1.

If you want to automatically pin action digests, add the helpers:pinGitHubActionDigests preset to the extends array:

{
  "extends": ["helpers:pinGitHubActionDigests"]
}

Actions pinned to a bare SHA without a version comment are disabled by default, because Renovate cannot determine which branch or tag the SHA belongs to. To enable updates, add a tag or branch name as a version comment, as shown above.

Non-semver refs (branches and feature tags)

Renovate supports GitHub Actions that reference non-semver refs like branch names (main, master) or feature-oriented tags (cargo-llvm-cov).

When the action reference doesn't look like a version number (i.e., doesn't match /^v?\d+/), Renovate routes to the github-digest datasource which fetches both tags and branches. Since these refs have no version ordering, only digest pinning updates are supported.

Routing logic:

  • actions/checkout@v4.2.0 → github-tags datasource (version updates)
  • actions/checkout@v4 → github-tags datasource (version updates)
  • taiki-e/install-action@cargo-llvm-cov → github-digest datasource (digest pinning only)
  • actions/checkout@main → github-digest datasource (digest pinning only)

When pinning, Renovate adds a comment to preserve the original ref:

- uses: taiki-e/install-action@d8c10dae823f48238abff23fee4146b448aed2f1 # cargo-llvm-cov

Non-semver ref support is currently limited to GitHub-hosted actions. Gitea and Forgejo support the same ref types, but Renovate does not yet handle them for these platforms.
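The following audit script is an added example, not part of Renovate or its documentation. It applies the rules described above (the /^v?\d+/ routing test, SHA1/SHA256 digests, and the bare-SHA rule) to each uses: line of a workflow so you can see which references are pinned and which remain mutable. The function names, status labels and sample workflow are assumptions made for illustration.

```python
import re

# Rules below are derived from this page's text, not taken from Renovate's source.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#\s*(.+?))?\s*$""")
SHA_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")  # SHA1 or SHA256 digest
VERSION_LIKE_RE = re.compile(r"^v?\d+")                   # routing test quoted on this page


def classify(target, comment):
    """Return (status, detail) for one `uses:` value and its trailing comment."""
    if target.startswith("docker://"):
        return "docker", "image reference, not a repository action"
    if "@" not in target:
        return "no-ref", "local path or missing ref"
    ref = target.rsplit("@", 1)[1]
    if SHA_RE.match(ref):
        if comment:
            return "pinned", f"digest follows {comment}"
        return "bare-sha", "updates disabled by default: add a version comment"
    if VERSION_LIKE_RE.match(ref):
        return "mutable-tag", "github-tags (version updates)"
    return "mutable-ref", "github-digest (digest pinning only)"


def audit(workflow_text):
    """Return (line_number, target, status, detail) for every `uses:` line."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            findings.append((number, match.group(1), *classify(*match.groups())))
    return findings


# Constructed sample workflow; refs and digests reuse the examples on this page.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
      - uses: actions/checkout@v4
      - uses: actions/checkout@main
      - uses: taiki-e/install-action@d8c10dae823f48238abff23fee4146b448aed2f1 # cargo-llvm-cov
      - uses: docker://alpine:3
"""

if __name__ == "__main__":
    for number, target, status, detail in audit(SAMPLE):
        print(f"line {number}: {status:<11} {target}  ({detail})")
```

Lines reported as mutable-tag or mutable-ref are the ones the helpers:pinGitHubActionDigests preset would convert to a digest plus comment; bare-sha lines need a version comment added by hand before Renovate will update them.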

Non-support of Variables

Renovate ignores any GitHub runners which are configured in variables. For example, Renovate ignores the runner configured in the RUNNER variable:

name: build
on: [push]

env:
  RUNNER: ubuntu-22.04

jobs:
  build:
    runs-on: ${{ env.RUNNER }}

Ratchet support

The github-actions manager understands ratchet comments, like # ratchet:actions/checkout@v2.1.0. This means that Renovate will:

  • update the version of a pinned Ratchet version if needed
  • not delete Ratchet comments after parsing them
  • keep # ratchet:exclude comments

with: version support for built-in Actions

Renovate supports updating the "with" version for actions/setup-go, actions/setup-node, and actions/setup-python, although not all syntaxes are supported out of the box.

By default, Renovate will use npm-style semver versioning for go and python, and Renovate's built-in node versioning for updating node. The goal of these defaults is to match as closely as possible to what these GitHub Actions support. For example, normally the ^ syntax is not used in go or python, but it's supported in their respective actions.

Depending on your use case, you may need to change versioning manually. If you find a use case which you think Renovate could/should automatically detect and support without manual configuration, please raise a Discussion to suggest it.

Updating with: values in commonly used Community-maintained GitHub Actions

Third-party GitHub Actions maintained by the wider community commonly specify the version of a given tool in a with: block, such as:

steps:
- uses: astral-sh/setup-uv@v8.2.0
  with:
    version: '0.4.x'

- uses: 'denoland/setup-deno@v2'
  with:
    deno-version: '2.4.0'

Renovate supports extracting some of these input(s) from the following Actions, and performing automagic dependency updates accordingly. The following third-party Actions have support for their with: blocks:

| Action | with input(s) used | Dependency |
| --- | --- | --- |
| aquasecurity/setup-trivy | version | aquasecurity/trivy |
| aquasecurity/trivy-action | version | aquasecurity/trivy |
| astral-sh/setup-uv | version | astral-sh/uv |
| azure/setup-helm | version | helm |
| denoland/setup-deno | deno-version | deno |
| docker/setup-buildx-action | version | buildx |
| docker/setup-compose-action | version | docker/compose |
| docker/setup-docker-action | version | docker |
| golangci/golangci-lint-action | version | golangci/golangci-lint |
| helm/chart-testing-action | version | chart-testing |
| jakebailey/pyright-action | version | pyright |
| jaxxstorm/action-install-gh-release | repo, tag | (determined from with input(s)) |
| oven-sh/setup-bun | bun-version | bun |
| pdm-project/setup-pdm | version | pdm |
| pnpm/action-setup | version | pnpm |
| prefix-dev/setup-pixi | pixi-version | prefix-dev/pixi |
| pypa/hatch | version | pypa/hatch |
| ruby/setup-ruby | ruby-version | ruby |
| sigoden/install-binary | repo, tag | (determined from with input(s)) |
| zizmorcore/zizmor-action | version | ghcr.io/zizmorcore/zizmor |

Open items

The list of features and bugs below was current when this page was generated on June 10, 2026.

Feature requests

  • Use gitea-refs for Gitea / ForgejoActions #28120

Bug reports

  • pinDigests with github-actions fails for suffixed version tags #35789
  • Keep comments like ratchet:actions/setup-java@v4 when creating PRs #28645