
Automated Dependency Updates for GitHub Actions

Renovate supports updating GitHub Actions dependencies.

File Matching

By default, Renovate will check any files matching any of the following regular expressions:

^(workflow-templates|\.github\/workflows)\/[^/]+\.ya?ml$
(^|\/)action\.ya?ml$

For details on how to extend a manager's fileMatch value, please follow this link.

Supported datasources

This manager supports extracting the following datasources: github-tags.

Default config

{
  "fileMatch": [
    "^(workflow-templates|\\.github\\/workflows)\\/[^/]+\\.ya?ml$",
    "(^|\\/)action\\.ya?ml$"
  ]
}

Additional Information

The github-actions manager extracts dependencies from GitHub Actions workflow and workflow template files.

If you would like to use digest pinning but still follow the action's version tag, you can use the following sample:

name: build

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@af513c7a016048ae468971c52ed77d9562c7c819 # renovate: tag=v1.0.0

Renovate will update the commit SHA but follow the GitHub tag you specified. Renovate can update digests that use SHA1 and SHA256 algorithms.

If you want to automatically pin action digests, add the helpers:pinGitHubActionDigests preset to the extends array:

{
  "extends": ["helpers:pinGitHubActionDigests"]
}
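
An added example (not part of the Renovate documentation or code base): a Node.js script that applies the default fileMatch patterns above and reports which uses: references are pinned to a SHA1 or SHA256 digest. The USES_RE line matcher, the function names and the sample workflow are assumptions made for this example; Renovate's own extraction logic may differ.

```javascript
// Default fileMatch patterns, taken verbatim from the "Default config" JSON.
const FILE_MATCH = [
  '^(workflow-templates|\\.github\\/workflows)\\/[^/]+\\.ya?ml$',
  '(^|\\/)action\\.ya?ml$',
].map((p) => new RegExp(p));

function isManagedFile(path) {
  return FILE_MATCH.some((re) => re.test(path));
}

// Assumption: simplified line matcher for this example, not Renovate's parser.
// Captures the action name, the ref, and an optional "# renovate: tag=" comment.
const USES_RE =
  /^\s*(?:-\s+)?uses:\s*['"]?([^@\s'"]+)@([^\s'"#]+)['"]?(?:\s*#\s*renovate:\s*tag=(\S+))?/;
// SHA1 digests are 40 hex characters, SHA256 digests are 64.
const DIGEST_RE = /^(?:[0-9a-f]{40}|[0-9a-f]{64})$/;

function auditWorkflow(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = USES_RE.exec(line);
    if (!m || m[1].startsWith('docker://')) return; // skip container image refs
    const [, action, ref, tag] = m;
    let status = 'unpinned'; // tag or branch ref, not a digest
    if (DIGEST_RE.test(ref)) status = tag ? 'pinned-with-tag' : 'pinned-no-tag';
    findings.push({ line: i + 1, action, ref, tag: tag || null, status });
  });
  return findings;
}

// Constructed sample workflow; the first step is the one shown on this page,
// the other two are made up for the example.
const SAMPLE = `name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@af513c7a016048ae468971c52ed77d9562c7c819 # renovate: tag=v1.0.0
      - uses: actions/setup-node@v3
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
`;

for (const f of auditWorkflow(SAMPLE)) {
  console.log(`${f.line}: ${f.action}@${f.ref} -> ${f.status}`);
}
```

Entries reported as pinned-no-tag have a digest but lack the tag comment that the sample above uses to name the version tag Renovate should follow.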

Open feature requests

  • pin version in github-actions #7516
  • Renovate doesn't update NodeJS version used by GitHub actions #7716
  • Use Gradle versioning automatically for gradle Actions #12584

Open bug reports

  • GHE: github-actions should lookup new versions from current host/endpoint #10178

The above list of features and bugs was current when this page was generated on December 08, 2022.