Automated Dependency Updates for GitHub Actions
Categories: ci
Renovate supports updating GitHub Actions dependencies.
File Matching¶
By default, Renovate will check any files matching any of the following regular expressions:
/(^|/)(workflow-templates|\.(?:github|gitea|forgejo)/(?:workflows|actions))/.+\.ya?ml$/
/(^|/)action\.ya?ml$/
For details on how to extend a manager's managerFilePatterns value, please follow this link.
Supported datasources¶
This manager supports extracting the following datasources: gitea-tags, github-digest, github-runners, github-tags.
Dependency types¶
This manager extracts the following depType values:
| depType | Description |
|---|---|
| action | A repository-based action reference in a uses: field (e.g. actions/checkout@v4) |
| docker | A Docker image reference in a uses: field (e.g. uses: docker://alpine:3) |
| container | A Docker image specified in a job's container: field |
| service | A Docker image specified in a job's services: field |
| github-runner | A GitHub-hosted runner version in a runs-on: field (e.g. ubuntu-24.04) |
| uses-with | A language/runtime version passed as an input to a versioned action (e.g. node-version for actions/setup-node) |
Default config¶
{
  "managerFilePatterns": [
    "/(^|/)(workflow-templates|\\.(?:github|gitea|forgejo)/(?:workflows|actions))/.+\\.ya?ml$/",
    "/(^|/)action\\.ya?ml$/"
  ]
}
Additional Information¶
The github-actions manager extracts dependencies from GitHub Actions workflow and workflow template files.
It can also be used for Gitea and Forgejo Actions workflows, since these are compatible with GitHub Actions workflows.
Digest pinning and updating¶
If you want to use digest pinning but still follow the action's version tag, you can use the sample below:
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
Renovate will update the commit SHA according to the GitHub tag you specified.
Renovate can update digests that use SHA1 and SHA256 algorithms.
The GitHub tag is in the format of <PREFIX><SEPARATOR><VERSION>.
PREFIX and SEPARATOR are optional.
Valid separators are the ASCII hyphen (-) or forward slash (/).
VERSION can include the major, minor, and patch components and may optionally include a v prefix.
Here are examples of valid GitHub tags:
1.0.1, 1.0, 1,
v1.0.1, v1.0, v1,
prefix-1.0.1, prefix-1.0, prefix-1,
prefix-v1.0.1, prefix-v1.0, prefix-v1,
prefix/1.0.1, prefix/1.0, prefix/1,
prefix/v1.0.1, prefix/v1.0, prefix/v1.
If you want to automatically pin action digests, add the helpers:pinGitHubActionDigests preset to the extends array:
{
  "extends": ["helpers:pinGitHubActionDigests"]
}
Non-semver refs (branches and feature tags)¶
Renovate supports GitHub Actions that reference non-semver refs like branch names (main, master) or feature-oriented tags (cargo-llvm-cov).
When the action reference doesn't look like a version number (i.e., doesn't match /^v?\d+/), Renovate routes it to the github-digest datasource, which fetches both tags and branches.
Since these refs have no version ordering, only digest pinning updates are supported.
Routing logic:
- actions/checkout@v4.2.0 → github-tags datasource (version updates)
- actions/checkout@v4 → github-tags datasource (version updates)
- taiki-e/install-action@cargo-llvm-cov → github-digest datasource (digest pinning only)
- actions/checkout@main → github-digest datasource (digest pinning only)
When pinning, Renovate adds a comment to preserve the original ref:
- uses: taiki-e/install-action@d8c10dae823f48238abff23fee4146b448aed2f1 # cargo-llvm-cov
Non-semver ref support is currently limited to GitHub-hosted actions. Gitea and Forgejo support the same ref types, but Renovate does not yet handle them for these platforms.
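An added example (not part of the Renovate documentation or code base): a small Python audit that applies the digest and routing rules described above to a workflow file, so references that are still tags or branches rather than commit digests stand out. The function names, the line-based uses: regex and the sample workflow are constructed for illustration; a production audit would use a YAML parser.

```python
import re

# Illustrative audit, not Renovate code; line-based matching is a simplification.
USES_RE = re.compile(  # repository-based `uses:` reference, optional trailing comment
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@\s'\"#]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"(?:\s*#\s*(?P<comment>.+?))?\s*$"
)
DIGEST_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # SHA1 or SHA256
VERSION_RE = re.compile(r"^v?\d+")  # the "looks like a version" rule quoted above


def classify(ref):
    """Label a ref as a digest, or by the datasource the routing rule selects."""
    if DIGEST_RE.match(ref):
        return "pinned"
    return "github-tags" if VERSION_RE.match(ref) else "github-digest"


def audit(workflow_text):
    """Return (line, action, ref, kind, comment) for each action reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m is None or m["action"].startswith("docker://"):
            continue  # docker:// images are a separate depType
        findings.append((lineno, m["action"], m["ref"], classify(m["ref"]), m["comment"]))
    return findings


def unpinned(findings):
    """References whose ref is a tag or branch name rather than a commit digest."""
    return [f for f in findings if f[3] != "pinned"]


# Constructed sample, built from the references shown on this page.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      - uses: actions/checkout@v4
      - uses: taiki-e/install-action@cargo-llvm-cov
      - uses: actions/checkout@main
      - uses: docker://alpine:3
"""

if __name__ == "__main__":
    for lineno, action, ref, kind, comment in audit(SAMPLE):
        print(f"line {lineno}: {action}@{ref} -> {kind} (comment: {comment})")
```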
Non-support of Variables¶
Renovate ignores any GitHub runners which are configured in variables.
For example, Renovate ignores the runner configured in the RUNNER variable:
name: build
on: [push]
env:
  RUNNER: ubuntu-22.04
jobs:
  build:
    runs-on: ${{ env.RUNNER }}
Ratchet support¶
The github-actions manager understands ratchet comments, like # ratchet:actions/checkout@v2.1.0.
This means that Renovate will:
- update the version of a pinned Ratchet version if needed
- not delete Ratchet comments after parsing them
- keep # ratchet:exclude comments
with: version support for built-in Actions¶
Renovate supports updating the "with" version for actions/setup-go, actions/setup-node, and actions/setup-python, although not all syntaxes are supported out of the box.
By default, Renovate will use npm-style semver versioning for go and python, and Renovate's built-in node versioning for updating node.
The goal of these defaults is to match as closely as possible to what these GitHub Actions support.
For example, normally the ^ syntax is not used in go or python, but it's supported in their respective actions.
Depending on your use case, you may need to change versioning manually.
If you find a use case which you think Renovate could/should automatically detect and support without manual configuration, please raise a Discussion to suggest it.
commonly used community actions¶
Renovate also supports some commonly used community actions:
- astral-sh/setup-uv
- pnpm/action-setup
- pdm-project/setup-pdm
- jaxxstorm/action-install-gh-release
- sigoden/install-binary
- prefix-dev/setup-pixi
- pypa/hatch@install
- golangci/golangci-lint-action
Open items¶
The list of features and bugs below was current when this page was generated on April 03, 2026.
Feature requests¶
- Change default versioning for github-actions to be semver-partial #42331
- Use gitea-refs for Gitea / Forgejo Actions #28120