Skip to content
Latchkey

How to Keep SHA-Pinned Actions Updated With Dependabot

Dependabot updates SHA-pinned actions and refreshes the version comment, so pinning does not mean going stale.

Add a github-actions entry to .github/dependabot.yml. Dependabot opens PRs that bump the pinned SHA to the latest release and updates the trailing version comment, giving you pinning plus timely patches.

Steps

  • Create or edit .github/dependabot.yml.
  • Add a package-ecosystem: "github-actions" update block.
  • Set an update schedule and review the PRs Dependabot opens.

dependabot.yml

.github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

Gotchas

  • Dependabot only scans workflows in .github/workflows; reusable workflows elsewhere need their own config.
  • Review each bump; an automated PR still points at code you should trust before merging.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →