How to Keep SHA-Pinned Actions Updated With Dependabot
Dependabot updates SHA-pinned actions and refreshes the version comment, so pinning does not mean going stale.
Add a github-actions entry to .github/dependabot.yml. Dependabot opens PRs that bump the pinned SHA to the latest release and updates the trailing version comment, giving you pinning plus timely patches.
Steps
- Create or edit
.github/dependabot.yml. - Add a
package-ecosystem: "github-actions"update block. - Set an update
scheduleand review the PRs Dependabot opens.
dependabot.yml
.github/dependabot.yml
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5Gotchas
- Dependabot only scans workflows in
.github/workflows; reusable workflows elsewhere need their own config. - Review each bump; an automated PR still points at code you should trust before merging.
Related guides
How to Pin GitHub Actions to a Commit SHAPin third-party GitHub Actions to a full commit SHA instead of a mutable tag so a compromised or retagged rel…
How to Block Risky Dependencies With dependency-review-actionFail pull requests that add vulnerable or disallowed-license dependencies in GitHub Actions with actions/depe…