Skip to main content

此版本的 GitHub Enterprise 将停止服务 2023-01-18. 即使针对重大安全问题,也不会发布补丁。 为了获得更好的性能、更高的安全性和新功能,请升级到最新版本的 GitHub Enterprise。 如需升级帮助,请联系 GitHub Enterprise 支持

Keeping your actions up to date with Dependabot

You can use Dependabot to keep the actions you use updated to the latest versions.

Note: Dependabot security and version updates are currently in private beta and subject to change. Please contact your account management team for instructions on enabling Dependabot updates.

注意:站点管理员必须先为 your GitHub Enterprise Server instance设置 Dependabot updates,然后你才能使用此功能。 有关详细信息,请参阅“对企业启用 Dependabot”。

About Dependabot version updates for actions

Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. When you enable Dependabot version updates for GitHub Actions, Dependabot will help ensure that references to actions in a repository's workflow.yml file are kept up to date. For each action in the file, Dependabot checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. If a more recent version of the action is available, Dependabot will send you a pull request that updates the reference in the workflow file to the latest version. For more information about Dependabot version updates, see "About Dependabot version updates." For more information about configuring workflows for GitHub Actions, see "Learn GitHub Actions."

Enabling Dependabot version updates for actions

You can configure Dependabot version updates to maintain your actions as well as the libraries and packages you depend on.

  1. If you have already enabled Dependabot version updates for other ecosystems or package managers, simply open the existing dependabot.yml file. Otherwise, create a dependabot.yml configuration file in the .github directory of your repository. For more information, see "Configuring Dependabot version updates."
  2. Specify "github-actions" as a package-ecosystem to monitor.
  3. Set the directory to "/" to check for workflow files in .github/workflows.
  4. Set a schedule.interval to specify how often to check for new versions.
  5. 将 dependabot.yml 配置文件签入存储库的 .github 目录中。 If you have edited an existing file, save your changes.

You can also enable Dependabot version updates on forks. For more information, see "Configuring Dependabot version updates."

Example dependabot.yml file for GitHub Actions

The example dependabot.yml file below configures version updates for GitHub Actions. The directory must be set to "/" to check for workflow files in .github/workflows. The schedule.interval is set to "weekly". After this file has been checked in or updated, Dependabot checks for new versions of your actions. Dependabot will raise pull requests for version updates for any outdated actions that it finds. After the initial version updates, Dependabot will continue to check for outdated versions of actions once a week.

# Set update schedule for GitHub Actions

version: 2
updates:

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every week
      interval: "weekly"

Configuring Dependabot version updates for actions

When enabling Dependabot version updates for actions, you must specify values for package-ecosystem, directory, and schedule.interval. There are many more optional properties that you can set to further customize your version updates. For more information, see "Configuration options for the dependabot.yml file."

Further reading