GitHub Actions Updater¶
Update GitHub Actions version pins in GitHub workflow files. Even with grouped, monthly updates, Dependabot PRs can still be noisy, especially for smaller or stable projects. This tool allows updating pins locally, when the maintainer wants to.
Installing¶
Install from PyPI in a virtualenv using an installer such as pip. Or install globally with an installer such as pipx:
$ pip install gha-update
$ pipx install gha-update
Running¶
Running the gha-update
command will update all workflow files
(.yaml
or .yml
) in .github/workflows
and subdirectories. The highest
tag for each action is found, and the commit hash for that tag is used to update
the pin. The version tag is added as a comment for reference.
Configuration¶
Configuration is taken from the [tool.gha-update]
section of a project’s
pyproject.toml
file. The --config
option can be used to select a different
TOML file. The following options are available:
tag-only
: A list of action names to pin using the tag name only, rather than the commit hash for that tag. For example, theslsa-framework/slsa-github-generator
action can’t work correctly when pinned as a hash.