Automatically update GitHub Action versions

— Originally published at stevefenton.co.uk

You don't notice your GitHub Actions versions until you start getting warnings about things like "Node 20 is no longer supported". When you think about it, GitHub Actions are yet another dependency that needs to be kept up to date and that presents supply chain risks.

Get Dependabot to do the work

The good news is, you can get Dependabot to keep your GitHub Actions up to date for you. You can add instructions for this to your .github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

In my case I already had configuration for my npm dependencies:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"

But it's trivial to add multiple updates to the same file:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

Automatic pull requests

When you first commit this file, you'll notice pull requests start appearing for your review.

Dependabot pull request to update a GitHub Action version

- name: Setup pnpm cache
    uses: actions/cache@v4 (-)
    uses: actions/cache@v5 (+)
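
Review bot: the new `uses: actions/cache@v5` line still references a major-version tag, and a tag can be moved to a different commit after this pull request is merged. Consider pinning the step to the full-length commit SHA of the release, with the version kept in a trailing comment, so the reference is immutable and the reviewed code is the code that runs.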

This is a simple example of how you can use Dependabot to keep your GitHub Actions up to date. You can find more information about Dependabot in the GitHub documentation.
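
The inventory below is an added example, not code from the original post: it lists the `uses:` references in a workflow, labels how each one is pinned, and checks whether a Dependabot config declares the `github-actions` ecosystem. The function names, the workflow excerpt, the `example-org` references and the placeholder commit SHA are constructed for illustration.

```python
import re

# `uses:` values and `package-ecosystem:` values; commented-out lines are skipped
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
ECOSYSTEM_RE = re.compile(r"^\s*(?:-\s*)?package-ecosystem:\s*['\"]?([\w-]+)", re.MULTILINE)

def classify(ref):
    """Label how an action reference is versioned."""
    if ref.startswith(("./", "docker://")):
        return "local-or-docker"
    version = ref.rpartition("@")[2]
    if re.fullmatch(r"[0-9a-f]{40}", version):
        return "commit-sha"
    if re.fullmatch(r"v?\d+(\.\d+){0,2}", version):
        return "version-tag"
    return "branch-or-other"

def audit_workflow(text):
    """Return sorted (reference, classification) pairs for every `uses:` line."""
    return sorted({(ref, classify(ref)) for ref in USES_RE.findall(text)})

def covers_github_actions(dependabot_yml):
    """True if the Dependabot config has a github-actions update entry."""
    return "github-actions" in ECOSYSTEM_RE.findall(dependabot_yml)

# Constructed workflow excerpt (not from a real repository); the SHA is a placeholder
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - name: Setup pnpm cache
    uses: actions/cache@v4
  - uses: ./.github/actions/local-build
  - uses: example-org/deploy@main
  - uses: example-org/scan@0123456789abcdef0123456789abcdef01234567
"""
# The npm-only configuration shown earlier, before the github-actions entry is added
SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
"""

if __name__ == "__main__":
    for ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:16} {ref}")
    print("github-actions covered:", covers_github_actions(SAMPLE_DEPENDABOT))
```

To run it against a real repository, read each file under `.github/workflows/` and `.github/dependabot.yml` and pass the text to these functions.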
