Automating NPM Dependency Updates with GitHub Actions
Discover how to streamline your development with GitHub Actions for automated dependency updates, enhancing efficiency in your CI/CD pipeline.
Maintaining up-to-date dependencies in your software projects is crucial for security, performance, and accessing new features. This task, however, can be tedious and time-consuming.
Fortunately, GitHub Actions offer a powerful and flexible way to automate this process. In this blog post, we'll explore how to set up a GitHub Action to automatically update dependencies in a JavaScript project.
What are GitHub Actions?
GitHub Actions is a CI/CD (Continuous Integration and Continuous Deployment) platform that allows you to automate your build, test, and deployment workflows right from your GitHub repository.
You can write individual tasks, called actions, and combine them to create a workflow. Workflows are defined by a YAML file in your repository and can be triggered by various GitHub events (like a push, pull request, or scheduled event).
Setting Up an Automatic Dependency Update Workflow
Let's dive into how we can use GitHub Actions to automatically update dependencies in a JavaScript project. Here’s a step-by-step guide using the provided example workflow:
1. Understanding the Workflow File
The YAML file for our workflow, which might be named .github/workflows/update-dependencies.yml
, looks like this:
name: Update Dependencies
on:
workflow_dispatch:
schedule:
- cron: '0 0 * * *' # Runs every day at midnight
jobs:
update:
runs-on: ubuntu-latest
steps:
...
This configuration sets up a workflow named “Update Dependencies” that triggers on two occasions: manually (workflow_dispatch
) and on a schedule (cron: '0 0 * * *'
, which means every day at midnight).
I like to add the manual configuration (workflow_dispatch
) because it makes testing easier.
The location of the file is important. GitHub looks for these actions to be located in the .github/workflow
folder.
2. Configuring the Job
The update
job runs on the latest Ubuntu runner provided by GitHub and consists of several steps:
Checking out the repository:
actions/checkout@v2
checks out your repository, so your workflow can access it. This action is provided by GitHub.Setting up Node.js:
actions/setup-node@v1
sets up the Node.js environment with a specified version (node-version: '20'
).Installing Yarn: This step installs Yarn, a package manager, using NPM. This step is only required if your application uses Yarn. If your application is based on NPM feel free to skip.
3. Updating Dependencies
The core of our workflow is updating the dependencies:
- name: Update Dependencies
run: |
yarn global add npm-check-updates
ncu -u
yarn install
This step does the following:
Installs
npm-check-updates
, a tool for upgrading yourpackage.json
dependencies to the latest versions.Runs
ncu -u
(npm-check-updates) which upgrades thepackage.json
file.Runs
yarn install
to install the updated dependencies and generate a new lock file.
4. Creating a Pull Request
Finally, the workflow uses the peter-evans/create-pull-request@v3
action to create a pull request with the updated package.json
and yarn.lock
files.
The pull request will include a predefined message, title, and branch name. What you decide to put in the message is entirely up to you.
- name: Create Pull Request
uses: peter-evans/create-pull-request@v3
with:
commit-message: Update dependencies
title: '[DEPENDENCY] Update Dependencies'
body: |
Updates dependencies in `package.json`.
branch: update-dependencies
5. Running the Action
The action will run automatically at midnight or whenever you trigger using the manual run workflow trigger (Actions > Update Dependencies > Run workflow
).
When the action finds dependencies to update, it will automatically create a PR with the required changes that you can merge at your leisure.
Conclusion
By automating the dependency update process using GitHub Actions, you can significantly reduce the manual effort involved in keeping your project dependencies current.
This not only saves time but also helps in maintaining a secure and stable code base. Remember, while the example provided focuses on a JavaScript project, the concept can be adapted to other languages and package managers.
You can find a complete example of this code here (I use this to keep my personal site up-to-date).
Happy coding!