How to automatically update packages using GitHub Actions

Created: 2024-11-29
Updated: 2025-06-23

Introduction

As I outlined in this post, I am a strong advocate of keeping all my dependencies up to date. Previously, I used a script to manually update them every morning, but this quickly became tedious and felt like a chore. Since I already use GitHub for this website's codebase and have integrated it with Vercel for automatic deployments, it makes sense to use GitHub Actions to automatically update my packages and have the changes automatically deployed when there is no build error.

In this blog post, I will outline how I set up my GitHub Actions workflow to automatically update my packages.

Setting Up the Workflow

To get started, follow the steps provided by GitHub in their workflow documentation.

Setting Up Dependabot

After setting up the general GitHub Actions workflow, enable Dependabot to automatically update your packages. In the dependabot.yml file, use the following configuration:

```yml
version: 2
updates:
  # Keep the actions used in workflows up to date
  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      interval: 'weekly'
  # Dependabot covers pnpm projects under the 'npm' ecosystem value
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'daily'
      time: '06:00'
    groups:
      # Bundle minor and patch updates into one pull request
      all-dependencies:
        update-types:
          - 'minor'
          - 'patch'
```

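With this configuration, Dependabot checks for package updates every day at 06:00 (UTC unless a timezone is set) and groups minor and patch updates into a single pull request. Major updates are not part of the group and still arrive as individual pull requests. It also checks for GitHub Actions updates weekly.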

Normally, Dependabot creates a pull request for each update. You can manually merge these pull requests after verifying that the build is successful and deployed correctly. However, this can also become tedious, so the next step is to automate the approval and merging of pull requests.

Setting Up the Auto-Merge Workflow

To automatically approve and merge pull requests, create a new workflow file named dependabot-workflow.yml in the .github/workflows directory.

The workflow should include two main jobs:

  1. Auto-approve job: This job runs when Dependabot creates a pull request and automatically approves it
  2. Auto-merge job: This job runs after the auto-approve job and automatically merges the approved pull request

The key components of the workflow are:

  • Trigger: The workflow triggers on pull request events
  • Permissions: Set appropriate permissions for contents and pull-requests
  • Conditional execution: Only run for Dependabot pull requests using if: github.actor == 'dependabot[bot]'
  • GitHub CLI commands: Use gh pr review --approve and gh pr merge --auto --merge to handle the automation
  • Environment variables: Set up necessary tokens and URLs for the GitHub CLI commands
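The workflow described above, written out as an added example (it is not the author's actual file). Two things are assumptions beyond the post: the condition checks the pull request author instead of `github.actor`, and a `dependabot/fetch-metadata` step holds back major updates for manual review.

```yaml
# .github/workflows/dependabot-workflow.yml (added example, not the author's file)
name: Dependabot auto-approve and auto-merge

on: pull_request

# Only the scopes that approving and merging need.
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-approve:
    runs-on: ubuntu-latest
    # Checks who opened the PR; the post's condition is github.actor == 'dependabot[bot]'.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Approve the pull request
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  auto-merge:
    runs-on: ubuntu-latest
    needs: auto-approve
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Read update metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Enable auto-merge for minor and patch updates
        # Added guard, not in the post: major updates wait for a human.
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

For this to work, the repository settings must allow auto-merge and allow GitHub Actions to create and approve pull requests.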

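With this setup, every pull request opened by Dependabot will be automatically approved and merged. Because gh pr merge is called with --auto, the merge happens only after the branch's merge requirements are met, so a required build check on the branch is what keeps a failing update from being merged.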

Conclusion

Hopefully, this has shown how easy it is to keep your dependencies up to date using GitHub Actions and Dependabot. The key benefits of this approach are:

  • Automated updates: Dependencies are updated automatically without manual intervention
  • Consistent timing: Updates happen at a predictable schedule
  • Reduced maintenance: Less time spent on routine dependency management
  • Improved security: Faster adoption of security patches and bug fixes

This automation has significantly improved my development workflow and ensures my projects stay current with the latest package versions.