Note
Update 2023-08-24
Looks like Dependabot introduced grouped Dependabot updates, which makes this GitHub Action redundant. Check out their announcement here:
https://github.blog/2023-08-24-a-faster-way-to-manage-version-updates-with-dependabot/
GitHub Action to bump multiple dependencies from either the same or multiple package managers with Dependabot in a single pull request.
Here is an example of how to use this action:
```yaml
name: Dependabot
on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * *"
jobs:
  check-dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: marcoroth/[email protected]
        with:
          dependencies: dependency_1, dependency_2
          package_managers: bundler, npm_and_yarn, pip
          directory: /
          branch: main
          username: x-access-token
          token: ${{ secrets.GITHUB_TOKEN }}
```
These options can be provided via `with:` in the workflow file.
`dependencies`
Required: Comma-separated list of the dependencies Dependabot should bump together.

`package_managers`
Required: Comma-separated list of the package managers Dependabot should update.
Default value: bundler, npm_and_yarn, pip
The available options are:
- bundler
- pip (includes pipenv)
- npm_and_yarn
- maven
- gradle
- cargo
- hex
- composer
- nuget
- dep
- go_modules
- elm
- submodules
- docker
- terraform

`directory`
Required: Directory in which the project to update lives.
Default value: /

`branch`
Required: The branch Dependabot runs against in your repository.
Default value: main

`username`
Required: The user to create the pull request.
Default value: x-access-token

`token`
Required: A GitHub Access Token with permission to create the pull request and access potential private repos Dependabot should bump.
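
A least-privilege variant of the workflow above, as an added example that is not part of the original README or the action's own documentation. The two `permissions` scopes are an assumption about what pushing the update branch and opening the pull request need, and the action reference is a placeholder to replace with the action's name and a commit SHA you have reviewed.

```yaml
name: Dependabot
on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * *"

# Start from no permissions so any job added later gets nothing by default.
permissions: {}

jobs:
  check-dependencies:
    runs-on: ubuntu-latest
    # Assumed minimum for pushing the update branch and opening the pull request.
    permissions:
      contents: write
      pull-requests: write
    steps:
      # Placeholder reference: pin the third-party action to a full commit SHA
      # rather than a movable tag, since it receives a write-capable token.
      - uses: marcoroth/<action-name>@<full-commit-sha>
        with:
          dependencies: dependency_1, dependency_2
          package_managers: bundler, npm_and_yarn, pip
          directory: /
          branch: main
          username: x-access-token
          # GITHUB_TOKEN is scoped to this repository only. If Dependabot must
          # read other private repositories, pass a separate fine-grained token
          # from a secret (BUMP_TOGETHER_TOKEN is a hypothetical name) instead.
          token: ${{ secrets.GITHUB_TOKEN }}
```

Opening pull requests with `GITHUB_TOKEN` also depends on the repository setting that allows GitHub Actions to create pull requests.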
This GitHub Action depends on the dependabot/dependabot-core Docker image and uses a modified version of the dependabot/dependabot-script update-script.rb to bump the dependencies.