I have a GitHub repository which hosts GitHub Actions logic shared among other GitHub repositories. The file structure is:
.github
|_ .workflows
|_ shared-workflow-1
|_ ...
|_ shared-workflow-2
|_ ...
|_ custom-action-1
|_ action.yaml
|_ custom-action-2
|_ action.yaml
(Note that the workflows HAD to be declared in .github/workflows because of GitHub constraints, but the custom actions can be declared at repository root level, and can thus simply be called with my-github-logic-repo@custom-action1@main.)
My custom-action-* actions are composite actions, which rely themselves on GitHub actions from the marketplace, which I would like to be automatically updated by Dependabot.
I have enabled Dependabot on the repository with the following .github/dependabot.yml:
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
But the issue is that Dependabot only open Pull Requests to update actions inside the workflows, and it completely ignores the actions inside my own custom composite actions.
Is there a way to make Dependabot look at my custom actions when checking for updates, or is it plain not supported at the moment?
According to this Dependabot issue, composite actions are supported.
Using the directories setting introduced in April 2024, you could do something like
- package-ecosystem: github-actions
directories:
- / # Still required to update workflows
- /custom-action-1
- /custom-action-2
schedule:
interval: weekly
This was also possible before directories, but required multiple entries:
- package-ecosystem: github-actions
directory: / # Still required to update workflows
schedule:
interval: weekly
- package-ecosystem: github-actions
directory: /custom-action-1
schedule:
interval: weekly
- package-ecosystem: github-actions
directory: /custom-action-2
schedule:
interval: weekly