A while back I’d documented my journey to figure out automated GitHub Pages deployments with GitHub Actions, for which I’d created a script to make a GitHub repository automatically update itself – which is just what we need here as well. Since GitHub Actions also supports scheduled jobs, that article provides a solid foundation for our proposition above. Let’s start by tweaking that existing script:
Here we run
./bin/update-dependencies (a placeholder for something like
ncu -u && git add package.json) to update our
dependency declarations and then commit the result to the target branch. The
script relies on
environment variables provided by GitHub Actions
as well as a personal access token (PAT),
which we need to add to our repo’s
(via Settings → Secrets; named
Now we can make GitHub Actions periodically execute that script (e.g.
./bin/check-dependencies) by creating a workflow description (e.g.
(contab.guru is pretty helpful for figuring out
While that’s helpful already, we really want to be notified when dependencies were updated. Since we’re already using GitHub, we might as well create a pull request (PR) via their API. For that we’ll need to add our username (the one we used to create the PAT) to the workflow description – plus we’ll need Node for processing below:
Then we add a few HTTP requests to the end of our script:
(Note that we’re using Node here to interpret the API response.)
That’s it: Whenever dependencies are updated, a PR will be created or the existing one will be updated.
One caveat though: Since we’re using a personal access token to authenticate with GitHub’s API, the respective user won’t get an e-mail notification for PRs created/updated by our script. A workaround would be to use a friend’s PAT or create a technical user instead – neither of which seems very elegant. If there’s a better way, let me know in the comments below.