Updates Node dependencies and creates a pull request with the changes.
Uses npm-check-updates under the hood,
so you can add a .ncurc
file to fine tune dependency decisions,
such as which ones to ignore.
Note: prefer dependabot over this action once dependabot supports grouped pull requests.
name: Scheduled dependencies update
on:
schedule:
- cron: '0 15 * * 2'
jobs:
update-deps:
name: Update Node dependencies
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version-file: .nvmrc
- uses: neverendingqs/gh-action-node-update-deps@v2
with:
bump-version: patch # defaults to not bumping the package version
commit-message-prefix: fix # defaults 'chore'
package-manager: yarn # defaults to 'npm'
github-token: ${{ secrets.CUSTOM_GITHUB_TOKEN }} # defaults to the repo's `GITHUB_TOKEN`
git-user-email: [email protected] # defaults to '41898282+github-actions[bot]@users.noreply.github.com'
git-user-name: Test # defaults to 'github-actions[bot]'
pre-commit-script: npm run build # defaults to not running anything
pull-request-labels: test # defaults to 'dependencies'
target-version: minor # defaults to 'latest'
That is by design when using the repository's GITHUB_TOKEN
.
You can circumvent this by creating a personal access token or a installation access token.
Note that doing so exposes you to vulnerabilities described on Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests.