I have a GitHub repository which hosts GitHub Actions logic shared among other GitHub repositories. The file structure is:

    .github
    |_ .workflows
       |_ shared-workflow-1
          |_ ...
       |_ shared-workflow-2
          |_ ...
    custom-action-1
    |_ action.yaml
    custom-action-2
    |_ action.yaml

(Note that the workflows HAD to be declared in .github/workflows because of GitHub constraints, but the custom actions can be declared at repository root level, and can thus simply be called with my-github-logic-repo@custom-action1@main.)
My custom-action-* actions are composite actions, which themselves rely on GitHub actions from the marketplace, which I would like to be automatically updated by Dependabot.
I have enabled Dependabot on the repository with the following .github/dependabot.yml:

    version: 2
    updates:
      - package-ecosystem: "github-actions"
        directory: "/"
        schedule:
          interval: "weekly"

But the issue is that Dependabot only opens Pull Requests to update actions inside the workflows, and it completely ignores the actions inside my own custom composite actions.
Is there a way to make Dependabot look at my custom actions when checking for updates, or is it plain not supported at the moment?
CodePudding user response:
According to this Dependabot issue, composite actions are supported, but you need to point Dependabot to each subdirectory in the configuration:

    - package-ecosystem: github-actions
      directory: / # Still required to update workflows
      schedule:
        interval: weekly
    - package-ecosystem: github-actions
      directory: /custom-action-1
      schedule:
        interval: weekly
    - package-ecosystem: github-actions
      directory: /custom-action-2
      schedule:
        interval: weekly
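
A check that can run in CI to catch composite actions Dependabot is not watching, following the answer above: it lists every directory holding an action.yml/action.yaml and emits the entries missing from dependabot.yml. This is an added example, not code from the question, the answer or Dependabot; the line-based config parse assumes `package-ecosystem` precedes `directory` in each entry, as in the snippets on this page, and the sample repository in `demo()` is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

def find_action_dirs(repo_root):
    """Directories (Dependabot-style, '/'-rooted) that hold an action.yml/action.yaml."""
    root, found = Path(repo_root), set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        if {"action.yml", "action.yaml"} & set(filenames):
            rel = Path(dirpath).relative_to(root).as_posix()
            found.add("/" if rel == "." else "/" + rel)
    return sorted(found)

def configured_dirs(config_text):
    """'directory:' values of github-actions entries (assumes ecosystem line comes first)."""
    dirs, in_actions = set(), False
    for line in config_text.splitlines():
        line = line.split(" #")[0]  # drop trailing comments
        m = re.match(r"\s*-?\s*package-ecosystem:\s*[\"']?([\w-]+)", line)
        if m:
            in_actions = m.group(1) == "github-actions"
        m = re.match(r"\s*-?\s*directory:\s*[\"']?([^\"'\s]+)", line)
        if m and in_actions:
            dirs.add("/" + m.group(1).strip("/"))
    return dirs

def missing_entries(repo_root, config_text, interval="weekly"):
    """Uncovered action directories and the YAML list items that would cover them."""
    covered = configured_dirs(config_text)
    missing = [d for d in find_action_dirs(repo_root) if d not in covered]
    return missing, "".join(
        f'  - package-ecosystem: "github-actions"\n    directory: "{d}"\n'
        f'    schedule:\n      interval: "{interval}"\n' for d in missing)

def demo():
    """Constructed repo mirroring the question's layout, checked against its config."""
    config = ('version: 2\nupdates:\n  - package-ecosystem: "github-actions"\n'
              '    directory: "/"\n    schedule:\n      interval: "weekly"\n')
    with tempfile.TemporaryDirectory() as root:
        for rel in (".github/workflows/shared-workflow-1.yml",
                    "custom-action-1/action.yaml", "custom-action-2/action.yaml"):
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("# constructed placeholder\n")
        return missing_entries(root, config)

if __name__ == "__main__":
    dirs, yaml_items = demo()
    print("not covered:", dirs)
    print(yaml_items, end="")
```

Failing the CI job when the first return value is non-empty keeps a newly added composite action from going unmonitored.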