GitHub bought a service called Dependabot a while back and is now integrating it into the ecosystem as a GitHub Application. This allows GitHub users to automate dependency management and to get alerted when a security-related update is available. For now, this service is still in beta, but it can be added to all service plans.
Let's start simple: creating .github/dependabot.yml with the content below tells Dependabot to scan all your GitHub workflows daily for GitHub Actions that are referenced there and have a newer release available. It will also open a pull request that can be merged once approved.
```yaml
---
version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: daily
      time: "04:00"
    open-pull-requests-limit: 10
```
A daily scan seems fine and is limited to 10 open pull requests, but if you have many repositories to maintain, this task can become daunting. Luckily, Dependabot is aware of pull requests that are still open and will update them when a newer version of the dependency is found, so a weekly or even monthly scan can be a better fit for your workflow. The example below runs every Friday and gives you an idea of what your work for the next week will be.
```yaml
---
version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    open-pull-requests-limit: 10
```
Dependabot can maintain dependencies for many ecosystems, and the example below is the one I use for my development containers in VSCode and GitHub Codespaces. It scans the Dockerfile to see if the base image is outdated, and it also scans the Python dependencies for any known updates.
```yaml
---
version: 2
updates:
  - package-ecosystem: docker
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    open-pull-requests-limit: 10
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    open-pull-requests-limit: 10
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    open-pull-requests-limit: 10
```
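The three configurations above all share the same shape: a `version`, and a list of `updates` entries that each need a package ecosystem, a directory and a schedule. A common way for one of these files to silently do nothing is a lost indentation level or a misspelled key, which Dependabot only reports after the file has been committed. The script below is an added example (not part of the original post and not Dependabot's own tooling): it parses the restricted YAML subset these files use, without any third-party library, and checks the entries for the mistakes a reviewer would look for. The intervals it accepts are the three the post uses (daily, weekly, monthly), the `hh:mm` format for `time` follows the post's `"04:00"`, and the sample configs are constructed for the demonstration; everything else about Dependabot's schema is an assumption made here, not a claim about the service.

```python
import re

VALID_INTERVALS = ("daily", "weekly", "monthly")  # the intervals the post uses
REQUIRED_KEYS = ("package-ecosystem", "directory", "schedule")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _scalar(text):
    """Unquote "..." / '...' strings and turn plain digit runs into ints."""
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    return int(text) if text.isdigit() else text


def _entry(lines, pos, indent, body):
    """Read one `key: value`, or `key:` followed by a nested block."""
    key, _, value = body.partition(":")  # split on the first colon only, so "04:00" survives
    key, value = key.strip(), value.strip()
    pos[0] += 1
    if value:
        return key, _scalar(value)
    if pos[0] < len(lines):
        nxt = _indent(lines[pos[0]])
        # nested block: indented deeper, or a list starting at the same column
        if nxt > indent or (nxt == indent and lines[pos[0]].lstrip().startswith("- ")):
            return key, _block(lines, pos, nxt)
    raise ValueError(f"no value for key {key!r}")


def _block(lines, pos, indent):
    """Parse consecutive lines at exactly `indent` spaces into a dict or a list.
    Subset handled: the key on a dash line carries a scalar; the item's other
    keys sit two spaces past the dash (the layout used by dependabot.yml)."""
    is_list = lines[pos[0]].lstrip().startswith("- ")
    out = [] if is_list else {}
    while pos[0] < len(lines):
        line = lines[pos[0]]
        cur, body = _indent(line), line.strip()
        if cur < indent:
            break
        if cur > indent:
            raise ValueError(f"bad indentation: {line!r}")
        if body.startswith("- ") != is_list:
            break  # a list ended and the enclosing mapping continues
        if is_list:
            key, value = _entry(lines, pos, indent, body[2:])
            item = {key: value}
            if pos[0] < len(lines) and _indent(lines[pos[0]]) == indent + 2:
                item.update(_block(lines, pos, indent + 2))
            out.append(item)
        else:
            key, value = _entry(lines, pos, indent, body)
            out[key] = value
    return out


def parse_dependabot_yaml(text):
    """Parse a dependabot.yml written in the subset above; ignores '---' and comments."""
    lines = [ln.rstrip() for ln in text.splitlines()
             if ln.strip() and ln.strip() != "---" and not ln.lstrip().startswith("#")]
    if not lines:
        raise ValueError("empty configuration")
    pos = [0]
    config = _block(lines, pos, _indent(lines[0]))
    if pos[0] != len(lines):
        raise ValueError(f"unparsed line: {lines[pos[0]]!r}")
    return config


def validate_dependabot(config):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    if config.get("version") != 2:
        problems.append("version must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        return problems + ["updates must be a non-empty list"]
    for i, upd in enumerate(updates):
        where = f"updates[{i}]"
        for key in REQUIRED_KEYS:
            if key not in upd:
                problems.append(f"{where}: missing required key {key!r}")
        sched = upd.get("schedule")
        if not isinstance(sched, dict):
            continue
        interval = sched.get("interval")
        if interval not in VALID_INTERVALS:
            problems.append(f"{where}: schedule.interval must be daily, weekly or monthly")
        if "day" in sched and interval != "weekly":  # assumption: day is only meaningful weekly
            problems.append(f"{where}: schedule.day only applies to weekly schedules")
        if "time" in sched and not re.fullmatch(r"[0-2]\d:[0-5]\d", str(sched["time"])):
            problems.append(f"{where}: schedule.time must be hh:mm")
        limit = upd.get("open-pull-requests-limit")
        if limit is not None and (not isinstance(limit, int) or limit < 0):
            problems.append(f"{where}: open-pull-requests-limit must be a non-negative integer")
    return problems


# Constructed samples: a valid file with two ecosystems, and one with two defects.
SAMPLE_CONFIG = """\
---
version: 2
updates:
  - package-ecosystem: docker
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    open-pull-requests-limit: 10
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily
      time: "04:00"
    open-pull-requests-limit: 10
"""

BROKEN_CONFIG = """\
version: 2
updates:
  - package-ecosystem: github-actions
    schedule:
      interval: monthly
      day: friday
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, validate_dependabot(parse_dependabot_yaml(text)) or "ok")
```

Running the script reports the sample file as fine and lists two problems for the broken one (no `directory`, and a `day` on a monthly schedule). Because the parser refuses lines whose indentation does not match an enclosing block, a file whose nesting was flattened, the way copy-paste often flattens it, fails at parse time rather than being accepted with the schedule silently attached to the wrong entry.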
These examples are only a small introduction to using Dependabot; many more options and package ecosystems are available. But for most people, this is enough to get started before thinking about a more complex, Semantic Versioning oriented update strategy.