Keeping your project's dependencies updated is crucial for security and efficiency. In this guide, we'll explore how to automate the updating of minor dependencies using GitHub Actions and Husky hooks.
Automating dependency updates ensures that your project stays current with the latest patches and improvements without manual oversight. Using GitHub Actions, we can check for and apply these updates regularly. Additionally, with Husky, we can ensure that any changes in dependency files trigger necessary installations post-merge.
Before setting up the automation, you need to prepare your project with a couple of steps:
Husky is used to manage Git hooks in your project easily. Install it by running:
```sh
npm install --save-dev husky
npx husky init
```
- Open GitHub Repository.
- Go to Settings.
- Go to Actions.
- Go to General.
- Scroll down to Workflow permissions.
- Make sure "Read and write permissions" is checked and click "Save".
The GitHub Action workflow automatically checks for minor updates in the project's dependencies and creates a pull request if updates are available.
- Create the folder `.github/workflows` at the root of your project.
- Create the file `automatic_check_updates.yml` inside the `.github/workflows` folder.
```yaml
# .github/workflows/automatic_check_updates.yml
name: Automatic Check Updates

on:
  schedule:
    # 00:00 UTC on the 1st and 15th of every month
    - cron: '0 0 1,15 * *'
  workflow_dispatch:

# Scope the GITHUB_TOKEN to what this workflow needs
permissions:
  pull-requests: write
  contents: write

jobs:
  update-dependencies:
    runs-on: ubuntu-latest
    # Tags such as @v4 are mutable; pinning each action to a full commit SHA is stricter
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Check for minor updates in dependencies
        id: ncu
        run: |
          # Rewrite package.json with the newest minor versions, then refresh the lockfile
          npx --package npm-check-updates ncu --target minor -u || exit 1
          npm install || exit 2
          git add package.json package-lock.json
          # Any staged change means there is something to put in a pull request
          if [[ $(git status --porcelain | wc -l) -gt 0 ]]; then
            echo "updates_available=yes" >> "$GITHUB_ENV"
          else
            echo "updates_available=no" >> "$GITHUB_ENV"
          fi

      - name: Create Pull Request
        if: env.updates_available == 'yes'
        uses: peter-evans/create-pull-request@v6
        with:
          commit-message: |
            Build(Deps): Update minor dependencies
          title: '[Automated] Update minor dependencies'
          body: 'Automated PR to update minor dependencies'
          token: ${{ secrets.GITHUB_TOKEN }}
          branch: build/minor-dependencies-${{ github.run_number }}
```
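A reviewer-side check for the pull request this workflow opens, as an added example (not code from the original guide): it compares `package.json` before and after the update and reports every change that is not a plain minor or patch bump. The function names and sample manifests are constructed for illustration, and it assumes simple `^`, `~` or exact version ranges.

```javascript
// Added example: audit a dependency-update PR by comparing two package.json objects.
// Assumes simple ranges ("^1.2.3", "~1.2.3", "1.2.3"); all names here are constructed.
const SECTIONS = ['dependencies', 'devDependencies'];
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// [major, minor, patch] for a simple range, or null (git URLs, "*", tags, ...).
function parseVersion(range) {
  const m = /^[~^]?(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  return m ? m.slice(1).map(Number) : null;
}

function classifyBump(oldRange, newRange) {
  if (oldRange === newRange) return 'none';
  const a = parseVersion(oldRange);
  const b = parseVersion(newRange);
  if (!a || !b) return 'unparsed';
  if (b[0] !== a[0]) return b[0] > a[0] ? 'major' : 'downgrade';
  if (b[1] !== a[1]) {
    if (b[1] < a[1]) return 'downgrade';
    // A 0.x minor bump falls outside the old caret range (^0.8.1 excludes 0.9.0).
    return a[0] === 0 ? 'zero-major-minor' : 'minor';
  }
  if (b[2] !== a[2]) return b[2] > a[2] ? 'patch' : 'downgrade';
  return 'range-changed'; // same version, but the range operator differs
}

// Every change a reviewer should inspect before merging the automated PR.
function auditDependencyDiff(oldPkg, newPkg) {
  const findings = [];
  for (const section of SECTIONS) {
    const before = oldPkg[section] || {};
    const after = newPkg[section] || {};
    for (const name of new Set([...Object.keys(before), ...Object.keys(after)])) {
      let kind;
      if (!has(before, name)) kind = 'added';
      else if (!has(after, name)) kind = 'removed';
      else kind = classifyBump(before[name], after[name]);
      if (!['none', 'patch', 'minor'].includes(kind)) findings.push({ section, name, kind });
    }
  }
  return findings;
}

// Constructed sample manifests (package names and versions are made up).
const oldPkg = { dependencies: { 'example-web': '^4.18.2', 'example-util': '^4.17.20' },
                 devDependencies: { 'example-lint': '^0.8.1' } };
const newPkg = { dependencies: { 'example-web': '^4.19.2', 'example-util': '^5.0.0', 'example-new': '^1.3.0' },
                 devDependencies: { 'example-lint': '^0.9.0' } };
console.log(auditDependencyDiff(oldPkg, newPkg));
```

In CI, pass it the parsed `package.json` from the base branch and from the pull request head, and fail the check when the returned list is not empty.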
After merging a pull request (so after a `git pull` too) that updates dependencies, the project should install these new versions automatically.
This Husky hook checks if there are changes in package.json or package-lock.json post-merge and performs an npm install if needed.
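- Check that `npx husky init` successfully created a folder named `.husky` at the root of the project.
- Create a file named `post-merge` (the Git hook that runs after a successful merge) inside the `.husky` folder.

```sh
# .husky/post-merge
# Files that differ between the pre-merge commit (ORIG_HEAD) and the merge result (HEAD)
changed_files="$(git diff-tree -r --name-only --no-commit-id ORIG_HEAD HEAD)"
needs_install=false
# Match package.json / package-lock.json exactly, at the root or in a subdirectory
echo "$changed_files" | grep -qE '(^|/)package(-lock)?\.json$' && needs_install=true
if [ "$needs_install" = true ]; then
  echo "Changes detected in package.json or package-lock.json. Running npm install..."
  npm install
fi
```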