@peplocanto
Created April 16, 2024 10:28
Automating Dependency Updates in GitHub Projects

Keeping your project's dependencies updated is crucial for security and efficiency. In this guide, we'll explore how to automate the updating of minor dependencies using GitHub Actions and Husky hooks.

Automating dependency updates ensures that your project stays current with the latest patches and improvements without manual oversight. Using GitHub Actions, we can check for and apply these updates regularly. Additionally, with Husky, we can ensure that any changes in dependency files trigger necessary installations post-merge.

Prerequisites

Before setting up the automation, you need to prepare your project with a couple of steps:

Install Husky into the Project

Husky is used to manage Git hooks in your project easily. Install it by running:

npm install --save-dev husky
npx husky init

Set Workflow Permissions in GitHub

  1. Open GitHub Repository.
  2. Go to Settings.
  3. Go to Actions.
  4. Go to General.
  5. Scroll down to Workflow permissions.
  6. Make sure "Read and write permissions" is selected and click "Save".

Workflow

The GitHub Action workflow automatically checks for minor updates in the project's dependencies and creates a pull request if updates are available.

Prerequisites

  1. Create the folder .github/workflows at the root of your project.
  2. Create the file automatic_check_updates.yml inside the .github/workflows folder.

The Code

# .github/workflows/automatic_check_updates.yml

name: Automatic Check Updates

on:
  schedule:
    - cron: '0 0 1,15 * *'
  workflow_dispatch:

permissions:
  pull-requests: write
  contents: write

jobs:
  update-dependencies:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Check for minor updates in dependencies
        id: ncu
        run: |
          # Bump minor and patch versions in package.json; stop the job if ncu itself fails
          npx --package npm-check-updates ncu --target minor -u || exit 1
          # Refresh package-lock.json to match (note: this also runs package lifecycle scripts)
          npm install || exit 2
          git add package.json package-lock.json
          # Any staged change means updates were found; record the result for the next step
          if [[ $(git status --porcelain | wc -l) -gt 0 ]]; then
            echo "updates_available=yes" >> "$GITHUB_ENV"
          else
            echo "updates_available=no" >> "$GITHUB_ENV"
          fi
      - name: Create Pull Request
        if: env.updates_available == 'yes'
        uses: peter-evans/create-pull-request@v6
        with:
          commit-message: |
            Build(Deps): Update minor dependencies
          title: '[Automated] Update minor dependencies'
          body: 'Automated PR to update minor dependencies'
          token: ${{ secrets.GITHUB_TOKEN }}
          branch: build/minor-dependencies-${{ github.run_number }}

Hook

After a merge that updates dependencies (a git pull counts as a merge too), the project should install the new versions automatically.

This Husky hook checks if there are changes in package.json or package-lock.json post-merge and performs an npm install if needed.

Prerequisites

  1. Check that npx husky init created a folder named .husky at the root of the project.
  2. Create a file named post-merge inside the .husky folder.

The Code

# Files touched by the merge/pull that just finished (ORIG_HEAD is the pre-merge tip)
changed_files="$(git diff-tree -r --name-only --no-commit-id ORIG_HEAD HEAD)"
needs_install=false

# Dots are escaped so the pattern matches the literal file names
echo "$changed_files" | grep -qE 'package\.json|package-lock\.json' && needs_install=true

if [ "$needs_install" = true ] ; then
  echo "Changes detected in package.json or package-lock.json. Running npm install..."
  npm install
fi
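The hook above decides whether to run npm install from a regex over the changed-file list. As an added example (not part of the gist), the script below wraps that decision in small functions so the logic can be exercised on constructed file lists without a git repository: manifest_changed anchors on the file name, so paths such as docs/mypackage.json or package.json.bak no longer count as a manifest change, while package.json or package-lock.json in any subdirectory still does. The function and sample names are assumptions of this example; the git commands are the same ones the hook uses.

```shell
#!/bin/sh
# Added example: stricter "did the npm manifest change?" test for a post-merge hook.

# manifest_changed LIST
#   LIST is a newline-separated list of paths (what `git diff-tree --name-only` prints).
#   Returns 0 (true) when package.json or package-lock.json changed in any directory,
#   1 otherwise. The (^|/) and $ anchors stop look-alike names from matching.
manifest_changed() {
  printf '%s\n' "$1" | grep -qE '(^|/)package(-lock)?\.json$'
}

# changed_files_since_merge
#   Lists files touched by the merge/pull that just completed. Git sets ORIG_HEAD before a
#   merge or pull; when it is missing (fresh clone, no merge yet) print nothing instead of
#   failing the hook.
changed_files_since_merge() {
  git rev-parse --verify -q ORIG_HEAD >/dev/null 2>&1 || return 0
  git diff-tree -r --name-only --no-commit-id ORIG_HEAD HEAD
}

# install_if_manifest_changed
#   The hook body: run `npm install` only when the manifest changed.
install_if_manifest_changed() {
  if manifest_changed "$(changed_files_since_merge)"; then
    echo "Changes detected in package.json or package-lock.json. Running npm install..."
    npm install
  else
    echo "No manifest changes; skipping npm install."
  fi
}

# report LABEL LIST -> prints "LABEL: install" or "LABEL: skip"
report() {
  if manifest_changed "$2"; then echo "$1: install"; else echo "$1: skip"; fi
}

# Constructed sample file lists (not taken from a real repository).
sample_hit='src/index.js
package-lock.json'
sample_nested='packages/api/package.json'
sample_miss='README.md
docs/mypackage.json
package.json.bak'

report hit "$sample_hit"        # hit: install
report nested "$sample_nested"  # nested: install
report miss "$sample_miss"      # miss: skip
```

To use it as the hook itself, keep the functions and replace the three report lines with a single call to install_if_manifest_changed; the ORIG_HEAD guard means the hook stays quiet on repositories that have never merged.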

Docs
