A fast CLI tool that automatically bumps GitHub Actions in your workflow files to their latest major versions.
Scans every .yml / .yaml file in .github/workflows, queries the GitHub API for the newest tags, and rewrites pinned versions in place.
```sh
bun add -g @jadujoel/bump-github-actions
```

Or run directly without installing:

```sh
bunx @jadujoel/bump-github-actions
```

Run from the root of any repository that contains a .github/workflows directory:

```sh
bump-github-actions
```

```
Found 5 unique action(s) across 3 workflow file(s).
Checking actions/checkout@v3 ... update available: v3 -> v4
Checking actions/setup-node@v4 ... up to date (v4).
Checking softprops/action-gh-release@v1 ... update available: v1 -> v2
Applying 2 update(s)...
Updated .github/workflows/ci.yml
Updated .github/workflows/release.yml
Done.
```

Both short (@v3) and full semver (@v3.1.0) references are detected and replaced.
Unauthenticated requests to the GitHub API are rate-limited to 60 per hour. To raise the limit, set a GITHUB_TOKEN environment variable:

```sh
export GITHUB_TOKEN=ghp_...
bump-github-actions
```

The package exports its core functions for use in scripts and other tools:

```ts
import {
  parseActions,
  getLatestVersion,
  bumpGithubActions,
} from "@jadujoel/bump-github-actions";

// Load a workflow file to parse (the path is an example; Bun.file is the Bun runtime's file API)
const workflowContent = await Bun.file(".github/workflows/ci.yml").text();

// Parse action references from a workflow string
const actions = parseActions(workflowContent);

// Look up the latest version of a specific action
const latest = await getLatestVersion("actions", "checkout");

// Run the full scan-and-bump pipeline
await bumpGithubActions();
```

- Globs all `*.yml` and `*.yaml` files in `.github/workflows`.
- Extracts every `uses: owner/repo@vX` reference via regex.
- Fetches tags from `https://api.github.com/repos/{owner}/{repo}/tags` for each unique action.
- Determines the highest major version, preferring short tags (`v5`) over full semver (`v5.2.1`) when both exist.
- Rewrites workflow files in place, updating only the actions that have a newer major version available.

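
The steps listed above, minus the network call, as an added JavaScript sketch: it is not the package's own code, and `parseUses`, `pickLatest`, `bump`, the regexes and the sample data are hypothetical names and constructed values. It goes slightly beyond the list by ignoring pre-release tags and by showing that a SHA-pinned reference falls outside an `@vX` pattern.

```javascript
// Added illustration, not the package's source; all names are hypothetical.
const USES_RE = /(uses:\s*["']?)([\w.-]+)\/([\w.-]+)((?:\/[\w.\/-]+)?)@(v\d+(?:\.\d+){0,2})(?![\w.-])/g;
const TAG_RE = /^v(\d+)(?:\.(\d+))?(?:\.(\d+))?$/; // plain vN, vN.N or vN.N.N only
const majorOf = (ref) => Number(/^v(\d+)/.exec(ref)[1]);

// Unique owner/repo@vX references found in one workflow string.
function parseUses(yaml) {
  const seen = new Map();
  for (const [, , owner, repo, , ref] of yaml.matchAll(USES_RE)) {
    seen.set(`${owner}/${repo}@${ref}`, { owner, repo, ref });
  }
  return [...seen.values()];
}

// Highest major wins; within it the short tag (v5) beats full semver (v5.2.1).
function pickLatest(tagNames) {
  const tags = tagNames.map((t) => TAG_RE.exec(t)).filter(Boolean).map((m) => ({
    tag: m[0], short: m[2] === undefined,
    v: [m[1], m[2] ?? 0, m[3] ?? 0].map(Number), // numeric, so 2.0.10 > 2.0.4
  }));
  if (tags.length === 0) return null;
  const top = Math.max(...tags.map((t) => t.v[0]));
  const same = tags.filter((t) => t.v[0] === top);
  same.sort((a, b) => b.short - a.short || b.v[1] - a.v[1] || b.v[2] - a.v[2]);
  return same[0].tag;
}

// Rewrites only references whose major is lower than the newest tag's major.
function bump(yaml, tagsByRepo) {
  return yaml.replace(USES_RE, (all, pre, owner, repo, sub, ref) => {
    const latest = pickLatest(tagsByRepo[`${owner}/${repo}`] ?? []);
    if (!latest || majorOf(latest) <= majorOf(ref)) return all;
    return `${pre}${owner}/${repo}${sub}@${latest}`;
  });
}
// Constructed input: three tag references and one SHA pin this regex skips.
const SAMPLE = [
  "  - uses: actions/checkout@v3",
  "  - uses: actions/setup-node@v4.0.2",
  "  - uses: softprops/action-gh-release@v1",
  "  - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # constructed SHA",
].join("\n");
// Constructed tag names standing in for the /tags API responses.
const TAGS = {
  "actions/checkout": ["v4", "v4.1.1", "v3.6.0"],
  "actions/setup-node": ["v4", "v4.0.2"],
  "softprops/action-gh-release": ["v2.0.4", "v2.0.10", "v1"],
};
console.log(bump(SAMPLE, TAGS));
```

Version tags are mutable refs, so a bumped `@v4` resolves to whatever commit that tag points at when the workflow runs; the SHA-pinned line is the form this kind of rewrite leaves alone.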
- Bun runtime
MIT