GitHub Action
Automate dependency upgrades for your GitHub repo: run inup on a schedule and get one rolling pull request with safe upgrades applied. Re-runs update the same PR instead of opening new ones.
Add this workflow to your repo:
# .github/workflows/inup.yml
name: inup
on:
schedule:
- cron: '17 5 * * *' # daily around 05:17 UTC
workflow_dispatch: {}
permissions:
contents: write
pull-requests: write
jobs:
upgrade:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: donfear/inup@v1
with:
target: minor # minor (default) | patch | latest
That’s it. Also enable Settings → Actions → General → Workflow permissions → “Allow GitHub Actions to create and approve pull requests” so the action can open the PR.
Scheduled workflows are not real-time timers: GitHub documents that
scheduleruns can be delayed during busy periods, and the start of each hour is especially busy. Schedule earlier than you need and avoid:00cron minutes.
What the action creates#
When inup finds applicable upgrades, the workflow commits the changed manifest/lockfile and opens or updates one pull request. The PR body contains a summary line, the list of upgrades applied in the PR, and a full table of available updates — including whether a major is available and whether an upgrade fixes a known vulnerability.
Catalog-sourced upgrades (pnpm catalog: deps) are applied to pnpm-workspace.yaml and marked catalog:<name> in the PR body so reviewers know which file the diff touches.
Commit as you, not the bot#
By default the upgrade commit is authored by github-actions[bot]. To attribute it to you, store your name/email as repo secrets and pass committer/author:
- uses: donfear/inup@v1
with:
committer: ${{ secrets.GH_USERNAME }} <${{ secrets.GH_EMAIL }}>
author: ${{ secrets.GH_USERNAME }} <${{ secrets.GH_EMAIL }}>
Inputs#
| Input | Default | Description |
|---|---|---|
target |
minor |
How far to bump: minor (in-range), patch, or latest (includes majors) |
directory |
. |
Directory to run in |
package-manager |
(auto) | Force npm/yarn/pnpm/bun; empty auto-detects from the lockfile |
node-version |
22 |
Node.js version for the run (minimum 22.19) |
inup-version |
latest |
inup version to run (pin for reproducible runs) |
pr-branch |
inup/dependency-upgrades |
Branch for the rolling PR |
pr-title |
chore(deps): dependency upgrades |
PR title |
commit-message |
chore(deps): upgrade dependencies via inup |
Commit message |
base |
(default branch) | Base branch the PR targets |
labels |
dependencies |
Labels to apply to the PR |
token |
${{ github.token }} |
Token to push + open the PR. Pass a PAT to also trigger CI on the PR |
committer |
github-actions[bot] |
Commit committer, as Name <email> |
author |
(triggering user) | Commit author, as Name <email> |
Outputs#
outdated, vulnerable, pull-request-number.
@v1 floats to the latest 1.x release; pin to a specific version or a SHA for reproducible runs. The action honors your .inuprc (ignore, exclude, scanDirs).
Last updated 2026-07-06 · Edit this page on GitHub