2

I have a GitHub repository which hosts GitHub Actions logic shared among other GitHub repositories. The file structure is:

.github
|_ .workflows
  |_ shared-workflow-1
     |_ ...
  |_ shared-workflow-2
     |_ ...
|_ custom-action-1
     |_ action.yaml
|_ custom-action-2
     |_ action.yaml

(Note that the workflows HAD to be declared in .github/workflows because of GitHub constraints, but the custom actions can be declared at repository root level, and can thus simply be called with my-github-logic-repo@custom-action1@main.)

My custom-action-* actions are composite actions, which rely themselves on GitHub actions from the marketplace, which I would like to be automatically updated by Dependabot.

I have enabled Dependabot on the repository with the following .github/dependabot.yml:

version: 2

updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

But the issue is that Dependabot only opens Pull Requests to update actions inside the workflows, and it completely ignores the actions inside my own custom composite actions.

Is there a way to make Dependabot look at my custom actions when checking for updates, or is it plain not supported at the moment?

cmousset

1 Answer

2

According to this Dependabot issue, composite actions are supported, but you need to point Dependabot to each subdirectory in the configuration:

  - package-ecosystem: github-actions
    directory: /  # Still required to update workflows
    schedule:
      interval: weekly

  - package-ecosystem: github-actions
    directory: /custom-action-1
    schedule:
      interval: weekly

  - package-ecosystem: github-actions
    directory: /custom-action-2
    schedule:
      interval: weekly

Benjamin W.
  • This is cumbersome but it works well, thank you. I'll be watching for https://github.com/dependabot/dependabot-core/issues/5137 to be implemented for future simplification of the Dependabot.yaml file. – cmousset Jan 04 '23 at 09:03
  • @cmousset Yeah, looks like wildcards are maybe coming at some point, which would be nice. As an aside, maintaining a repository with multiple actions and reusable workflows myself, I've come around to thinking it's preferable to have each action in a separate repository: simplifies versioning and releasing a lot, and doesn't have this problem here either. – Benjamin W. Jan 04 '23 at 15:35
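
An added example, not part of the original answer or of Dependabot itself: a Python script that walks the repository, finds every directory containing an `action.yml` or `action.yaml`, and prints a `dependabot.yml` with one `github-actions` entry per directory, so that no composite action is left out of updates. The function names and the skip list are assumptions made for this example.

```python
"""Generate dependabot.yml entries for every composite action directory."""
import os
import sys

ACTION_FILES = ("action.yml", "action.yaml")
SKIP_DIRS = {".git", "node_modules"}  # assumption: never hold first-party actions


def find_action_dirs(repo_root):
    """Return repo-relative directories (as '/path') holding an action metadata file."""
    found = []
    for current, dirs, files in os.walk(repo_root):
        # Prune skipped directories in place so os.walk does not descend into them.
        dirs[:] = sorted(d for d in dirs if d not in SKIP_DIRS)
        if any(name in files for name in ACTION_FILES):
            rel = os.path.relpath(current, repo_root)
            if rel != ".":  # the root entry "/" is always emitted separately
                found.append("/" + rel.replace(os.sep, "/"))
    return sorted(found)


def render_dependabot(repo_root, interval="weekly"):
    """Build dependabot.yml text: "/" for workflows, plus one entry per action dir."""
    lines = ["version: 2", "", "updates:"]
    for directory in ["/"] + find_action_dirs(repo_root):
        lines += [
            "  - package-ecosystem: github-actions",
            f'    directory: "{directory}"',
            "    schedule:",
            f"      interval: {interval}",
            "",
        ]
    return "\n".join(lines).rstrip("\n") + "\n"


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    sys.stdout.write(render_dependabot(root))
```

Run it from the repository root and redirect the output to `.github/dependabot.yml`; re-running it in CI and diffing against the committed file flags a newly added action that is not yet covered.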