A GitHub Action to do crate maintenance
A simple GitHub Action that performs regular crate maintenance, which means it runs a cargo update, applies auto-fixable cargo clippy lints, followed by a cargo fmt.
You can start by copy-pasting this snippet to a .github/workflows/crate-maintenance.yml, making sure that you pin this action repository.
name: Crate maintenance
on:
  schedule:
    - cron: "14 3 * * 5" # every friday at 03:14
  # workflow_dispatch: # optionally, if desired
jobs:
  rust-maintain:
    runs-on: ubuntu-latest
    permissions: # see below for permissions / security
      contents: write
      pull-requests: write
    steps:
      # you should use a *pinned commit*:
      - uses: Swatinem/rust-maintain@d30335b4b3c4c7a19c42ca2e25e3d73500f22098
After running, the action will open a pull request with crate updates and clippy auto-fixes, like this one.
As you can see in the example above, this action requires elevated permissions in order to push code changes, and to open / update pull requests.
Apart from granting those permissions in a workflow file, you also have to grant extra permission for this action to be able to open / update pull requests.
You can find these in the GitHub Settings UI under Settings > Actions > General, as seen here:
Similar to other dependencies, you should follow best practices when it comes to software supply chain security. This means that you should not blindly trust me. I encourage you to review the code of this action thoroughly, and to pin an exact commit when using it.
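The two things the paragraph above asks you to verify, that every action reference is pinned to a full commit SHA and that the workflow grants only the write scopes it needs, can be checked mechanically. The following script is an added example, not part of this action or of GitHub's tooling; it walks a workflow file line by line (a deliberately small parser, not a full YAML implementation) and reports unpinned `uses:` references and every scope granted `write`. The embedded workflow text is constructed for the example and includes one unpinned step so the check has something to flag.

```python
"""Audit a GitHub Actions workflow for unpinned `uses:` references and
for the scopes it grants write access to (added example, not project code)."""
import re

# Constructed sample workflow, modelled on the snippet above, with one
# deliberately tag-pinned step (actions/checkout@v4) so the check fires.
SAMPLE_WORKFLOW = """\
name: Crate maintenance
on:
  schedule:
    - cron: "14 3 * * 5"
jobs:
  rust-maintain:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: Swatinem/rust-maintain@d30335b4b3c4c7a19c42ca2e25e3d73500f22098
      - uses: actions/checkout@v4
"""

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def unpinned_actions(workflow_text):
    """Return (line_no, reference) for every `uses:` whose ref after '@'
    is not a full 40-hex commit SHA. Tags and branches are mutable, so a
    compromised upstream repository could change what they point at."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container actions carry no @ref to pin
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((no, ref))
    return findings


def write_permissions(workflow_text):
    """Return the scopes granted `write` under any `permissions:` block,
    or 'write-all' when the shorthand is used. Compare the result with
    the scopes the action actually needs (here: contents, pull-requests)."""
    scopes = []
    block_indent = None  # indentation of the `permissions:` key we are inside
    for line in workflow_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if block_indent is not None:
            if stripped and indent <= block_indent:
                block_indent = None  # left the permissions block
            else:
                key, _, val = stripped.partition(":")
                if val.split("#")[0].strip() == "write":
                    scopes.append(key.strip())
                continue
        if stripped.startswith("permissions:"):
            rest = stripped[len("permissions:"):].split("#")[0].strip()
            if rest == "write-all":
                scopes.append("write-all")
            else:
                block_indent = indent
    return scopes


if __name__ == "__main__":
    for no, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {no}: {ref} is not pinned to a commit SHA")
    print("write scopes:", write_permissions(SAMPLE_WORKFLOW))
```

Run against the constructed sample, the script flags `actions/checkout@v4` on line 13 and lists `contents` and `pull-requests` as the write scopes, which is exactly the set this action needs; anything beyond that, or a `write-all`, is worth questioning before the workflow is merged.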
As the primary use-case of this action is to run cargo update, the same also applies to pull-requests opened by this action: you should not blindly trust the dependency updates in the Cargo.lock, but review the changes before merging any pull-request.
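Reviewing a Cargo.lock diff by eye is tedious because the file is long and the interesting changes (a new crate appearing, a crate whose source moved off crates.io, an entry that lost its checksum) are buried among routine version bumps. The following script is an added example, not part of this action; it parses the `[[package]]` entries of two lockfiles with a minimal hand-written TOML reader (keyed by crate name, so a lockfile carrying two versions of one crate would need keying by name and version instead) and summarises what a maintenance PR changed. Both lockfile texts are constructed for the example, including a fictitious git source and the checksums.

```python
"""Summarise what changed between two Cargo.lock files, highlighting the
changes a reviewer should look at first (added example, not project code)."""
import re

REGISTRY = "registry+https://github.com/rust-lang/crates.io-index"

# Constructed "before" lockfile.
OLD_LOCK = f"""\
version = 3

[[package]]
name = "serde"
version = "1.0.200"
source = "{REGISTRY}"
checksum = "aaaa"

[[package]]
name = "libc"
version = "0.2.150"
source = "{REGISTRY}"
checksum = "bbbb"
"""

# Constructed "after" lockfile: serde bumped, rand added, and libc moved
# to a (fictitious) git source with no checksum, which a reviewer must notice.
NEW_LOCK = f"""\
version = 3

[[package]]
name = "libc"
version = "0.2.150"
source = "git+https://example.invalid/libc.git"

[[package]]
name = "rand"
version = "0.8.5"
source = "{REGISTRY}"
checksum = "cccc"

[[package]]
name = "serde"
version = "1.0.210"
source = "{REGISTRY}"
checksum = "dddd"
"""

KV_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"')


def parse_lock(text):
    """Map crate name -> {name, version, source, checksum} for each [[package]]."""
    packages, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            current = {}
            continue
        if line.startswith("["):
            current = None  # some other table, e.g. [metadata]
            continue
        if current is None:
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
            if m.group(1) == "name":
                packages[current["name"]] = current
    return packages


def diff_locks(old_text, new_text):
    """Classify changes into added, removed, updated, source_changed and
    missing_checksum so the review can start with the risky ones."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    report = {"added": [], "removed": [], "updated": [],
              "source_changed": [], "missing_checksum": []}
    for name in sorted(set(old) | set(new)):
        o, n = old.get(name), new.get(name)
        if o is None:
            report["added"].append((name, n["version"]))
        elif n is None:
            report["removed"].append((name, o["version"]))
        else:
            if o["version"] != n["version"]:
                report["updated"].append((name, o["version"], n["version"]))
            if o.get("source") != n.get("source"):
                report["source_changed"].append((name, o.get("source"), n.get("source")))
        # A registry-style entry without a checksum cannot be verified by cargo.
        if n is not None and "checksum" not in n:
            report["missing_checksum"].append(name)
    return report


if __name__ == "__main__":
    for kind, entries in diff_locks(OLD_LOCK, NEW_LOCK).items():
        print(f"{kind}: {entries}")
```

On the constructed input the summary shows the routine serde bump, the new rand crate, and, more importantly, that libc now resolves from a git URL without a checksum. A plain version bump on crates.io is what a cargo update PR should contain; a source or checksum change is a prompt to stop and investigate rather than merge.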
cargo clippy portion currently runs with the default features, it might thus

Isn’t this the same as dependabot or renovate?
The cargo update portion might be similar, but this action also applies clippy auto-fixes.
Apart from this, I am not a fan of dependabot myself, as it is often overly spammy and opens an unreasonable number of PRs. renovate can be configured to batch multiple updates, but configuring it properly is quite some effort.
In general I would still recommend using either tool to automatically open PRs for major version updates, or regularly reviewing dependencies.
This action is heavily based on the Rust compiler's own dependency update workflow. The primary credit thus goes to its original author, @pitaj.