Updates the dependencies of a Python project and raises pull requests in the repository containing the required changes/updates. Works for projects using UV, Poetry, PDM project tooling, or those described using a "Pipfile".
Compatible with modern Python projects described by: pyproject.toml
```yaml
steps:
  - name: Update Python dependencies
    uses: lfreleng-actions/python-dependencies-update-action@main
    with:
      token: ${{ secrets.GITHUB_TOKEN }}
```

| Variable Name | Required | Description |
|---|---|---|
| token | True | GitHub token with the required permissions |
| path_prefix | False | Directory location containing project code |
| update_method | False | Tool/method used to update dependencies |
| message | False | Commit message and pull request title |
| sign-off-commit | False | Whether commit message contains signed-off-by |
| sign-commits | False | Sign commits as github-actions[bot] |
| exit_on_fail | False | Exit with error if no Python project code found |
| no_checkout | False | Don't perform a checkout of the local repository |
| labels | False | Labels to apply to the pull request (one per line) |

| Variable Name | Default |
|---|---|
| path_prefix | '.' |
| update_method | 'auto' |
| message | 'Chore: Update Python dependencies' |
| sign-off-commit | true |
| sign-commits | true |
| labels | '' |

The token passed as input requires:

- id-token: write
- pull-requests: write
- repository-projects: write
- contents: write

Note: If you use the labels input to apply labels to pull requests,
ensure the labels already exist in your repository. The action does not create
new labels and will fail if trying to apply non-existent labels without the
necessary permissions.

| Value | Description |
|---|---|
| auto | Auto-detect and run all available tools (default) |
| uv | Use UV package manager (requires uv.lock) |
| poetry | Use Poetry (requires poetry.lock or tool.poetry) |
| pdm | Use PDM (requires pdm.lock or tool.pdm) |
| pip | Use Pipenv (requires Pipfile) |

The action supports Python dependency management tools:

- UV: Modern, fast Python package installer and resolver
  - Triggered by: `uv.lock` file exists
  - Command: `uv lock --upgrade`
- Poetry: Popular Python dependency management tool
  - Triggered by: `poetry.lock` file exists OR `tool.poetry` in pyproject.toml
  - Command: `poetry update`
- PDM: Modern Python package manager supporting PEP 582
  - Triggered by: `pdm.lock` file exists OR `tool.pdm` in pyproject.toml
  - Command: `pdm update`
- Pipenv: Traditional Python package manager using Pipfile
  - Triggered by: `Pipfile` exists
  - Command: `pipenv lock`

When `update_method: auto` (default), all detected tools run in priority
order. When you specify a tool, that tool executes.
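A preflight check, added here as an illustration and not the action's own code, that applies the documented trigger rules to a checkout and reports which commands a given `update_method` would select, so a reviewer knows which lockfiles the resulting pull request should touch. The function names, and reading the listing order as the priority order, are assumptions.

```python
import re
import tempfile
from pathlib import Path

try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreter: scan [tool.*] headers instead
    tomllib = None

# (tool, trigger file, pyproject [tool.*] table, command) as documented above.
# Listing order is used as the "priority order" (an assumption).
RULES = [
    ("uv", "uv.lock", None, "uv lock --upgrade"),
    ("poetry", "poetry.lock", "poetry", "poetry update"),
    ("pdm", "pdm.lock", "pdm", "pdm update"),
    ("pip", "Pipfile", None, "pipenv lock"),
]


def tool_tables(project):
    """Return the names of the [tool.*] tables declared in pyproject.toml."""
    pyproject = Path(project) / "pyproject.toml"
    if not pyproject.is_file():
        return set()
    text = pyproject.read_text(encoding="utf-8")
    if tomllib is not None:
        return set(tomllib.loads(text).get("tool", {}))
    return set(re.findall(r"^\s*\[tool\.([A-Za-z0-9_-]+)", text, re.MULTILINE))


def planned_commands(project, update_method="auto"):
    """List the (tool, command) pairs the documented rules select."""
    project = Path(project)
    tables = tool_tables(project)
    plan = []
    for tool, marker, table, command in RULES:
        detected = (project / marker).is_file() or (table in tables)
        if detected and update_method in ("auto", tool):
            plan.append((tool, command))
    return plan


def demo():
    """Plan a constructed project: a [tool.poetry] table plus a Pipfile."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pyproject.toml").write_text('[tool.poetry]\nname = "demo"\n')
        (root / "Pipfile").write_text("[packages]\n")
        return planned_commands(root), planned_commands(root, "pip")
```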
The action consolidates all dependency updates into a single pull request using:
peter-evans/create-pull-request

The labels input allows you to apply labels to the generated pull request.
Provide one label per line, as demonstrated in the example below:

```yaml
steps:
  - name: Update Python dependencies
    uses: lfreleng-actions/python-dependencies-update-action@main
    with:
      token: ${{ secrets.GITHUB_TOKEN }}
      labels: |
        automated
        dependencies
        python
```

If you don't specify any labels, the pull request will have no labels. This avoids failures that can occur trying to apply non-existent labels, and provides for usage in repositories where you may not have the permissions required to add them.