GitHub Action

Automate Updatecli with GitHub Action

Description

Updatecli is most effective when executed regularly and automatically, so let's see how to use Updatecli in a GitHub Action.

Credentials

Updatecli requires a token to interact with the GitHub API. The token can be provided in several ways.

GITHUB_TOKEN

The easiest one is the GITHUB_TOKEN, which comes with two major limitations:

  1. For security reasons, GitHub prevents GitHub Action workflows from being triggered by a pull request created with a GITHUB_TOKEN, more information here. This means that a pull request created this way won't trigger any tests.

  2. GITHUB_TOKEN has the lowest API request limit, 1000 requests per hour, as explained here.

Important
By default, the GITHUB_TOKEN is not allowed to open pull requests. You first need to configure the default GITHUB_TOKEN permission for your repository. More information here.

Personal Access Token

The second approach is to configure a GitHub Action secret with a personal access token, which allows 5000 requests per hour (src).

GitHub App

The third approach is to use a GitHub App, which provides the highest API limit, 15000 requests per hour (here).

Conclusion

The third option is the best one, but it is not yet supported natively by Updatecli. An issue is open at issue#2262. A workaround is available by using the GitHub Action actions/create-github-app-token.

Migration

From v1 to v2

The Updatecli action v1 was a "GitHub Action" of type Docker. While it was easier to start with, that type of GitHub Action runs in a Docker container, and so in a fully isolated environment. Updatecli uses many other tools, so switching to a JavaScript GitHub Action allows installing Updatecli directly on the GitHub Action runner next to those other tools. The goal of this GitHub Action has therefore evolved from running Updatecli to installing Updatecli.

Parameter

Version

version: specifies the Updatecli version to install. Accepted values are any valid release, such as v0.25.0. The default value corresponds to the latest Updatecli version.

Required: false

Example

The current example uses the repository jenkins-infra/jenkins-infra.

Once you have your update strategy configuration in the directory ./updatecli/updatecli.d, you need the following files in order to run Updatecli from a GitHub Action.

./updatecli/values.yaml

---
github:
  user: "GitHub Actions Bot"
  email: "bots@udpatecli.io"
  username: "github-actions"
  token: "UPDATECLI_GITHUB_TOKEN"

./.github/workflows/updatecli.yaml

---
name: Updatecli

on:
  # Trigger Updatecli if a new commit lands on the main branch
  push:
    branches: [main]
  # Trigger Updatecli if a pull request is opened targeting the main branch.
  # This is useful to test Updatecli manifest changes
  pull_request:
    branches: [main]
  # Manually trigger Updatecli via GitHub UI
  workflow_dispatch:
  # Trigger Updatecli once a day by a cronjob
  schedule:
    # * is a special character in YAML so you have to quote this string
    # Run once a day
    - cron: '0 0 * * *'

permissions:
  contents: "write"
  pull-requests: "write"

jobs:
  updatecli:
    runs-on: "ubuntu-latest"
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Install Updatecli in the runner
        uses: updatecli/updatecli-action@v2

      - name: Run Updatecli in Dry Run mode
        run: "updatecli diff --config ./updatecli/updatecli.d --values updatecli/values.yaml"
        env:
          UPDATECLI_GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Run Updatecli in apply mode
        run: "updatecli apply --config ./updatecli/updatecli.d --values updatecli/values.yaml"
        env:
          UPDATECLI_GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

Important
Environment variables starting with GITHUB_ are reserved by GitHub Actions.
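
The GitHub App workaround named in the Conclusion, applied to the workflow above, as an added example that is not part of the Updatecli documentation. The variable UPDATECLI_APP_ID and the secret UPDATECLI_APP_PRIVATE_KEY are assumed names, and limiting the App token and the apply step to non-pull-request events, with a read-only GITHUB_TOKEN for the dry run, is a choice of this example:

```yaml
---
name: Updatecli

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * *'

# The App token carries the write access, so GITHUB_TOKEN is kept read-only (assumption: the dry run only reads).
permissions:
  contents: "read"
  pull-requests: "read"

jobs:
  updatecli:
    runs-on: "ubuntu-latest"
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Install Updatecli in the runner
        uses: updatecli/updatecli-action@v2

      # Every trigger, pull requests included, gets a dry run with the read-only GITHUB_TOKEN.
      - name: Run Updatecli in Dry Run mode
        run: "updatecli diff --config ./updatecli/updatecli.d --values updatecli/values.yaml"
        env:
          UPDATECLI_GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      # Mint a short-lived installation token for the GitHub App.
      # UPDATECLI_APP_ID and UPDATECLI_APP_PRIVATE_KEY are assumed names, not Updatecli settings.
      - name: Generate GitHub App token
        id: app-token
        if: github.event_name != 'pull_request'
        uses: actions/create-github-app-token@v1
        with:
          app-id: "${{ vars.UPDATECLI_APP_ID }}"
          private-key: "${{ secrets.UPDATECLI_APP_PRIVATE_KEY }}"

      - name: Run Updatecli in apply mode
        if: github.event_name != 'pull_request'
        run: "updatecli apply --config ./updatecli/updatecli.d --values updatecli/values.yaml"
        env:
          UPDATECLI_GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
```

Skipping the token step on pull requests also keeps the App private key out of runs started from forks, which do not receive repository secrets.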