Keeping .nvmrc up-to-date with GitHub Actions

Published on April 09, 2025 - Estimated reading time is 5 minutes
GitHub Actions Node.js

Keeping your .nvmrc file up-to-date ensures your project always uses the latest Node.js version. While Dependabot is a fantastic tool for managing dependencies, it doesn't handle .nvmrc files. A GitHub Action can fill that gap.

Keeping your .nvmrc file updated is not just about staying current; it’s about ensuring your development environment is consistent and reliable. By leveraging GitHub Actions, you can automate this process, reducing the risk of errors and saving valuable time. This guide will walk you through setting up a workflow to handle .nvmrc updates seamlessly.

Setting up the workflow

Create a GitHub Actions workflow file (e.g., .github/workflows/update-nvm-rc.yaml) with the following steps:

  1. Get the current Node.js version: Read the version from the .nvmrc file.
  2. Fetch the latest Node.js version: Use the official Node.js release sources to retrieve the latest LTS version.
  3. Update .nvmrc: If a new version is available, update the file with the latest version.
  4. Create a pull request: Automatically generate a pull request with the updated .nvmrc file, including details about the version change.

Example workflow

name: Update Node.js

on:
  schedule:
    - cron: "0 11 * * *"
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions: {}

jobs:
  update:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout the repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Get current Node.js version
        id: current_version
        run: echo "version=$(cat .nvmrc)" >> "$GITHUB_OUTPUT"

      - name: Set version in .nvmrc
        id: latest_version
        run: |
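          # Fail the step on a download or HTTP error instead of writing an empty value to .nvmrc
          set -euo pipefail
          version=$(curl -fsS https://nodejs.org/download/release/index.json | jq -r '[.[] | select(.lts != false)][0].version')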
          echo "${version}" > .nvmrc
          echo "version=$(cat .nvmrc)" >> "$GITHUB_OUTPUT"

      - name: Create pull request
        if: steps.current_version.outputs.version != steps.latest_version.outputs.version
        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          title: "Bump Node.js from ${{ steps.current_version.outputs.version }} to ${{ steps.latest_version.outputs.version }}"
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: "Bump Node.js from ${{ steps.current_version.outputs.version }} to ${{ steps.latest_version.outputs.version }}"
          author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
          sign-commits: true
          branch: update-nodejs
          add-paths: .nvmrc
          body: |
            This PR updates the Node.js version in `.nvmrc` from `${{ steps.current_version.outputs.version }}` to `${{ steps.latest_version.outputs.version }}`.
            - https://github.com/nodejs/node/releases/tag/${{ steps.latest_version.outputs.version }}
            - https://github.com/nodejs/node/compare/${{ steps.current_version.outputs.version }}...${{ steps.latest_version.outputs.version }}

The example workflow uses two triggers under its on key:

  1. schedule: This triggers the workflow at a specific time interval, defined using a cron expression. In this case, it runs daily at 11:00 UTC.
  2. workflow_dispatch: This allows the workflow to be triggered manually via the GitHub Actions interface, providing flexibility for on-demand updates.

Elevated permissions

The workflow requires specific permissions to function correctly. The top-level permissions: {} removes every default permission from the workflow token, so each job starts with none. The contents: write permission allows the workflow to push changes to the repository, such as updating the .nvmrc file. The pull-requests: write permission is necessary to create and manage pull requests for these updates. Both are granted only to the update job to ensure minimal access.

Using SHA1 hashes for actions

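Pinning an action to a SHA1 commit hash instead of a branch or tag ensures your workflow uses a fixed, immutable version of the action. This guarantees stability by avoiding unexpected changes and enhances security against supply chain attacks in which a tag or branch is repointed at different code. The trailing comment (for example # v4.2.2) records which release the hash corresponds to. Always verify the SHA1 hash from a trusted source.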
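One way to check that every action in a workflow is pinned as described above, as an added example that is not part of the original post: it reads workflow YAML and lists each uses: reference whose ref is not a full 40-character commit hash. The function names and the sample workflow are constructed for this example; only the checkout line comes from the workflow above.

```sh
#!/bin/sh
# Added example: report `uses:` references not pinned to a full commit SHA.

# unpinned_actions: reads workflow YAML on stdin and prints every action
# reference whose ref is not a 40-character lowercase hex commit hash.
unpinned_actions() {
  tr -d "\"'" |
  sed -n -E 's/^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*([^[:space:]#]+).*$/\2/p' |
  while IFS= read -r ref; do
    case "$ref" in
      ./*|docker://*) continue ;;   # local actions and container images: out of scope here
    esac
    sha=${ref##*@}
    # No "@" at all, a tag, a branch or an abbreviated hash all count as unpinned.
    if [ "$sha" = "$ref" ] || ! printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
      printf '%s\n' "$ref"
    fi
  done
}

# Constructed sample workflow; only the checkout line is taken from the post.
sample_workflow() {
  cat <<'EOF'
jobs:
  update:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@v4
      - name: Local composite action
        uses: ./.github/actions/example
      - uses: "example-org/example-action@main"
      - uses: example-org/example-action@11bd719
EOF
}

sample_workflow | unpinned_actions
```

To scan a real file, pipe it in, for instance `unpinned_actions < .github/workflows/update-nvm-rc.yaml`; empty output means every referenced action is pinned.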

Need latest Node.js version instead of LTS?

If you prefer to use the latest Node.js release instead of the LTS version, modify the workflow step that fetches the version. Replace the jq filter [.[] | select(.lts != false)][0].version with .[0].version to always get the latest release.
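Whichever filter is used, the "Set version in .nvmrc" step writes the fetched value straight into the file and the pull request. The following guard is an added example, not part of the original workflow: it accepts only a well-formed vMAJOR.MINOR.PATCH string and refuses downgrades. The function names and sample versions are assumptions made for this example.

```sh
#!/bin/sh
# Added example: decide whether a fetched version string may replace .nvmrc.

# is_node_version VALUE: succeeds only for vMAJOR.MINOR.PATCH.
is_node_version() {
  case "$1" in
    ''|*[!v0-9.]*) return 1 ;;   # empty, "null", whitespace, newlines, markup
  esac
  printf '%s\n' "$1" |
    grep -Eq '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$'
}

# compare_versions A B: prints lt, eq or gt. Both arguments must already
# have passed is_node_version.
compare_versions() {
  a=${1#v}; b=${2#v}
  old_ifs=$IFS; IFS=.
  set -- $a $b                   # six numeric fields: A's three, then B's
  IFS=$old_ifs
  for pair in "$1 $4" "$2 $5" "$3 $6"; do
    set -- $pair
    if [ "$1" -gt "$2" ]; then echo gt; return; fi
    if [ "$1" -lt "$2" ]; then echo lt; return; fi
  done
  echo eq
}

# decide_bump CURRENT CANDIDATE: prints bump, noop or reject:<reason>.
decide_bump() {
  is_node_version "$2" || { echo "reject:malformed"; return 1; }
  # Assumption: a .nvmrc holding an alias or partial version (e.g. "lts/*")
  # is replaced by any well-formed candidate.
  is_node_version "$1" || { echo "bump"; return 0; }
  case $(compare_versions "$2" "$1") in
    gt) echo "bump" ;;
    eq) echo "noop" ;;
    *)  echo "reject:downgrade"; return 1 ;;
  esac
}

# Constructed sample values, not output from a real run.
decide_bump v22.9.0 v22.10.0          # bump (numeric, not lexical, comparison)
decide_bump v22.14.0 null || true     # reject:malformed
```

In the workflow, the step would call decide_bump with the contents of .nvmrc and the fetched value, and write the file only when the result is bump.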

Why use a GitHub Action for your .nvmrc updates?

Imagine this: You’re working on a critical project, and suddenly, a teammate encounters an issue because they’re using an outdated Node.js version. Time is wasted troubleshooting, and the team’s momentum is disrupted. Now, picture a different scenario: Your .nvmrc file is always up-to-date with the latest stable Node.js version, thanks to a GitHub Action. No more manual updates, no more inconsistencies, and no more wasted time.

With this GitHub Action, you can:

This GitHub Action is your silent teammate, working in the background to keep your project running smoothly. Say goodbye to version mismatches and hello to a more efficient development process.

Additional resources