# Comparison: actup vs Dependabot vs Renovate
This is a factual scope comparison, not a benchmark. It reflects what actup ships today (verified against source) and the well-known behavior of Dependabot and Renovate for GitHub Actions.
## At a glance

| Capability | actup | Dependabot (Actions) | Renovate (Actions) |
|---|---|---|---|
| Scans `uses:` in workflows | Yes | Yes | Yes |
| Scans composite `action.yml` | Yes | Yes | Yes |
| Opens pull requests | No | Yes | Yes |
| Runs as a hosted/scheduled bot | No (you run it; CI optional) | Yes (GitHub-hosted) | Yes (app or self-hosted) |
| SHA-pin actions | Yes (`pin`) | No (tag updates) | Yes (`pinDigests`) |
| Reverse a SHA pin (unpin) | Yes (via `# tag` comment) | No | No (one-way digest pinning) |
| Multi-provider (GitLab/Gitea hosts) | Yes (GitHub/GitLab/Gitea) | GitHub only | GitHub-centric for Actions |
| Offline / cached resolution | Yes (`--offline`, SQLite cache) | No | No |
| SARIF / code-scanning output | Yes (`--format sarif`) | No | No |
| `::warning` annotations | Yes (`--github-annotations`) | No | No |
| Non-Actions ecosystems (npm, pip…) | No | Yes | Yes |
| Config policy (track/pin/bump) | Yes (zod-validated file) | Limited (update strategy) | Extensive (presets, rules) |
| Editor / LSP integration | Planned (not shipped) | No | No |
## What actup does that they do not

- **Multi-host in one pass.** `actup` resolves refs against GitHub / GitHub Enterprise, GitLab and Gitea/Forgejo/Codeberg, auto-detecting the host (or via an explicit `hosts.<host>.kind` config). Dependabot's Actions updater is GitHub-only.
- **Reversible SHA pinning.** `pin` writes `repo@<sha> # <tag>`; `pin --unpin` reads that comment back and restores the tag. Digest pinning in Renovate is effectively one-way.
- **Offline, cache-backed runs.** A TTL `bun:sqlite` cache lets `--offline` resolve entirely from previously fetched data, which is useful in air-gapped or rate-limited CI.
- **First-class machine output for security tooling.** Native SARIF 2.1.0 and GitHub annotation emission, plus a strict exit-code contract (`0/1/2/3`) designed for gating.
- **Formatting-preserving edits.** Rewrites are byte-span surgical with atomic temp-file + rename; unrelated lines, quoting and comments are untouched. The tools above regenerate/patch via their own writers.
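To make the reversible-pin format and the span-based editing concrete, here is an added example in TypeScript that is not actup's own code: it parses `uses:` lines, pins them to a SHA via a resolver, unpins them from the `# <tag>` comment, and emits a minimal SARIF 2.1.0 report for refs that remain unpinned. The `USES_RE` pattern, the `fakeResolve` lookup table, the sample workflow, the all-same-digit SHAs and the tool name `actup-example` are all constructed for the demo; real resolution would come from the host API or the cache.

```typescript
// Added example (not actup's code): reversible `owner/repo@<sha> # <tag>` pins
// applied as span edits over workflow text, plus a SARIF 2.1.0 report of refs
// that are still unpinned. Resolver, sample workflow and SHAs are constructed.

/** One `uses:` reference found in workflow text. Offsets index into the text. */
export interface UsesRef {
  line: number;        // 1-based line number, used for SARIF locations
  start: number;       // offset where `owner/repo@ref` begins
  refEnd: number;      // offset just past `owner/repo@ref`
  end: number;         // offset just past any trailing `# <word>` comment
  repo: string;        // owner/repo or owner/repo/path
  ref: string;         // tag, branch, or 40-hex commit SHA
  tagComment?: string; // first word after `#`, e.g. the tag recorded by a pin
}

interface Edit { start: number; end: number; repl: string }

const SHA_RE = /^[0-9a-f]{40}$/i;
// `uses: owner/repo@ref` with an optional `# word` comment (hypothetical pattern).
// Local (`./x`) and `docker://` refs never match: they have no `owner/repo@ref` form.
const USES_RE = /^(\s*-?\s*uses:\s*)([A-Za-z0-9_.-]+\/[A-Za-z0-9_./-]+)@([^\s#]+)([ \t]*#[ \t]*(\S+))?/;

export function isSha(ref: string): boolean {
  return SHA_RE.test(ref);
}

/** Scan every line for `uses:` refs and record their spans. */
export function parseUses(text: string): UsesRef[] {
  const refs: UsesRef[] = [];
  let offset = 0;
  text.split("\n").forEach((lineText, i) => {
    const m = USES_RE.exec(lineText);
    if (m) {
      const start = offset + m[1].length;
      const refEnd = start + m[2].length + 1 + m[3].length; // +1 for "@"
      refs.push({ line: i + 1, start, refEnd, end: offset + m[0].length,
                  repo: m[2], ref: m[3], tagComment: m[5] });
    }
    offset += lineText.length + 1; // account for the "\n" removed by split()
  });
  return refs;
}

/** Apply span replacements from last to first so earlier offsets stay valid. */
function splice(text: string, edits: Edit[]): string {
  let out = text;
  for (const e of [...edits].sort((a, b) => b.start - a.start)) {
    out = out.slice(0, e.start) + e.repl + out.slice(e.end);
  }
  return out;
}

/** Pin: `repo@tag` -> `repo@<sha> # tag`. Only the ref span changes; a
 *  pre-existing trailing comment is left in place after the tag comment. */
export function pin(text: string, resolve: (repo: string, tag: string) => string | undefined): string {
  const edits: Edit[] = [];
  for (const r of parseUses(text)) {
    if (isSha(r.ref)) continue;            // already pinned
    const sha = resolve(r.repo, r.ref);
    if (!sha) continue;                    // unresolvable: leave untouched
    edits.push({ start: r.start, end: r.refEnd, repl: `${r.repo}@${sha} # ${r.ref}` });
  }
  return splice(text, edits);
}

/** Unpin: restore `repo@tag` from the `# tag` comment. A SHA pin without a
 *  tag comment has nothing to restore and stays pinned. */
export function unpin(text: string): string {
  const edits: Edit[] = [];
  for (const r of parseUses(text)) {
    if (!isSha(r.ref) || !r.tagComment) continue;
    edits.push({ start: r.start, end: r.end, repl: `${r.repo}@${r.tagComment}` });
  }
  return splice(text, edits);
}

/** Minimal SARIF 2.1.0 document flagging refs that are not SHA-pinned. */
export function unpinnedToSarif(text: string, uri: string) {
  const results = parseUses(text).filter((r) => !isSha(r.ref)).map((r) => ({
    ruleId: "unpinned-action",
    level: "warning",
    message: { text: `${r.repo}@${r.ref} is not pinned to a commit SHA` },
    locations: [{ physicalLocation: { artifactLocation: { uri },
                                      region: { startLine: r.line } } }],
  }));
  return {
    version: "2.1.0",
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    runs: [{ tool: { driver: { name: "actup-example", rules: [{ id: "unpinned-action",
             shortDescription: { text: "GitHub Action not pinned to a commit SHA" } }] } },
             results }],
  };
}

// Constructed sample input: one plain ref, one ref with an unrelated comment,
// one local action (never pinned) and one non-uses step.
export const SAMPLE_WORKFLOW = [
  "name: ci",
  "jobs:",
  "  build:",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: actions/setup-node@v4 # keep in sync with .nvmrc",
  "      - uses: ./.github/actions/local-thing",
  "      - run: npm test",
  "",
].join("\n");

// Constructed stand-in for the host API / SQLite cache lookup (fake SHAs).
const FAKE_SHAS: Record<string, string> = {
  "actions/checkout@v4": "1".repeat(40),
  "actions/setup-node@v4": "2".repeat(40),
};
export const fakeResolve = (repo: string, tag: string): string | undefined =>
  FAKE_SHAS[`${repo}@${tag}`];
```

Pinning touches only the `owner/repo@ref` span, so `# keep in sync with .nvmrc` survives as `…@<sha> # v4 # keep in sync with .nvmrc`, and `unpin` restores the original text byte-for-byte; that round trip is what the `# <tag>` comment buys you over one-way digest pinning.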
## What they do that actup does not

- **No pull requests, no scheduling of itself.** `actup` is a CLI. It does not open PRs or run as a managed service; you wire it into CI yourself (see CI recipes).
- **Single ecosystem.** `actup` only manages GitHub Actions `uses:` refs. Dependabot and Renovate cover many language package ecosystems.
- **No grouping/auto-merge/preset ecosystem.** Renovate's rule presets, grouping, auto-merge and changelog rendering have no `actup` equivalent.
## Roadmap (not yet shipped)

Per ROADMAP.md, an `@actup/lsp` language server (diagnostics, code actions, hover) and an `@actup/mcp` Model Context Protocol server are planned but not implemented. Do not rely on them today.
## When to use which

- Want PR automation across many ecosystems on GitHub → Dependabot or Renovate.
- Want a scriptable, multi-host, SHA-pinning Actions checker with strict CI exit codes and SARIF, including offline → `actup`.
- They are not mutually exclusive: run `actup` as a code-scanning / gate step alongside Dependabot/Renovate PRs.