
Updating CI

We recommend pinning the Action to the floating major @v2, which updates to new releases automatically.

Don't pin to @main. Older setup docs suggested it, but we no longer recommend it: @main runs unreleased code that can change or break without warning. Switch to the floating major @v2.

There are two ways to pin the Action to the floating major @v2:

Paste this prompt into your coding agent, then review and merge the pull request it opens:

Update the React Doctor GitHub Action to the latest version.

- Open .github/workflows/react-doctor.yml.
- Change the action ref to the floating major millionco/react-doctor@v2 so it tracks new releases automatically.
- If it currently pins an exact tag (like @v2.3.1) or a commit SHA, replace it with @v2 unless we deliberately froze the version.
- Leave the version: input (the react-doctor scanner) on latest unless we pin it on purpose.
- Open a pull request with the change.

Or make the change by hand: pin the Action to the floating major in .github/workflows/react-doctor.yml:

- uses: millionco/react-doctor@v2

@v2 always resolves to the latest v2.x.y, so you get fixes and new rules with no PR. The one manual step is the next major: GitHub won't move you from @v2 to @v3, so bump it yourself and read the migration guide when it ships. If a new rule is noisy, silence it in your config rather than pinning the Action.

Bump a pinned version

A commit or exact-tag pin doesn't update until you change it. Both of these are frozen pins:

- uses: millionco/react-doctor@e3f0a1c2b4d5968778899aabbccddeeff0011223 # a commit
- uses: millionco/react-doctor@v2.3.1 # an exact tag

A commit is the supply-chain-hardened pin, because a full commit SHA cannot be repointed to different code; an exact tag is the readable version of the same idea, though a tag can be moved by whoever controls the repository. To update either, swap in the newer commit or tag from the releases page, and follow the migration guide across a major. Or skip the manual bumps and let Dependabot do them for you. If you don't need a frozen version, switch to @v2 and drop the upkeep entirely.
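
The following added example, which is not React Doctor's own code, classifies every `uses:` ref in a workflow file into the pin kinds described on this page and flags branch refs such as @main. The sample workflow is constructed, and the names `classify_ref` and `audit_workflow` are hypothetical.

```python
import re

# Matches `uses: owner/repo@ref`, with an optional trailing comment.
# Local actions (./path) have no '@' and are skipped.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)['\"]?\s*(?:#.*)?$"
)

def classify_ref(ref):
    """Name the kind of pin that the ref after '@' represents."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "commit"           # full SHA: frozen until you change it
    if re.fullmatch(r"v?\d+\.\d+\.\d+", ref):
        return "exact-tag"        # frozen until you change it
    if re.fullmatch(r"v?\d+", ref):
        return "floating-major"   # follows new releases within the major
    return "branch-or-other"      # e.g. @main: unreleased code

def audit_workflow(text):
    """Return (line_no, action, ref, kind) for each `uses:` line with a ref."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.group(1), m.group(2)
            findings.append((line_no, action, ref, classify_ref(ref)))
    return findings

# Constructed sample workflow covering each pin kind discussed above.
SAMPLE = """\
name: react-doctor
on: pull_request
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: millionco/react-doctor@main
      - uses: millionco/react-doctor@v2
      - uses: millionco/react-doctor@v2.3.1 # an exact tag
      - uses: millionco/react-doctor@e3f0a1c2b4d5968778899aabbccddeeff0011223 # a commit
      - uses: ./local-action
"""

if __name__ == "__main__":
    for line_no, action, ref, kind in audit_workflow(SAMPLE):
        note = "  <-- switch to @v2 or a frozen pin" if kind == "branch-or-other" else ""
        print(f"line {line_no}: {action}@{ref} -> {kind}{note}")
```

Run it against the contents of .github/workflows/react-doctor.yml in CI to catch a ref that has drifted back to a branch.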

Let Dependabot do it

To keep a hash or exact-tag pin current without tracking releases by hand, add .github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

Dependabot opens a PR bumping the pinned Action after each new release.

Updating the scanner

The @… ref pins the Action. A separate version input pins the scanner it runs, the react-doctor npm package. It defaults to latest; to pin it, set the input to an exact version:

- uses: millionco/react-doctor@v2
  with:
    version: "0.2.18"

Leave it on latest for the newest rules, or pin it to freeze the engine independently of the Action. See the Action reference.