About Dependabot on GitHub Actions runners
Important
If Dependabot is enabled for a repository, it will always run on GitHub Actions, bypassing both Actions policy checks and disablement at the repository or organization level. This ensures that security and version update workflows always run when Dependabot is enabled.
Using GitHub Actions runners allows you to more easily identify Dependabot job errors and manually detect and troubleshoot failed runs. You can also integrate Dependabot into your CI/CD pipelines by using GitHub Actions APIs and webhooks to detect Dependabot job status such as failed runs, and perform downstream processing. For more information, see REST API endpoints for GitHub Actions and Webhook events and payloads.
New repositories that you create in your user account or in your organization will automatically be configured to run Dependabot on GitHub Actions using standard GitHub-hosted runners if any of the following is true:
- Dependabot is installed and enabled, and GitHub Actions is enabled and in use.
- The "Dependabot on GitHub Actions runners" setting for your organization is enabled.
Future releases of GitHub will remove the ability to disable running Dependabot on GitHub Actions.
Note
Enabling Dependabot on GitHub Actions may increase the number of concurrent jobs run in your account. If required, customers on enterprise plans can request a higher limit for concurrent jobs. For more information, contact us through the GitHub Support portal, or contact your sales representative.
Runner options
You can run Dependabot on GitHub Actions using:
- Standard GitHub-hosted runners. These are the default runners used by GitHub to execute GitHub Actions jobs.
- Larger runners. These are GitHub-hosted runners with advanced features like more RAM, CPU, and disk space. For more information, see Using larger runners.
- Self-hosted runners. These runners grant you greater control over Dependabot access to your private registries and internal network resources. Be aware that for security reasons, Dependabot updates on self-hosted runners will not run on public repositories. For more information on assigning a dependabot label on self-hosted runners, see Configuring Dependabot on self-hosted runners.
Running Dependabot on standard GitHub-hosted or self-hosted runners does not count towards your included GitHub Actions minutes. For Dependabot on larger runners, GitHub will bill your organization at the regular rate. See Actions runner pricing.
Note
Private networking is supported with either an Azure Virtual Network (VNET) or the Actions Runner Controller (ARC) for Dependabot on GitHub Actions. See Setting up Dependabot to run on self-hosted action runners using the Actions Runner Controller and Setting up Dependabot to run on github-hosted action runners using the Azure Private Network.
How runner settings interact
The Dependabot on GitHub Actions runners and Dependabot on self-hosted runners settings are interdependent:
- Enabling "Dependabot on self-hosted runners" automatically enables "Dependabot on GitHub Actions runners". Disabling "Dependabot on GitHub Actions runners" automatically disables "Dependabot on self-hosted runners".
- When both settings are enabled, Dependabot jobs run only on self-hosted runners or larger runners with a dependabot label, not on standard GitHub-hosted runners.
Warning
If both settings are enabled but no self-hosted runners or larger runners with a dependabot label are available, Dependabot jobs will remain queued indefinitely. Ensure runners with this label are configured before enabling "Dependabot on self-hosted runners".
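The failed runs and indefinitely queued jobs described above can both be picked out of a workflow-runs listing. The following is an added example, not GitHub's own code: it triages a constructed response shaped like the REST API's list of workflow runs for a repository, and it assumes that Dependabot runs carry the actor login dependabot[bot] and that one hour in the queue is the local threshold for "stuck".

```python
from datetime import datetime, timedelta, timezone

DEPENDABOT_ACTOR = "dependabot[bot]"  # assumption: actor login on Dependabot runs
QUEUE_LIMIT = timedelta(hours=1)      # assumption: local threshold for "stuck"
FAILED = {"failure", "timed_out", "startup_failure"}
WAITING = {"queued", "waiting", "pending", "requested"}

# Constructed sample shaped like GET /repos/{owner}/{repo}/actions/runs.
SAMPLE_RUNS = {"workflow_runs": [
    {"id": 101, "actor": {"login": "dependabot[bot]"}, "status": "completed",
     "conclusion": "failure", "created_at": "2024-05-01T09:00:00Z"},
    {"id": 102, "actor": {"login": "dependabot[bot]"}, "status": "queued",
     "conclusion": None, "created_at": "2024-05-01T08:00:00Z"},
    {"id": 103, "actor": {"login": "dependabot[bot]"}, "status": "queued",
     "conclusion": None, "created_at": "2024-05-01T11:45:00Z"},
    {"id": 104, "actor": {"login": "octocat"}, "status": "completed",
     "conclusion": "failure", "created_at": "2024-05-01T09:30:00Z"},
    {"id": 105, "actor": {"login": "dependabot[bot]"}, "status": "completed",
     "conclusion": "success", "created_at": "2024-05-01T10:00:00Z"},
]}
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the API's ISO 8601 timestamps ("...Z") as aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(payload, now, queue_limit=QUEUE_LIMIT):
    """Return ids of Dependabot runs that failed or have waited too long."""
    findings = {"failed": [], "stuck": []}
    for run in payload.get("workflow_runs", []):
        # Skip runs by other actors; tolerate a missing or null actor object.
        if (run.get("actor") or {}).get("login") != DEPENDABOT_ACTOR:
            continue
        status, conclusion = run.get("status"), run.get("conclusion")
        if status == "completed" and conclusion in FAILED:
            findings["failed"].append(run["id"])
        elif status in WAITING and now - parse_ts(run["created_at"]) > queue_limit:
            # Long waits are the symptom of no runner with the dependabot label.
            findings["stuck"].append(run["id"])
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_RUNS, SAMPLE_NOW))
```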
Access and permissions
If you are transitioning to using Dependabot on GitHub Actions runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that Dependabot uses, you should update your allowlist to use the GitHub-hosted runners IP addresses sourced from the meta API endpoint. For more information, see REST API endpoints for meta data.
When you enforce a policy to allow actions and reusable workflows only in your enterprise, and you enable Dependabot on GitHub Actions, Dependabot will not run. To enable Dependabot to run with your enterprise actions and reusable workflows, you must choose to allow actions created by GitHub, or allow specified actions and reusable workflows. For more information, see Enforcing policies for GitHub Actions in your enterprise.
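One way to check an existing allowlist against the meta endpoint's ranges, as an added example that is not GitHub's own code: it reads the "actions" and "dependabot" keys from a constructed response shaped like GET https://api.github.com/meta, and every address below is a constructed documentation range, not a real GitHub range.

```python
import ipaddress

# Constructed sample shaped like the meta endpoint's JSON (documentation ranges).
SAMPLE_META = {
    "actions": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48"],
    "dependabot": ["203.0.113.16/28"],
}
# Constructed current allowlist of a private registry.
SAMPLE_ALLOWLIST = ["203.0.113.16/28", "192.0.2.0/25",
                    "198.51.100.0/24", "10.20.0.0/16"]


def nets(cidrs):
    """Parse CIDR strings; strict=False tolerates host bits being set."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def within(net, ranges):
    """True if net lies entirely inside one range of the same IP version."""
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def touches(net, ranges):
    """True if net overlaps any range of the same IP version."""
    return any(net.version == r.version and net.overlaps(r) for r in ranges)


def plan_allowlist(meta, current):
    """Compare an allowlist with the runner ranges published by the meta API.

    missing:      "actions" ranges the allowlist does not fully cover yet.
    legacy_only:  allowlist entries that match only the "dependabot" ranges,
                  to review once Dependabot runs on GitHub-hosted runners.
    """
    allow = nets(current)
    actions = nets(meta.get("actions", []))
    dependabot = nets(meta.get("dependabot", []))
    missing = [str(n) for n in actions if not within(n, allow)]
    legacy_only = [str(n) for n in allow
                   if within(n, dependabot) and not touches(n, actions)]
    return {"missing": missing, "legacy_only": legacy_only}


if __name__ == "__main__":
    print(plan_allowlist(SAMPLE_META, SAMPLE_ALLOWLIST))
```

Note that an allowlist entry narrower than a published range, such as the /25 inside the /24 here, is reported as missing coverage rather than treated as a match.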
Next steps
To enable Dependabot on GitHub Actions runners, see Configuring Dependabot on GitHub-hosted runners and Configuring Dependabot on self-hosted runners.