
Dependabot on GitHub Actions runners

GitHub automatically runs the jobs that generate Dependabot pull requests on GitHub Actions if you have GitHub Actions enabled for the repository. When Dependabot is enabled, these jobs will run by bypassing Actions policy checks and disablement at the repository or organization level.

Who can use this feature?

Dependabot on GitHub Actions is enabled by default for all repositories that have GitHub Actions enabled.

About Dependabot on GitHub Actions runners

Important

If Dependabot is enabled for a repository, it will always run on GitHub Actions, bypassing both Actions policy checks and disablement at the repository or organization level. This ensures that security and version update workflows always run when Dependabot is enabled.

Using GitHub Actions runners makes it easier to identify Dependabot job errors and to manually detect and troubleshoot failed runs. You can also integrate Dependabot into your CI/CD pipelines by using GitHub Actions APIs and webhooks to detect Dependabot job status, such as failed runs, and perform downstream processing. For more information, see REST API endpoints for GitHub Actions and Webhook events and payloads.

New repositories that you create in your user account or in your organization will automatically be configured to run Dependabot on GitHub Actions using standard GitHub-hosted runners if any of the following is true:

  • Dependabot is installed and enabled, and GitHub Actions is enabled and in use.
  • The "Dependabot on GitHub Actions runners" setting for your organization is enabled.

Future releases of GitHub will remove the ability to disable running Dependabot on GitHub Actions.

Note

Enabling Dependabot on GitHub Actions may increase the number of concurrent jobs run in your account. If required, customers on enterprise plans can request a higher limit for concurrent jobs. For more information, contact us through the GitHub Support portal, or contact your sales representative.

Runner options

You can run Dependabot on GitHub Actions using:

Running Dependabot on standard GitHub-hosted or self-hosted runners does not count towards your included GitHub Actions minutes. For Dependabot on larger runners, GitHub will bill your organization at the regular rate. See Actions runner pricing.

Note

Private networking is supported with either an Azure Virtual Network (VNET) or the Actions Runner Controller (ARC) for Dependabot on GitHub Actions. See [AUTOTITLE and Setting up Dependabot to run on self-hosted Actions runners using the Actions Runner Controller](/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-github-hosted-runners-using-vnet).

How runner settings interact

The Dependabot on GitHub Actions runners and Dependabot on self-hosted runners settings are interdependent:

  • Enabling "Dependabot on self-hosted runners" automatically enables "Dependabot on GitHub Actions runners". Disabling "Dependabot on GitHub Actions runners" automatically disables "Dependabot on self-hosted runners".
  • When both settings are enabled, Dependabot jobs run only on self-hosted runners or larger runners with a dependabot label, not on standard GitHub-hosted runners.

Warning

If both settings are enabled but no self-hosted runners or larger runners with a dependabot label are available, Dependabot jobs will remain queued indefinitely. Ensure runners with this label are configured before enabling "Dependabot on self-hosted runners".

Access and permissions

If you are transitioning to using Dependabot on GitHub Actions runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that Dependabot uses, you should update your allowlist to use the GitHub-hosted runners IP addresses sourced from the meta API endpoint. For more information, see REST API endpoints for meta data.
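The allowlist update described above can be checked before the switch. The following is an added example, not code from GitHub's documentation: it compares an existing allowlist against the ranges under the `actions` key of a meta API response and reports the runner ranges that are not yet allowed. The sample response and the allowlist are constructed and use documentation-reserved prefixes.

```python
import ipaddress
import json

# Constructed sample shaped like a meta API response; a real response
# lists many more ranges. All prefixes are documentation-reserved.
SAMPLE_META = json.loads("""
{"actions": ["192.0.2.0/25", "192.0.2.128/25",
             "198.51.100.0/24", "2001:db8:1::/48"]}
""")

# Constructed allowlist: one old single-address entry plus one range.
CURRENT_ALLOWLIST = ["203.0.113.10/32", "192.0.2.0/24"]


def runner_networks(meta, key="actions"):
    """Collapse the CIDR ranges under `key` into minimal IPv4/IPv6 networks."""
    nets = [ipaddress.ip_network(c, strict=False) for c in meta.get(key, [])]
    # collapse_addresses() rejects mixed IP versions, so split them first.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def allowlist_gaps(allowlist, meta):
    """Return runner networks that no single allowlist entry fully covers."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowlist]
    gaps = []
    for net in runner_networks(meta):
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            gaps.append(str(net))
    return gaps


def is_runner_ip(addr, meta):
    """True if `addr` falls inside any listed runner range."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in runner_networks(meta))


if __name__ == "__main__":
    for gap in allowlist_gaps(CURRENT_ALLOWLIST, SAMPLE_META):
        print("not yet allowed:", gap)
```

To run it against live data, replace `SAMPLE_META` with the parsed JSON body of the meta API endpoint and `CURRENT_ALLOWLIST` with the entries from your firewall or IP allow list.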

If you enforce a policy that only allows actions and reusable workflows from your organization, and you enable Dependabot on GitHub Actions, Dependabot will not run. To enable Dependabot to run with enterprise actions and reusable workflows, you should allow actions created by GitHub, or allow specified actions and reusable workflows. For more information, see Enforcing policies for GitHub Actions in your enterprise.

Next steps

To enable Dependabot on GitHub Actions runners, see Configuring Dependabot on GitHub-hosted runners and Configuring Dependabot on self-hosted runners.