
Dependabot on GitHub Actions runners

GitHub automatically runs the jobs that generate Dependabot pull requests on GitHub Actions if you have GitHub Actions enabled for the repository. When Dependabot is enabled, these jobs bypass Actions policy checks and disablement at the repository or organization level.

Who can use this feature?

Dependabot on GitHub Actions is enabled by default for all repositories that have Dependabot enabled.

About Dependabot on GitHub Actions runners

Important

If Dependabot is enabled for a repository, it will always run on GitHub Actions, bypassing both Actions policy checks and disablement at the repository or organization level. This ensures that security and version update workflows always run when Dependabot is enabled.

Using GitHub Actions runners allows you to more easily identify Dependabot job errors and manually detect and troubleshoot failed runs. You can also integrate Dependabot into your CI/CD pipelines by using GitHub Actions APIs and webhooks to detect Dependabot job status such as failed runs, and perform downstream processing. For more information, see REST API endpoints for GitHub Actions and Webhook events and payloads.

New repositories that you create in your user account or in your organization will automatically be configured to run Dependabot on GitHub Actions using standard GitHub-hosted runners if any of the following is true:

  • Dependabot is installed and enabled, and GitHub Actions is enabled and in use.
  • The "Dependabot on GitHub Actions runners" setting for your organization is enabled.

Future releases of GitHub will remove the ability to disable running Dependabot on GitHub Actions.

Note

Enabling Dependabot on GitHub Actions may increase the number of concurrent jobs run in your account. If required, customers on enterprise plans can request a higher limit for concurrent jobs. For more information, contact us through the GitHub Support portal, or contact your sales representative.

Runner options

You can run Dependabot on GitHub Actions using:

  • Standard GitHub-hosted runners. These are the default runners used by GitHub to execute GitHub Actions jobs.
  • Larger runners. These are GitHub-hosted runners with advanced features like more RAM, CPU, and disk space. For more information, see Using larger runners.
  • Self-hosted runners. These runners grant you greater control over Dependabot access to your private registries and internal network resources. Be aware that for security reasons, Dependabot updates on self-hosted runners will not run on public repositories. For more information on assigning a dependabot label on self-hosted runners, see Configuring Dependabot on self-hosted runners.

Running Dependabot on standard GitHub-hosted or self-hosted runners does not count towards your included GitHub Actions minutes. For Dependabot on larger runners, GitHub will bill your organization at the regular rate. See Actions runner pricing.

Note

Private networking is supported for Dependabot on GitHub Actions with either an Azure Virtual Network (VNET) or the Actions Runner Controller (ARC). See "Setting up Dependabot to run on self-hosted action runners using the Actions Runner Controller" and "Setting up Dependabot to run on github-hosted action runners using the Azure Private Network".

How runner settings interact

The "Dependabot on GitHub Actions runners" and "Dependabot on self-hosted runners" settings are interdependent:

  • Enabling "Dependabot on self-hosted runners" automatically enables "Dependabot on GitHub Actions runners". Disabling "Dependabot on GitHub Actions runners" automatically disables "Dependabot on self-hosted runners".
  • When both settings are enabled, Dependabot jobs run only on self-hosted runners or larger runners with a dependabot label, not on standard GitHub-hosted runners.

Warning

If both settings are enabled but no self-hosted runners or larger runners with a dependabot label are available, Dependabot jobs will remain queued indefinitely. Ensure runners with this label are configured before enabling "Dependabot on self-hosted runners".

Access and permissions

If you are transitioning to using Dependabot on GitHub Actions runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that Dependabot uses, you should update your allowlist to use the GitHub-hosted runners IP addresses sourced from the meta API endpoint. For more information, see REST API endpoints for meta data.
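One way to plan the allowlist change described above, as an added example that is not part of GitHub's documentation. It assumes the meta response carries `actions` and `dependabot` arrays of CIDR strings; the sample response, the current allowlist, and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like GET https://api.github.com/meta, trimmed to the
# two keys used here. Addresses are documentation ranges, not GitHub's real ones.
SAMPLE_META = json.loads("""{
  "dependabot": ["192.0.2.10/32", "192.0.2.11/32"],
  "actions": ["198.51.100.0/25", "198.51.100.128/25",
              "203.0.113.0/24", "2001:db8:1::/48"]
}""")


def parse_networks(cidrs):
    """Parse CIDR strings; a malformed entry raises ValueError instead of being skipped."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def collapse(nets):
    """Merge adjacent or overlapping ranges, handling IPv4 and IPv6 separately."""
    merged = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return merged


def covered(net, allow):
    """True if `net` lies entirely inside one entry of `allow`."""
    return any(net.version == a.version and net.subnet_of(a) for a in allow)


def plan_allowlist(meta, current_allowlist):
    """Compare the current allowlist with the runner ranges from the meta response."""
    actions = collapse(parse_networks(meta["actions"]))
    legacy = parse_networks(meta.get("dependabot", []))
    current = parse_networks(current_allowlist)
    merged_current = collapse(current)
    return {
        # Runner ranges the allowlist does not yet admit.
        "add": [str(n) for n in actions if not covered(n, merged_current)],
        # Entries that match only the old Dependabot ranges (assumption: these
        # are reviewed for removal once the migration has been verified).
        "review_for_removal": [str(n) for n in current
                               if covered(n, legacy) and not covered(n, actions)],
    }


if __name__ == "__main__":
    # Constructed current allowlist: legacy Dependabot IPs plus unrelated entries.
    current = ["192.0.2.10/32", "192.0.2.11/32", "203.0.113.0/24", "10.0.0.0/8"]
    print(json.dumps(plan_allowlist(SAMPLE_META, current), indent=2))
```

The GitHub-hosted runner ranges are shared by all GitHub Actions jobs, so the allowlist narrows network exposure but does not replace authentication on the private registry or resource.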

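Dependabot will not run when a policy is enforced that only allows actions and reusable workflows within your enterprise and GitHub Actions is enabled for Dependabot. To enable Dependabot to run alongside enterprise actions and reusable workflows, you should choose to either allow actions created by GitHub or allow specified actions and reusable workflows. For more information, see "Enforcing policies for GitHub Actions in your enterprise".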

Next steps

To enable Dependabot on GitHub Actions runners, see Configuring Dependabot on GitHub-hosted runners and Configuring Dependabot on self-hosted runners.