From 0e586da65a94df484359283fd58dba757ad2e8f5 Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Mon, 19 May 2025 18:22:37 +0000 Subject: [PATCH 01/15] update dependabot-run-by-actions-policies and disablement --- .../automating-dependabot-with-github-actions.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index eab2af97fbfd..714edd452d4a 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md @@ -35,6 +35,9 @@ You can use {% data variables.product.prodname_actions %} to perform automated t ## About {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %} +> [!IMPORTANT] +> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run—**bypassing both GitHub Actions policy checks and disablement**. This means Dependabot workflows will still execute even if GitHub Actions is disabled or restricted by enterprise or organization policies. + {% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date. You can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request. {% data reusables.dependabot.working-with-actions-considerations %} For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions). 
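Review bot: In the new `> [!IMPORTANT]` callout, "it will always run" and "Dependabot workflows will still execute" leave it unclear which workloads bypass policy: Dependabot's own update jobs that generate the pull requests, or the repository's user-authored workflows that trigger on those pull requests. This article is about the latter, so state explicitly which one is meant and whether the other still respects the Actions settings; an admin who has disabled Actions will otherwise read this as "arbitrary workflows run anyway". The callout also uses the literal strings "GitHub Actions" and "Dependabot" where the surrounding lines use `{% data variables.product.prodname_actions %}` and `{% data variables.product.prodname_dependabot %}`; use the variables for consistency.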
@@ -187,6 +190,18 @@ jobs: > [!NOTE] > If you use status checks to test pull requests, you should enable **Require status checks to pass before merging** for the target branch for {% data variables.product.prodname_dependabot %} pull requests. This branch protection rule ensures that pull requests are not merged unless **all the required status checks pass**. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule). +## 📌 Dependabot and GitHub Actions Policies + +Normally, whether a workflow can run in a repository depends on GitHub Actions **policy checks** and whether GitHub Actions is **enabled** at the organization or repository level. These controls can restrict workflows from running—especially when external actions are blocked or GitHub Actions is disabled entirely. + +However, when {% data variables.product.prodname_dependabot %} is enabled for a repository, its workflows will always run—**bypassing both Actions policy checks and disablement**. + +* {% data variables.product.prodname_dependabot %} workflows are not blocked by Actions disablement or enterprise policy restrictions. +* The actions referenced within these workflows are also allowed to run, even if external actions are disallowed. +* This behavior aligns with GitHub's organizational ruleset workflows, which may override repository-level settings. + +For more details, see [About Dependabot on GitHub Actions Runners](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). + ## Investigating failed workflow runs If your workflow run fails, check the following: From 8e7c88d597d0746e41c0fa06c1deacb8655ff854 Mon Sep 17 00:00:00 2001 
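Review bot: The bullet "The actions referenced within these workflows are also allowed to run, even if external actions are disallowed" is the strongest claim in the new section and needs a source and a scope: say whether it covers only the actions Dependabot itself uses or any action referenced by a workflow triggered on a Dependabot pull request, because the second reading tells an org admin that a restriction on external actions does not hold for those workflows, which they need to know when evaluating the control. The third bullet ("aligns with GitHub's organizational ruleset workflows, which may override repository-level settings") is an analogy rather than an explanation of the mechanism and should be dropped or replaced with what actually happens. Style: the heading `## 📌 Dependabot and GitHub Actions Policies` should be sentence case without the emoji, the link text should be `[AUTOTITLE]` like the other links in this file, and the em dash before "**bypassing" can be a comma.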
From: kbukum1 Date: Mon, 19 May 2025 18:34:43 +0000 Subject: [PATCH 02/15] update doc to mention that dependabot bypass actions policy checks and disablement --- .../about-dependabot-on-github-actions-runners.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md index 90cfdc9432c2..ec155b66f4a0 100644 --- a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md +++ b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md @@ -1,6 +1,6 @@ --- title: About Dependabot on GitHub Actions runners -intro: '{% data variables.product.prodname_dotcom %} automatically runs the jobs that generate {% data variables.product.prodname_dependabot %} pull requests on {% data variables.product.prodname_actions %} if you have {% data variables.product.prodname_actions %} enabled for the repository.' +intro: '{% data variables.product.prodname_dotcom %} automatically runs the jobs that generate {% data variables.product.prodname_dependabot %} pull requests on {% data variables.product.prodname_actions %} when {% data variables.product.prodname_dependabot %} is enabled for the repository. These jobs run even if GitHub Actions is disabled or restricted by policy.' shortTitle: About Dependabot on Actions product: '{% data reusables.gated-features.dependabot-on-actions %}' versions: 
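Review bot: The rewritten `intro` changes the documented precondition from "if you have {% data variables.product.prodname_actions %} enabled for the repository" to "when {% data variables.product.prodname_dependabot %} is enabled for the repository", which also changes what the `product: '{% data reusables.gated-features.dependabot-on-actions %}'` gating describes; confirm this is the intended product behavior before changing the intro, and keep the intro to a single precondition so it cannot contradict the body. The added sentence also uses the literal "GitHub Actions" where the same line already uses `{% data variables.product.prodname_actions %}`.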
@@ -17,6 +17,9 @@ topics: ## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners +> [!IMPORTANT] +> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run—**bypassing both GitHub Actions policy checks and disablement**. This ensures that security and version update workflows run even when Actions is disabled or restricted at the repo or org level. + {% data reusables.dependabot.dependabot-updates-and-actions %} {% data reusables.dependabot.dependabot-on-actions-future-note %} From a9bfc12eec921cd59db224aba4e457fdaf502fa2 Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Mon, 19 May 2025 18:38:06 +0000 Subject: [PATCH 03/15] fix link --- .../automating-dependabot-with-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index 714edd452d4a..36f859c475c2 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md @@ -200,7 +200,7 @@ However, when {% data variables.product.prodname_dependabot %} is enabled for a * The actions referenced within these workflows are also allowed to run, even if external actions are disallowed. * This behavior aligns with GitHub's organizational ruleset workflows, which may override repository-level settings. -For more details, see [About Dependabot on GitHub Actions Runners](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). +For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). ## Investigating failed workflow runs 
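Review bot: The `> [!IMPORTANT]` callout added to about-dependabot-on-github-actions-runners.md here is a near-verbatim copy of the one added to automating-dependabot-with-github-actions.md in PATCH 01/15; this repo already uses `{% data reusables.dependabot.* %}` for shared text, so put the callout in one reusable and include it from both articles, otherwise the two copies drift (the rest of this series edits each copy separately to keep them aligned). Also spell out "repository" and "organization" instead of "repo or org" to match the surrounding docs. The PATCH 03/15 link hunk that follows is fine: `[AUTOTITLE]` is the convention for internal links.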
From aa89799e2ddfa3572636cca3940dbeace2a124ce Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Mon, 19 May 2025 19:04:27 +0000 Subject: [PATCH 04/15] remove outline --- .../automating-dependabot-with-github-actions.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index 36f859c475c2..072cff1986d6 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md @@ -198,7 +198,6 @@ However, when {% data variables.product.prodname_dependabot %} is enabled for a * {% data variables.product.prodname_dependabot %} workflows are not blocked by Actions disablement or enterprise policy restrictions. * The actions referenced within these workflows are also allowed to run, even if external actions are disallowed. -* This behavior aligns with GitHub's organizational ruleset workflows, which may override repository-level settings. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). From 7a09151df328c6414f3afe8e2e36993644ff257e Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Mon, 19 May 2025 19:06:10 +0000 Subject: [PATCH 05/15] clarify the sentence --- .../automating-dependabot-with-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index 072cff1986d6..4e7dd812abd7 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md 
+++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md @@ -194,7 +194,7 @@ jobs: Normally, whether a workflow can run in a repository depends on GitHub Actions **policy checks** and whether GitHub Actions is **enabled** at the organization or repository level. These controls can restrict workflows from running—especially when external actions are blocked or GitHub Actions is disabled entirely. -However, when {% data variables.product.prodname_dependabot %} is enabled for a repository, its workflows will always run—**bypassing both Actions policy checks and disablement**. +However, when {% data variables.product.prodname_dependabot %} is enabled for a repository, its workflows will always run on actions **bypassing both Actions policy checks and disablement**. * {% data variables.product.prodname_dependabot %} workflows are not blocked by Actions disablement or enterprise policy restrictions. * The actions referenced within these workflows are also allowed to run, even if external actions are disallowed. From 726efebec82aa208f978af1b70bcfba76fd6b73f Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Mon, 19 May 2025 19:07:54 +0000 Subject: [PATCH 06/15] revert back the change --- .../about-dependabot-on-github-actions-runners.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md index ec155b66f4a0..16ef54b7e566 100644 --- a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md +++ b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md 
@@ -1,6 +1,6 @@ --- title: About Dependabot on GitHub Actions runners -intro: '{% data variables.product.prodname_dotcom %} automatically runs the jobs that generate {% data variables.product.prodname_dependabot %} pull requests on {% data variables.product.prodname_actions %} when {% data variables.product.prodname_dependabot %} is enabled for the repository. These jobs run even if GitHub Actions is disabled or restricted by policy.' +intro: '{% data variables.product.prodname_dotcom %} automatically runs the jobs that generate {% data variables.product.prodname_dependabot %} pull requests on {% data variables.product.prodname_actions %} if you have {% data variables.product.prodname_actions %} enabled for the repository. These jobs run even if GitHub Actions is disabled or restricted by policy.' shortTitle: About Dependabot on Actions product: '{% data reusables.gated-features.dependabot-on-actions %}' versions: From 02da4ea2c3d2fd7b5e28b6ab0e189eae9123feb0 Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Mon, 19 May 2025 19:11:01 +0000 Subject: [PATCH 07/15] clarify sentence --- .../about-dependabot-on-github-actions-runners.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md index 16ef54b7e566..af82b58c2856 100644 --- a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md +++ b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md 
@@ -1,6 +1,6 @@ --- title: About Dependabot on GitHub Actions runners -intro: '{% data variables.product.prodname_dotcom %} automatically runs the jobs that generate {% data variables.product.prodname_dependabot %} pull requests on {% data variables.product.prodname_actions %} if you have {% data variables.product.prodname_actions %} enabled for the repository. These jobs run even if GitHub Actions is disabled or restricted by policy.' +intro: '{% data variables.product.prodname_dotcom %} automatically runs the jobs that generate {% data variables.product.prodname_dependabot %} pull requests on {% data variables.product.prodname_actions %} if you have {% data variables.product.prodname_actions %} enabled for the repository. Dependabot jobs also run by bypassing Actions policy checks and disablement at the repository or organization level when {% data variables.product.prodname_dependabot %} is enabled.' shortTitle: About Dependabot on Actions product: '{% data reusables.gated-features.dependabot-on-actions %}' versions: From f5131e5fb53c8f938271fd75da27cee8108eba03 Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Mon, 19 May 2025 19:12:42 +0000 Subject: [PATCH 08/15] clarify sentences --- .../about-dependabot-on-github-actions-runners.md | 2 +- .../automating-dependabot-with-github-actions.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md index af82b58c2856..e24fd96a0e31 100644 --- a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md +++ b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md 
@@ -18,7 +18,7 @@ topics: ## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners > [!IMPORTANT] -> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run—**bypassing both GitHub Actions policy checks and disablement**. This ensures that security and version update workflows run even when Actions is disabled or restricted at the repo or org level. +> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on actions **bypassing both GitHub Actions policy checks and disablement**. This ensures that security and version update workflows run even when Actions is disabled or restricted at the repo or org level. {% data reusables.dependabot.dependabot-updates-and-actions %} diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index 4e7dd812abd7..be4ce947f7dc 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md 
@@ -36,7 +36,7 @@ You can use {% data variables.product.prodname_actions %} to perform automated t ## About {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %} > [!IMPORTANT] -> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run—**bypassing both GitHub Actions policy checks and disablement**. This means Dependabot workflows will still execute even if GitHub Actions is disabled or restricted by enterprise or organization policies. +> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on actions **bypassing both GitHub Actions policy checks and disablement**. This means Dependabot workflows will still execute even if GitHub Actions is disabled or restricted by enterprise or organization policies. {% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date. You can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request. From 2fc7dcfc05264d29489e3389fea7945d85d1a6fd Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Mon, 19 May 2025 19:14:06 +0000 Subject: [PATCH 09/15] clarify notes --- .../about-dependabot-on-github-actions-runners.md | 2 +- .../automating-dependabot-with-github-actions.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md index e24fd96a0e31..091c3563a885 100644 --- a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md +++ b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md 
@@ -18,7 +18,7 @@ topics: ## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners > [!IMPORTANT] -> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on actions **bypassing both GitHub Actions policy checks and disablement**. This ensures that security and version update workflows run even when Actions is disabled or restricted at the repo or org level. +> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on actions **bypassing both actions policy checks and disablement on repository and organization level**. This ensures that security and version update workflows run even when Actions is disabled or restricted at the repo or org level. {% data reusables.dependabot.dependabot-updates-and-actions %} diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index be4ce947f7dc..fa82d0ff28df 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md 
@@ -36,7 +36,7 @@ You can use {% data variables.product.prodname_actions %} to perform automated t ## About {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %} > [!IMPORTANT] -> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on actions **bypassing both GitHub Actions policy checks and disablement**. This means Dependabot workflows will still execute even if GitHub Actions is disabled or restricted by enterprise or organization policies. +> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on actions **bypassing both actions policy checks and disablement on repository and organization level**. This means Dependabot workflows will still execute even if GitHub Actions is disabled or restricted by enterprise or organization policies. {% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date. You can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request. From 3939004cde45e82856a18ef6ddce7520bdb590bd Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Mon, 19 May 2025 19:16:11 +0000 Subject: [PATCH 10/15] clarify sentences --- .../about-dependabot-on-github-actions-runners.md | 2 +- .../automating-dependabot-with-github-actions.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md index 091c3563a885..02ae0954379b 100644 --- a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md 
+++ b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md @@ -18,7 +18,7 @@ topics: ## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners > [!IMPORTANT] -> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on actions **bypassing both actions policy checks and disablement on repository and organization level**. This ensures that security and version update workflows run even when Actions is disabled or restricted at the repo or org level. +> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on actions **bypassing both actions policy checks and disablement on repository and organization level**. This ensures that security and version update workflows always run when Dependabot is enabled. {% data reusables.dependabot.dependabot-updates-and-actions %} diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index fa82d0ff28df..cffb433522fe 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md 
@@ -36,7 +36,7 @@ You can use {% data variables.product.prodname_actions %} to perform automated t ## About {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %} > [!IMPORTANT] -> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on actions **bypassing both actions policy checks and disablement on repository and organization level**. This means Dependabot workflows will still execute even if GitHub Actions is disabled or restricted by enterprise or organization policies. +> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on actions **bypassing both actions policy checks and disablement on repository and organization level**. This ensures that security and version update workflows always run when Dependabot is enabled. {% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date. You can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request. From a8c1a712f165225b467efa587d7a77887304592c Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Mon, 19 May 2025 19:23:13 +0000 Subject: [PATCH 11/15] add if conditions for the references docs --- .../automating-dependabot-with-github-actions.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index cffb433522fe..fd5728646eed 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md 
@@ -199,7 +199,9 @@ However, when {% data variables.product.prodname_dependabot %} is enabled for a * {% data variables.product.prodname_dependabot %} workflows are not blocked by Actions disablement or enterprise policy restrictions. * The actions referenced within these workflows are also allowed to run, even if external actions are disallowed. +{% ifversion dependabot-on-actions-opt-in %} For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). +{% endif %} ## Investigating failed workflow runs From 08783c5ba34263e99067a38cfbcd457a541bd4f9 Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Mon, 19 May 2025 19:28:28 +0000 Subject: [PATCH 12/15] refine the note --- .../automating-dependabot-with-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index fd5728646eed..20ca7414940d 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md 
@@ -36,7 +36,7 @@ You can use {% data variables.product.prodname_actions %} to perform automated t ## About {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %} > [!IMPORTANT] -> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on actions **bypassing both actions policy checks and disablement on repository and organization level**. This ensures that security and version update workflows always run when Dependabot is enabled. +> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on {% data variables.product.prodname_actions %}, **bypassing both Actions policy checks and disablement at the repository or organization level**. This ensures that security and version update workflows always run when Dependabot is enabled. {% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date. You can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request. From 3932adcab25c08934d783771a32195f0c4ce16f8 Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Mon, 19 May 2025 19:29:24 +0000 Subject: [PATCH 13/15] use variable names --- .../automating-dependabot-with-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index 20ca7414940d..920767108648 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md 
@@ -194,7 +194,7 @@ jobs: Normally, whether a workflow can run in a repository depends on GitHub Actions **policy checks** and whether GitHub Actions is **enabled** at the organization or repository level. These controls can restrict workflows from running—especially when external actions are blocked or GitHub Actions is disabled entirely. -However, when {% data variables.product.prodname_dependabot %} is enabled for a repository, its workflows will always run on actions **bypassing both Actions policy checks and disablement**. +However, when {% data variables.product.prodname_dependabot %} is enabled for a repository, its workflows will always run on {% data variables.product.prodname_actions %}, **bypassing both Actions policy checks and disablement**. * {% data variables.product.prodname_dependabot %} workflows are not blocked by Actions disablement or enterprise policy restrictions. * The actions referenced within these workflows are also allowed to run, even if external actions are disallowed. From 254391bb94b45b1d6262d1ea4083b42acf392740 Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Mon, 19 May 2025 19:32:30 +0000 Subject: [PATCH 14/15] refine sentences --- .../about-dependabot-on-github-actions-runners.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md index 02ae0954379b..cac16098fece 100644 --- a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md +++ b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md 
@@ -1,6 +1,6 @@ --- title: About Dependabot on GitHub Actions runners -intro: '{% data variables.product.prodname_dotcom %} automatically runs the jobs that generate {% data variables.product.prodname_dependabot %} pull requests on {% data variables.product.prodname_actions %} if you have {% data variables.product.prodname_actions %} enabled for the repository. Dependabot jobs also run by bypassing Actions policy checks and disablement at the repository or organization level when {% data variables.product.prodname_dependabot %} is enabled.' +intro: '{% data variables.product.prodname_dotcom %} automatically runs the jobs that generate {% data variables.product.prodname_dependabot %} pull requests on {% data variables.product.prodname_actions %} if you have {% data variables.product.prodname_actions %} enabled for the repository. When {% data variables.product.prodname_dependabot %} is enabled, these jobs will run by bypassing Actions policy checks and disablement at the repository or organization level.' shortTitle: About Dependabot on Actions product: '{% data reusables.gated-features.dependabot-on-actions %}' versions: 
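Review bot: The `intro` now reads "...if you have {% data variables.product.prodname_actions %} enabled for the repository. When {% data variables.product.prodname_dependabot %} is enabled, these jobs will run by bypassing Actions policy checks and disablement...", so the first sentence conditions on Actions being enabled and the second says the jobs run when it is disabled. Merge them into one statement of the precondition, for example that the jobs run on Actions when Dependabot is enabled regardless of whether Actions is enabled or restricted at the repository or organization level. "run by bypassing" is also awkward; "run even when" reads better.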
@@ -18,7 +18,7 @@ topics: ## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners > [!IMPORTANT] -> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on actions **bypassing both actions policy checks and disablement on repository and organization level**. This ensures that security and version update workflows always run when Dependabot is enabled. +> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run on {% data variables.product.prodname_actions %}, **bypassing both Actions policy checks and disablement at the repository or organization level**. This ensures that security and version update workflows always run when Dependabot is enabled. {% data reusables.dependabot.dependabot-updates-and-actions %} From e5dbcc864c80274b4005d5a40ee069426aee9d3a Mon Sep 17 00:00:00 2001 From: Joe Clark <31087804+jc-clark@users.noreply.github.com> Date: Mon, 19 May 2025 15:46:34 -0700 Subject: [PATCH 15/15] Apply suggestions from code review --- .../automating-dependabot-with-github-actions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index 920767108648..b04378ebb0d8 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md 
@@ -190,9 +190,9 @@ jobs: > [!NOTE] > If you use status checks to test pull requests, you should enable **Require status checks to pass before merging** for the target branch for {% data variables.product.prodname_dependabot %} pull requests. This branch protection rule ensures that pull requests are not merged unless **all the required status checks pass**. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule). -## 📌 Dependabot and GitHub Actions Policies +## {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %} policies -Normally, whether a workflow can run in a repository depends on GitHub Actions **policy checks** and whether GitHub Actions is **enabled** at the organization or repository level. These controls can restrict workflows from running—especially when external actions are blocked or GitHub Actions is disabled entirely. +Normally, whether a workflow can run in a repository depends on {% data variables.product.prodname_actions %} **policy checks** and whether {% data variables.product.prodname_actions %} is **enabled** at the organization or repository level. These controls can restrict workflows from running—especially when external actions are blocked or {% data variables.product.prodname_actions %} is disabled entirely. However, when {% data variables.product.prodname_dependabot %} is enabled for a repository, its workflows will always run on {% data variables.product.prodname_actions %}, **bypassing both Actions policy checks and disablement**.
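Review bot: After this hunk the article still states the scope of the bypass three different ways: the callout in the About section (from PATCH 12/15) says "at the repository or organization level", this paragraph says "bypassing both Actions policy checks and disablement" with no scope, and the first bullet that follows says "Actions disablement or enterprise policy restrictions". Pick one scope and state explicitly whether enterprise-level disablement is included, since that is the question an enterprise admin reading this section will have. Minor: the em dash before "especially" in the rewritten paragraph could be a comma, and renaming the heading to `{% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %} policies` is the right fix for the emoji and title case.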
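Review bot: In the PATCH 11/15 hunk, `{% ifversion dependabot-on-actions-opt-in %}` wraps only the cross-reference to about-dependabot-on-github-actions-runners, while the heading, paragraphs and bullets describing the policy bypass stay unconditional. If the target article is gated by that feature, the behavior it documents presumably is too, so either gate the whole section or explain why the text applies to versions the link does not. Also confirm the feature name is defined in the docs feature data so the Liquid renders in every version rather than failing the build.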