Clarify that Dependabot workflows bypass Actions policy checks and disablement #38421

Status: Merged (16 commits), May 19, 2025
Changes from 3 commits
@@ -1,6 +1,6 @@
---
title: About Dependabot on GitHub Actions runners
intro: '{% data variables.product.prodname_dotcom %} automatically runs the jobs that generate {% data variables.product.prodname_dependabot %} pull requests on {% data variables.product.prodname_actions %} if you have {% data variables.product.prodname_actions %} enabled for the repository.'
intro: '{% data variables.product.prodname_dotcom %} automatically runs the jobs that generate {% data variables.product.prodname_dependabot %} pull requests on {% data variables.product.prodname_actions %} when {% data variables.product.prodname_dependabot %} is enabled for the repository. These jobs run even if GitHub Actions is disabled or restricted by policy.'
shortTitle: About Dependabot on Actions
product: '{% data reusables.gated-features.dependabot-on-actions %}'
versions:
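Review bot: the replacement `intro` line hard-codes "GitHub Actions" in its second sentence while the rest of the same line uses `{% data variables.product.prodname_actions %}`; use the variable so the product name renders correctly on every version of the docs. The second sentence should also say at which level the policy or disablement applies (repository, organization, enterprise), because the callouts added elsewhere in this pull request each phrase that scope differently.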
@@ -17,6 +17,9 @@ topics:

## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners

> [!IMPORTANT]
> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run—**bypassing both GitHub Actions policy checks and disablement**. This ensures that security and version update workflows run even when Actions is disabled or restricted at the repo or org level.

{% data reusables.dependabot.dependabot-updates-and-actions %}

{% data reusables.dependabot.dependabot-on-actions-future-note %}
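Review bot: the callout overstates and under-specifies the behavior it documents. "it will always run" should be scoped to the update jobs that generate Dependabot pull requests (the subject of this page), and "bypassing both GitHub Actions policy checks and disablement" should name which checks are meant (the Actions permissions and allowed-actions policy at repository, organization and enterprise level). Style points: replace "repo" and "org" with "repository" and "organization", use `{% data variables.product.prodname_actions %}` instead of the literal product name, and drop the em dash. Since near-identical text is added to the second file in this pull request, put the callout in a reusable under `reusables.dependabot`, alongside the two reusables already included directly below it, so both pages stay in sync.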
File: content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md
@@ -35,6 +35,9 @@

## About {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %}

> [!IMPORTANT]
> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run—**bypassing both GitHub Actions policy checks and disablement**. This means Dependabot workflows will still execute even if GitHub Actions is disabled or restricted by enterprise or organization policies.

{% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date. You can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request.

{% data reusables.dependabot.working-with-actions-considerations %} For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions).
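Review bot: this callout is a near copy of the one added to the first file, with a different second sentence ("enterprise or organization policies" here versus "repo or org level" there). One authoritative sentence in a reusable, included in both places, avoids the drift; this file already pulls in `{% data reusables.dependabot.working-with-actions-considerations %}` a few lines below. More importantly, "Dependabot workflows" is ambiguous in this section, whose subject is user-authored workflows that run on Dependabot pull requests: state whether the bypass covers the update jobs GitHub runs, workflows triggered by `dependabot[bot]` events in the repository, or both.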
@@ -187,6 +190,18 @@
> [!NOTE]
> If you use status checks to test pull requests, you should enable **Require status checks to pass before merging** for the target branch for {% data variables.product.prodname_dependabot %} pull requests. This branch protection rule ensures that pull requests are not merged unless **all the required status checks pass**. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule).

## 📌 Dependabot and GitHub Actions Policies

Normally, whether a workflow can run in a repository depends on GitHub Actions **policy checks** and whether GitHub Actions is **enabled** at the organization or repository level. These controls can restrict workflows from running—especially when external actions are blocked or GitHub Actions is disabled entirely.

However, when {% data variables.product.prodname_dependabot %} is enabled for a repository, its workflows will always run—**bypassing both Actions policy checks and disablement**.

* {% data variables.product.prodname_dependabot %} workflows are not blocked by Actions disablement or enterprise policy restrictions.

[CI annotation, GitHub Actions / test-changed-content, line 199 of content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md: Unable to find Page by '/en/enterprise-server@3.17/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners'. To fix it, check that the link is correct and active.]
* The actions referenced within these workflows are also allowed to run, even if external actions are disallowed.
* This behavior aligns with GitHub's organizational ruleset workflows, which may override repository-level settings.

For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners).

## Investigating failed workflow runs

If your workflow run fails, check the following:
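Review bot: the bullet "The actions referenced within these workflows are also allowed to run, even if external actions are disallowed" is the statement administrators will act on, and it is the least precise line in the section. Say exactly which workflows receive the exception (the update jobs GitHub itself runs, or any workflow file in the repository that a Dependabot event triggers) and whether the organization's allowed-actions list is ignored entirely or only for the actions Dependabot's own jobs reference; as written, an administrator who has blocked third-party actions cannot tell whether a `pull_request` workflow triggered by a Dependabot pull request may pull an arbitrary external action. The bullet "This behavior aligns with GitHub's organizational ruleset workflows, which may override repository-level settings" explains nothing and points at a different feature (repository rulesets are not Actions policies); replace it with a concrete statement or remove it. The 📌 emoji in the heading matches no other heading in this file. Finally, the link on the last added line to about-dependabot-on-github-actions-runners is the target the check-links job reports missing for enterprise-server@3.13 through 3.17; either add those versions to that page's `versions` frontmatter or wrap the sentence in an `{% ifversion %}` guard.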
@@ -194,7 +209,7 @@
* You are running the workflow only when the correct actor triggers it.
* You are checking out the correct `ref` for your `pull_request`.
* Your secrets are available in {% data variables.product.prodname_dependabot %} secrets rather than as {% data variables.product.prodname_actions %} secrets.
* You have a `GITHUB_TOKEN` with the correct permissions.

[CI annotations, GitHub Actions / check-links, line 212 of content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md: Unable to find Page by '/en/enterprise-server@<version>/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners', reported once each for enterprise-server@3.13, 3.14, 3.15, 3.16 and 3.17. To fix it, check that the link is correct and active.]

For information on writing and debugging {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/learn-github-actions).
