
About Dependabot on Actions runners

Who can use this feature?

Dependabot on Actions is enabled by default for all repositories for which Actions is enabled.

Important

If Dependabot is enabled for a repository, it will always run on Actions, bypassing both Actions policy checks and disablement at the repository or organization level. This ensures that security and version update workflows always run when Dependabot is enabled.

If you enable Dependabot on a new repository and have Actions enabled, Dependabot will run on Actions by default.

If you enable Dependabot on a new repository and have Actions disabled, Dependabot will run on the legacy application in to perform Dependabot updates. This doesn't provide as good performance, visibility, or control of Dependabot updates jobs as Actions does. If you want to use Dependabot with Actions, you must ensure that your repository enables Actions, then enable "Dependabot on Actions runners" from the repository's "Advanced Security" settings page.

Note:

Future releases of will always run Dependabot using Actions, and you will no longer have the option to enable or disable this setting.

Using Actions runners allows you to more easily identify Dependabot job errors and manually detect and troubleshoot failed runs. You can also integrate Dependabot into your CI/CD pipelines by using Actions APIs and webhooks to detect Dependabot job status such as failed runs, and perform downstream processing. For more information, see REST API endpoints for Actions and Webhook events and payloads.
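As an added example (not code from the page or from Dependabot itself), the following receiver does the two things a CI/CD integration needs from the webhook path described above: it verifies the `X-Hub-Signature-256` HMAC GitHub attaches to deliveries, then classifies completed `workflow_run` events whose actor is `dependabot[bot]` as needing attention when they did not succeed. The secret, the sample payload and the URL are constructed; the field names assumed are those of the `workflow_run` payload.

```python
import hashlib
import hmac
import json

# Hypothetical secret: the real one is whatever was configured on the webhook.
WEBHOOK_SECRET = b"example-webhook-secret"

def sign_body(secret: bytes, body: bytes) -> str:
    """Build the X-Hub-Signature-256 value: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, signature_header) -> bool:
    """Constant-time check of the signature header; unsigned or malformed deliveries are rejected."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), signature_header)

def classify_dependabot_run(event_name: str, payload: dict):
    """For a completed workflow_run triggered by dependabot[bot], return (needs_attention, summary).
    Returns None for anything else (other events, other actors, runs still in progress)."""
    if event_name != "workflow_run" or payload.get("action") != "completed":
        return None
    run = payload.get("workflow_run") or {}
    if (run.get("actor") or {}).get("login") != "dependabot[bot]":
        return None
    conclusion = run.get("conclusion")
    summary = f"{run.get('name')} run #{run.get('run_number')} finished with {conclusion}: {run.get('html_url')}"
    return conclusion != "success", summary

def handle_webhook(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Entry point a web framework would call with the raw request headers and body."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return {"accepted": False, "reason": "bad signature"}
    result = classify_dependabot_run(headers.get("X-GitHub-Event", ""), json.loads(body))
    if result is None:
        return {"accepted": True, "dependabot": False}
    needs_attention, summary = result
    return {"accepted": True, "dependabot": True, "needs_attention": needs_attention, "summary": summary}

# Constructed sample delivery (not a captured GitHub event) carrying only the fields used above.
SAMPLE_BODY = json.dumps({
    "action": "completed",
    "workflow_run": {
        "name": "Dependabot Updates", "run_number": 42, "conclusion": "failure",
        "html_url": "https://example.invalid/owner/repo/actions/runs/42",
        "actor": {"login": "dependabot[bot]"},
    },
}).encode()
SAMPLE_HEADERS = {"X-GitHub-Event": "workflow_run",
                  "X-Hub-Signature-256": sign_body(WEBHOOK_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY))
```

The `needs_attention` flag is what downstream processing (a ticket, a chat alert, a re-run request through the REST API) would key on.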

Note:

Running Dependabot on -hosted and self-hosted runners does not count towards your included Actions minutes. For more information, see About billing for Actions.

You can run Dependabot on Actions using:

  • -hosted runners
  • Larger runners. These runners are -hosted, with advanced features, such as more RAM, CPU, and disk space. For more information, see Using larger runners.
  • Self-hosted runners. For more information on assigning a dependabot label on self-hosted runners, see Managing Dependabot on self-hosted runners.

Note:

Private networking is supported with either an Azure Virtual Network (VNET) or the Actions Runner Controller (ARC) for Dependabot on Actions. For more information and instructions, see Setting up Dependabot to run on self-hosted action runners using the Actions Runner Controller and Setting up Dependabot to run on -hosted action runners using the Azure Private Network.

Enabling Dependabot on Actions may increase the number of concurrent jobs run in your account. If required, customers on enterprise plans can request a higher limit for concurrent jobs. For more information, contact us through the Support portal, or contact your sales representative.

If you are transitioning to using Dependabot on Actions runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that Dependabot uses, you should update your allowlist to use the -hosted runners IP addresses sourced from the meta API endpoint. For more information, see REST API endpoints for meta data.

When you enforce a policy to only allow actions and reusable workflows from your enterprise, and you enable Dependabot on Actions, Dependabot will not run. To enable Dependabot to run with your enterprise actions and reusable workflows, you should choose either to allow actions created by , or allow specified actions and reusable workflows. For more information, see Enforcing policies for Actions in your enterprise.

Note:

Dependabot on Actions relies on the ubuntu-latest label to select the appropriate runner. To ensure Dependabot runs on -hosted runners, you should not use the label ubuntu-latest for self-hosted runners.

This section only applies to standard -hosted runners, not larger runners.

New repositories that you create in your user account or in your organization will automatically be configured to run Dependabot on Actions if any of the following is true:

  • Dependabot is installed and enabled, and Actions is enabled and in use.
  • The "Dependabot on Actions runners" setting for your organization is enabled.

For existing repositories, you can opt in to run Dependabot on Actions as follows.

Future releases of will remove the ability to disable running Dependabot on Actions.

If you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses prior to enabling Dependabot on Actions runners. You can update your IP allow list to use the -hosted runners IP addresses (instead of the Dependabot IP addresses), sourced from the meta REST API endpoint.
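As an added example of the allowlist update described here and in the earlier paragraph on private resources (not code from the page or from Dependabot), the function below compares a current IP allowlist with the `actions` ranges from the meta REST API and reports what to add and what to remove. Ranges you own (offices, VPNs, self-hosted runners) are pinned so they are never proposed for removal; the meta response and the allowlist are constructed samples. This keeps private resources reachable from the runners; it is not a substitute for authentication.

```python
import ipaddress
import json

# Constructed excerpt in the shape of the GET /meta response; the real "actions" list is far longer.
META_JSON = json.dumps({
    "actions": ["192.0.2.0/24", "198.51.100.128/25", "2001:db8:10::/48"],
})

def plan_allowlist_update(meta_json: str, current_allowlist: list, keep: list = ()) -> dict:
    """Diff the current allowlist against the 'actions' ranges from /meta.
    Entries in `keep` are never removed; anything else that is not an Actions range
    (for example the old Dependabot ranges) is proposed for removal.
    Every entry is validated as a proper CIDR block, so a typo fails loudly here
    rather than silently opening or closing a range on the firewall."""
    meta = json.loads(meta_json)
    wanted = {ipaddress.ip_network(c, strict=True) for c in meta["actions"]}
    have = {ipaddress.ip_network(c, strict=True) for c in current_allowlist}
    pinned = {ipaddress.ip_network(c, strict=True) for c in keep}
    add = wanted - have
    remove = have - wanted - pinned
    final = (have - remove) | add
    return {"add": sorted(map(str, add)),
            "remove": sorted(map(str, remove)),
            "allowlist": sorted(map(str, final))}

# Constructed current allowlist: an office range, one Actions range already present,
# and a range standing in for the old Dependabot addresses that should be retired.
CURRENT = ["203.0.113.0/27", "192.0.2.0/24", "10.20.0.0/16"]
OFFICE = ["10.20.0.0/16"]

if __name__ == "__main__":
    print(json.dumps(plan_allowlist_update(META_JSON, CURRENT, OFFICE), indent=2))
```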

Warning

You should not rely on the Actions IP addresses for authentication to private registries. These Actions addresses are not only used by , and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. For more information, see Managing Dependabot on self-hosted runners.

Note that disabling and re-enabling the "Dependabot on Actions runners" setting will not trigger a new Dependabot run.

You can manage Dependabot on Actions for your public, private or internal repository.

  1. On , navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Advanced Security.

  4. Under "Dependabot", to the right of "Dependabot on Actions runners", click Enable to enable the feature or Disable to disable it.

You can enable Dependabot on Actions for all existing repositories in an organization.

Only repositories with the following configuration will be updated to run Dependabot on Actions the next time a Dependabot job is triggered.

  • Dependabot is enabled in the repository.
  • Actions is enabled in the repository.

If a repository in your organization has Dependabot enabled but Actions disabled, Dependabot will not run on Actions, but will continue to run using the built-in Dependabot application.

  1. In the upper-right corner of , select your profile photo, then click Your organizations.
  2. Next to the organization, click Settings.
  3. In the "Security" section of the sidebar, click Advanced Security then Global settings.
  4. Under "Dependabot", select "Dependabot on Actions runners" to enable the feature or deselect to disable it.

For more information, see Configuring global security settings for your organization.

If you run into Dependabot timeouts and out-of-memory errors, you may want to use larger runners, as you can configure these runners to have more resources.

Note:

You can only enable larger runners for Dependabot at the organization level. will bill your organization at the regular Actions runner pricing. For more information, see About billing for Actions.

  1. Add a larger runner to your organization and ensure the name specified is dependabot. For more information, see Managing larger runners.
  2. Opt in the organization to self-hosted runners. For more information, see Managing Dependabot on self-hosted runners. This step is required, as it ensures that future Dependabot jobs will run on the larger -hosted runner that has the dependabot name.

When a Dependabot on Actions job is run, you can review the workflow run history directly from the Dependabot job logs. For more information, see Viewing Dependabot job logs.

You can also navigate to a Dependabot workflow run from the Actions tab in a repository. For more information, see Viewing workflow run history.

To re-run a Dependabot version updates or Dependabot security updates job, use the appropriate procedure below. You cannot re-run a Dependabot job on Actions as you would for other Actions workflows and jobs, that is, by using the Actions tab in a repository. You cannot view usage data for Dependabot updates workflows and jobs in your organization's Actions usage metrics.

  1. On , navigate to the main page of the repository.

  2. Under your repository name, click Insights.

    Screenshot of the main page of a repository. In the horizontal navigation bar, a tab, labeled with a graph icon and "Insights," is outlined in orange.

  3. In the left sidebar, click Dependency graph.

    Screenshot of the "Dependency graph" tab. The tab is highlighted with an orange outline.

  4. Under "Dependency graph", click Dependabot.

  5. To the right of the name of the manifest file that you're interested in, click Recent update jobs.

  6. To the right of the affected manifest file, click Check for updates to re-run a Dependabot version updates job and check for new updates to dependencies for that ecosystem.

  1. On , navigate to the main page of the repository.
  2. Under your repository name, click Security.
  3. In the left sidebar, under "Vulnerability alerts", click Dependabot.
  4. Under "Dependabot", click the alert you want to view.
  5. In the section displaying the error details for the alert, click Try again to re-run the Dependabot security updates job.