Clarify Dependabot is exempt from IP allow list enforcement #44599
emisanada wants to merge 1 commit into
Conversation
Dependabot is a first-party GitHub App with explicit IP allow list exemption. Update docs to accurately state that Dependabot can access repositories regardless of IP allow list configuration. Addresses: github/enterprise-primitives#5258 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Updates Dependabot IP allow list guidance to clarify that Dependabot’s repository access is exempt from IP allow list restrictions, while still advising static IP solutions for workflows that need them.
Changes:
- Replaces runner-IP-focused opening with a statement about Dependabot’s exemption from IP allow list restrictions.
- Reframes the “must use self-hosted/larger runners” guidance as conditional on needing static IPs for other resources (e.g., private registries).
- Minor wording cleanup in the larger runners/static IP sentence.
| File | Description |
|---|---|
| data/reusables/dependabot/ip-allow-list-dependabot.md | Clarifies Dependabot’s IP allow list behavior and refines guidance on when static IP runners are needed. |
Copilot's findings
- Files reviewed: 1/1 changed files
- Comments generated: 1
| @@ -1,7 +1,7 @@ | |||
| By default, dynamically provisioned {% data variables.product.github %}-hosted runners do not guarantee static IP addresses. This includes the runners that are used by default with {% data variables.product.prodname_dependabot %}. | |||
| {% data variables.product.prodname_dependabot %} is a first-party {% data variables.product.github %} App whose repository access is exempt from IP allow list restrictions. This means {% data variables.product.prodname_dependabot %} can read dependency files and create pull requests regardless of your IP allow list configuration, even when running on standard {% data variables.product.github %}-hosted runners. | |||
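Review bot: the replacement line drops the only statement that GitHub-hosted runners do not guarantee static IP addresses, yet the rest of the reusable (per the review summary) still tells readers to use self-hosted or larger runners when they need static IPs for other resources such as private registries; without the dropped sentence, that later guidance has no stated reason. Suggest keeping a short version of the removed fact alongside the new exemption statement, and scoping the exemption precisely: the PR description itself says the interaction between GITHUB_TOKEN in Dependabot workflow steps and IP allow list enforcement is nuanced and that the Actions app has a different exemption scope, so the phrase "even when running on standard GitHub-hosted runners" should make clear it refers to Dependabot's own repository access (reading dependency files, opening pull requests) and not to access performed by workflow steps or to resources outside GitHub.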
Closing — moving to docs-internal per DIY docs guidelines. |
Summary
Updates the Dependabot IP allow list documentation to accurately reflect that Dependabot is a first-party GitHub App whose repository access is exempt from IP allow list restrictions.
Why
The current docs state that customers "must set up a self-hosted runner or enable Dependabot for use with larger runners" when using IP allow lists. This is inaccurate for Dependabot's core operations:
`ip_allowlist_exempt: true` capability
Changes
Rewrites data/reusables/dependabot/ip-allow-list-dependabot.md to:
What this does NOT cover
The interaction between GITHUB_TOKEN in Dependabot workflow steps and IP allow list enforcement is nuanced and not fully documented here. The Actions app has a different exemption scope (ip_allowlist_exempt_for_internal_apis only). This PR focuses solely on clarifying Dependabot's own access, which is unambiguously exempt.
Affected pages
This reusable appears on: