Clarify Dependabot is exempt from IP allow list enforcement

emisanada · Copilot · emisanada · commit 438203179198 · 2026-06-04T16:10:11.000-07:00
Dependabot is a first-party GitHub App with explicit IP allow list exemption. Update docs to accurately state that Dependabot can access repositories regardless of IP allow list configuration. Addresses: github/enterprise-primitives#5258 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/data/reusables/dependabot/ip-allow-list-dependabot.md b/data/reusables/dependabot/ip-allow-list-dependabot.md
@@ -1,7 +1,7 @@
-By default, dynamically provisioned {% data variables.product.github %}-hosted runners do not guarantee static IP addresses. This includes the runners that are used by default with {% data variables.product.prodname_dependabot %}.
+{% data variables.product.prodname_dependabot %} is a first-party {% data variables.product.github %} App whose repository access is exempt from IP allow list restrictions. This means {% data variables.product.prodname_dependabot %} can read dependency files and create pull requests regardless of your IP allow list configuration, even when running on standard {% data variables.product.github %}-hosted runners.
 
-If you use an IP allow list and {% data variables.product.prodname_dependabot %}, you must set up a self-hosted runner or enable {% data variables.product.prodname_dependabot %} for use with {% data variables.actions.hosted_runners %}. See [AUTOTITLE](/actions/concepts/runners/about-self-hosted-runners) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners).
+If your {% data variables.product.prodname_dependabot %} workflows require predictable, static IP addresses for other reasons (for example, to access private registries behind a firewall), you should set up a self-hosted runner or enable {% data variables.product.prodname_dependabot %} for use with {% data variables.actions.hosted_runners %}. See [AUTOTITLE](/actions/concepts/runners/about-self-hosted-runners) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners).
 
-Additionally, to learn more about setting up a {% data variables.actions.hosted_runners %} with a static IP address configured, see [AUTOTITLE](/actions/concepts/runners/about-larger-runners).
+Additionally, to learn more about setting up {% data variables.actions.hosted_runners %} with a static IP address configured, see [AUTOTITLE](/actions/concepts/runners/about-larger-runners).
 
 To allow your self-hosted runners or {% data variables.actions.hosted_runners %} to communicate with {% data variables.product.github %}, add the IP address or IP address range of your runners to the IP allow list that you have configured for your enterprise.
