From 4ca5e1fc366d3a236337dc084aadec0f5bd42a9c Mon Sep 17 00:00:00 2001 From: Gabriela Sanada Date: Thu, 4 Jun 2026 12:34:22 -0700 Subject: [PATCH 1/3] Clarify Dependabot IP allow list bypass behavior Add a warning note that Dependabot runs on standard GitHub-hosted runners may succeed despite an IP allow list being enabled, and that this behavior is not guaranteed or supported. This addresses customer confusion documented in github/enterprise-primitives#5258 where a Dependabot run succeeded on a GitHub-hosted runner while the organization IP allow list was enabled. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- data/reusables/dependabot/ip-allow-list-dependabot.md | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 data/reusables/dependabot/ip-allow-list-dependabot.md diff --git a/data/reusables/dependabot/ip-allow-list-dependabot.md b/data/reusables/dependabot/ip-allow-list-dependabot.md new file mode 100644 index 000000000000..98fc6d238519 --- /dev/null +++ b/data/reusables/dependabot/ip-allow-list-dependabot.md @@ -0,0 +1,10 @@ +By default, dynamically provisioned {% data variables.product.github %}-hosted runners do not guarantee static IP addresses. This includes the runners that are used by default with {% data variables.product.prodname_dependabot %}. + +> [!WARNING] +> In some cases, {% data variables.product.prodname_dependabot %} runs on standard {% data variables.product.github %}-hosted runners may succeed despite an IP allow list being enabled. This behavior is not guaranteed, not documented as supported, and may be changed or patched at any time without notice. Do not rely on this behavior for your security posture. + +If you use an IP allow list and {% data variables.product.prodname_dependabot %}, you must set up a self-hosted runner or enable {% data variables.product.prodname_dependabot %} for use with {% data variables.actions.hosted_runners %}. See [AUTOTITLE](/actions/concepts/runners/about-self-hosted-runners) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners). + +Additionally, to learn more about setting up a {% data variables.actions.hosted_runners %} with a static IP address configured, see [AUTOTITLE](/actions/concepts/runners/about-larger-runners). + +To allow your self-hosted runners or {% data variables.actions.hosted_runners %} to communicate with {% data variables.product.github %}, add the IP address or IP address range of your runners to the IP allow list that you have configured for your enterprise. From 4ebb6c338403e2150205d555e29f55ae15fa5317 Mon Sep 17 00:00:00 2001 From: Gabriela Sanada Date: Thu, 4 Jun 2026 12:55:42 -0700 Subject: [PATCH 2/3] Clarify Dependabot IP allow list exemption behavior Dependabot is a first-party GitHub App that is explicitly exempt from IP allow list enforcement. Update the docs to accurately reflect this: - Dependabot's own repo access (reading deps, creating PRs) is exempt - Additional workflow steps using GITHUB_TOKEN may still be blocked - Self-hosted/larger runners are only needed for those additional steps Previously the docs implied Dependabot would be blocked entirely by IP allow lists, which does not match the actual implementation. Addresses: github/enterprise-primitives#5258 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- data/reusables/dependabot/ip-allow-list-dependabot.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/data/reusables/dependabot/ip-allow-list-dependabot.md b/data/reusables/dependabot/ip-allow-list-dependabot.md index 98fc6d238519..fb2032346108 100644 --- a/data/reusables/dependabot/ip-allow-list-dependabot.md +++ b/data/reusables/dependabot/ip-allow-list-dependabot.md @@ -1,9 +1,8 @@ -By default, dynamically provisioned {% data variables.product.github %}-hosted runners do not guarantee static IP addresses. This includes the runners that are used by default with {% data variables.product.prodname_dependabot %}. +{% data variables.product.prodname_dependabot %} is a first-party {% data variables.product.github %} App whose access to repositories is exempt from IP allow list restrictions. This means {% data variables.product.prodname_dependabot %} can read repository contents and create pull requests regardless of your IP allow list configuration. -> [!WARNING] -> In some cases, {% data variables.product.prodname_dependabot %} runs on standard {% data variables.product.github %}-hosted runners may succeed despite an IP allow list being enabled. This behavior is not guaranteed, not documented as supported, and may be changed or patched at any time without notice. Do not rely on this behavior for your security posture. +However, if your {% data variables.product.prodname_dependabot %} workflows include additional steps that use the `GITHUB_TOKEN` or other tokens to make API calls, those steps may still be subject to IP allow list enforcement. In that case, dynamically provisioned {% data variables.product.github %}-hosted runners do not guarantee static IP addresses, so those calls may fail. -If you use an IP allow list and {% data variables.product.prodname_dependabot %}, you must set up a self-hosted runner or enable {% data variables.product.prodname_dependabot %} for use with {% data variables.actions.hosted_runners %}. See [AUTOTITLE](/actions/concepts/runners/about-self-hosted-runners) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners). +If your {% data variables.product.prodname_dependabot %} workflows need to make additional authenticated API calls beyond what {% data variables.product.prodname_dependabot %} itself performs, you must set up a self-hosted runner or enable {% data variables.product.prodname_dependabot %} for use with {% data variables.actions.hosted_runners %}. See [AUTOTITLE](/actions/concepts/runners/about-self-hosted-runners) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners). Additionally, to learn more about setting up a {% data variables.actions.hosted_runners %} with a static IP address configured, see [AUTOTITLE](/actions/concepts/runners/about-larger-runners). From 88f43730c0518297a9a375b3b689caf7d926ac39 Mon Sep 17 00:00:00 2001 From: Gabriela Sanada Date: Thu, 4 Jun 2026 13:17:47 -0700 Subject: [PATCH 3/3] Clarify Dependabot is exempt from IP allow list enforcement Dependabot is a first-party GitHub App with explicit IP allow list exemption. Update docs to: - State clearly that Dependabot repo access is exempt from IP allow lists - Remove misleading guidance that self-hosted runners are required - Keep self-hosted/larger runner guidance for other use cases (e.g., accessing private registries behind firewalls) Addresses: github/enterprise-primitives#5258 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- data/reusables/dependabot/ip-allow-list-dependabot.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/data/reusables/dependabot/ip-allow-list-dependabot.md b/data/reusables/dependabot/ip-allow-list-dependabot.md index fb2032346108..5e12ff0e1c01 100644 --- a/data/reusables/dependabot/ip-allow-list-dependabot.md +++ b/data/reusables/dependabot/ip-allow-list-dependabot.md @@ -1,9 +1,7 @@ -{% data variables.product.prodname_dependabot %} is a first-party {% data variables.product.github %} App whose access to repositories is exempt from IP allow list restrictions. This means {% data variables.product.prodname_dependabot %} can read repository contents and create pull requests regardless of your IP allow list configuration. +{% data variables.product.prodname_dependabot %} is a first-party {% data variables.product.github %} App whose repository access is exempt from IP allow list restrictions. This means {% data variables.product.prodname_dependabot %} can read dependency files and create pull requests regardless of your IP allow list configuration, even when running on standard {% data variables.product.github %}-hosted runners. -However, if your {% data variables.product.prodname_dependabot %} workflows include additional steps that use the `GITHUB_TOKEN` or other tokens to make API calls, those steps may still be subject to IP allow list enforcement. In that case, dynamically provisioned {% data variables.product.github %}-hosted runners do not guarantee static IP addresses, so those calls may fail. +If your {% data variables.product.prodname_dependabot %} workflows require predictable, static IP addresses for other reasons (for example, to access private registries behind a firewall), you should set up a self-hosted runner or enable {% data variables.product.prodname_dependabot %} for use with {% data variables.actions.hosted_runners %}. See [AUTOTITLE](/actions/concepts/runners/about-self-hosted-runners) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners). -If your {% data variables.product.prodname_dependabot %} workflows need to make additional authenticated API calls beyond what {% data variables.product.prodname_dependabot %} itself performs, you must set up a self-hosted runner or enable {% data variables.product.prodname_dependabot %} for use with {% data variables.actions.hosted_runners %}. See [AUTOTITLE](/actions/concepts/runners/about-self-hosted-runners) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners). - -Additionally, to learn more about setting up a {% data variables.actions.hosted_runners %} with a static IP address configured, see [AUTOTITLE](/actions/concepts/runners/about-larger-runners). +Additionally, to learn more about setting up {% data variables.actions.hosted_runners %} with a static IP address configured, see [AUTOTITLE](/actions/concepts/runners/about-larger-runners). To allow your self-hosted runners or {% data variables.actions.hosted_runners %} to communicate with {% data variables.product.github %}, add the IP address or IP address range of your runners to the IP allow list that you have configured for your enterprise.