Dependabot on Self Hosted Runners for GHEC and FPT - [GA] (#50362)
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com>
@@ -33,34 +33,13 @@ Before you configure self-hosted runners for {% data variables.product.prodname_
## Configuring self-hosted runners for {% data variables.product.prodname_dependabot_updates %}
After you configure {% data variables.location.product_location %} to use {% data variables.product.prodname_actions %}, you need to add self-hosted runners for {% data variables.product.prodname_dependabot_updates %}.
## # System requirements for {% data variables.product.prodname_dependabot %} runners
### System requirements for {% data variables.product.prodname_dependabot %} runners
Any VM that you use for {% data variables.product.prodname_dependabot %} runners must meet the requirements for self-hosted runners. In addition, they must meet the following requirements.
- Linux operating system
- x64 architecture
- Docker installed with access for the runner users:
- We recommend installing Docker in rootless mode and configuring the runners to access Docker without `root` privileges.
- Alternatively, install Docker and give the runner users raised privileges to run Docker.
The CPU and memory requirements will depend on the number of concurrent runners you deploy on a given VM. As guidance, we have successfully set up 20 runners on a single 2 CPU 8GB machine, but ultimately, your CPU and memory requirements will heavily depend on the repositories being updated. Some ecosystems will require more resources than others.
If you specify more than 14 concurrent runners on a VM, you must also update the Docker `/etc/docker/daemon.json` configuration to increase the default number of networks Docker can create.
```json
{
"default-address-pools": [
{"base":"10.10.0.0/16","size":24}
]
}
```
{% data reusables.dependabot.dependabot-runners-system-requirements %}
### Network requirements for {% data variables.product.prodname_dependabot %} runners
{% data variables.product.prodname_dependabot %} runners require access to the public internet, {% data variables.product.prodname_dotcom_the_website %}, and any internal registries that will be used in {% data variables.product.prodname_dependabot %} updates. To minimize the risk to your internal network, you should limit access from the Virtual Machine (VM) to your internal network. This reduces the potential for damage to internal systems if a runner were to download a hijacked dependency.
{% data reusables.dependabot.dependabot-runners-network-requirements %}
### Certificate configuration for {% data variables.product.prodname_dependabot %} runners
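Review bot: the requirement text this hunk deletes (the Linux/x64/Docker list with the rootless-Docker recommendation, the note that more than 14 concurrent runners needs a wider `default-address-pools` entry in `/etc/docker/daemon.json`, and the advice to limit the VM's reach into the internal network so a hijacked dependency cannot pivot further) is replaced by the reusables `dependabot-runners-system-requirements` and `dependabot-runners-network-requirements`, which are not part of this diff. Please confirm the reusables carry the daemon.json snippet and the network-isolation rationale, otherwise the GHES page loses the only place those hardening details were documented.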
@@ -81,4 +60,4 @@ If your {% data variables.product.prodname_ghe_server %} instance uses a self-si
1. Assign a `dependabot` label to each runner you want {% data variables.product.prodname_dependabot %} to use. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner)."
1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see "[AUTOTITLE](/admin/github-actions/advanced-configuration-and-troubleshooting/troubleshooting-github-actions-for-your-enterprise#enabling-workflows-triggered-by-dependabot-access-to-dependabot-secrets-and-increased-permissions)."
1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see "[AUTOTITLE](/admin/github-actions/advanced-configuration-and-troubleshooting/troubleshooting-github-actions-for-your-enterprise#providing-workflows-triggered-by-dependabot-access-to-secrets-and-increased-permissions)."
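Review bot: only the anchor fragment of the troubleshooting link changes here (`#enabling-workflows-triggered-by-dependabot-access-to-dependabot-secrets-and-increased-permissions` to `#providing-workflows-triggered-by-dependabot-access-to-secrets-and-increased-permissions`); the heading rename in the target article is not in this diff, so check that the new fragment matches a heading id there, otherwise the link silently lands at the top of the page.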
@@ -914,15 +914,6 @@ You can give {% data variables.product.prodname_dependabot %} access to private
- Yarn
{% endnote %}
{% else %}
{% note %}
**Note:** Private registries behind firewalls on private networks are not supported.
{% endnote %}
{% endif %}
The value of the `registries` key is an associative array, each element of which consists of a key that identifies a particular registry and a value which is an associative array that specifies the settings required to access that registry. The following `dependabot.yml` file configures a registry identified as `dockerhub` in the `registries` section of the file and then references this in the `updates` section of the file.
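Review bot: the `{% else %}` branch carrying the note "Private registries behind firewalls on private networks are not supported" appears to be what this hunk drops (15 lines to 6), and that is right, because this same commit adds the managing-dependabot-on-self-hosted-runners article which makes the statement false. If any version of the note survives, reword it to say private-network registries require running Dependabot on self-hosted runners and link to the new article; also confirm the `{% ifversion %}` opening this block above the hunk still pairs with exactly one `{% endif %}` once the branch is gone.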
@@ -1,7 +1,7 @@
---
title: About Dependabot on GitHub Actions runners
intro: 'Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} allows for better performance, and increased visibility and control of {% data variables.product.prodname_dependabot %} jobs.'
shortTitle: Dependabot on Actions
shortTitle: About Dependabot on Actions
permissions: 'Organization owners and repository administrators can enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}.'
versions:
feature: dependabot-on-actions-opt-in
@@ -23,23 +23,21 @@ topics:
Using {% data variables.product.prodname_actions %} runners allows you to more easily identify {% data variables.product.prodname_dependabot %} job errors and manually detect and troubleshoot failed runs. You can also integrate {% data variables.product.prodname_dependabot %} into your CI/CD pipelines by using {% data variables.product.prodname_actions %} APIs and webhooks to detect {% data variables.product.prodname_dependabot %} job status such as failed runs, and perform downstream processing. For more information, see "[AUTOTITLE](/rest/actions)" and "[AUTOTITLE](/webhooks/webhook-events-and-payloads)."
You cannot run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} on self-hosted runners or {% data variables.actions.hosted_runners %}. Using private networking with an Azure Virtual Network (VNET) or Actions Runner Controller (ARC) is not supported.
You can run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} on self-hosted and {% data variables.actions.hosted_runners %}. However, using private networking with an Azure Virtual Network (VNET) or Actions Runner Controller (ARC) is not supported.
Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_dotcom %}-hosted runners runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."
Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_dotcom %}-hosted and self-hosted runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."
Enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} may increase the number of concurrent jobs run in your account. If required, customers on enterprise plans can request a higher limit for concurrent jobs. For more information, contact us through the {% data variables.contact.contact_support_portal %}, or contact your sales representative.
If you are transitioning to using {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that {% data variables.product.prodname_dependabot %} uses, you should update your allowlist to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses sourced from the meta API endpoint. For more information, see "[AUTOTITLE](/rest/meta)."
{% ifversion ghec %}
When you enforce a policy to allow actions and reusable workflows from only in your enterprise, and you enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will not run. To enable {% data variables.product.prodname_dependabot %} to run with your enterprise actions and reusable workflows, you should choose either to allow actions created by {% data variables.product.prodname_dotcom %}, or allow specified actions and reusable workflows. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run)."
{% endif %}
{% data reusables.dependabot.dependabot-on-actions-enterprise-policy-condition %}
## Enabling or disabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners
New repositories that you create in your user account or in your organization will automatically be configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} if any of the following is true:
- {% data variables.product.prodname_dependabot %} is installed and enabled, and {% data variables.product.prodname_actions %} is enabled and in use.
- The "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners" setting for your organization is enabled.
- The "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners" setting for your organization is enabled.
For existing repositories, you can opt in to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} as follows.
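Review bot: the paragraph beginning "If you are transitioning to using Dependabot on GitHub Actions runners" still tells admins to allow-list the GitHub-hosted runner IP addresses from the meta API, but the rewritten sentence two paragraphs above now says Dependabot also runs on self-hosted runners, whose outbound traffic comes from your own network rather than those ranges. Add a sentence that on self-hosted runners the allow list should hold the runners' own egress addresses, and cross-link the new self-hosted article. The rewritten billing sentence ("GitHub-hosted and self-hosted runners **does not** count towards your included GitHub Actions minutes") is true but odd for self-hosted runners, which never consume included minutes; consider scoping it to GitHub-hosted runners.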
@@ -47,9 +45,9 @@ Future releases of {% data variables.product.product_name %} will remove the abi
If you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses prior to enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners. You can update your IP allow list to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses (instead of the {% data variables.product.prodname_dependabot %} IP addresses), sourced from the [meta](/rest/meta) REST API endpoint.
>[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. In a future release, you will be able to use a self-hosted runner or {% data variables.actions.hosted_runner %} to ensure greater control over your network access.
>[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners)."
Note, disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners" settings will not trigger a new {% data variables.product.prodname_dependabot %} run.
Note, disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners" settings will not trigger a new {% data variables.product.prodname_dependabot %} run.
### Enabling or disabling for your repository
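Review bot: the first paragraph in this hunk instructs readers to put the GitHub-hosted runner IP addresses into their allow list, and the warning directly beneath it says those same addresses are shared with other GitHub customers and must not be trusted for authentication, then points to self-hosted runners instead; read together the two contradict each other. Suggest reframing the first paragraph so the Actions ranges are presented only as a reachability setting for GitHub-hosted runners, with a self-hosted runner (fixed egress under your control) as the recommended path for registries that gate on source IP.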
@@ -58,7 +56,10 @@ You can manage {% data variables.product.prodname_dependabot %} on {% data varia
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners", click **Enable** to enable the feature or **Disable** to disable it.
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% endif %}
1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners", click **Enable** to enable the feature or **Disable** to disable it.
### Enabling or disabling for your organization
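Review bot: the `{% ifversion security-configurations %}` callout is inserted between the `navigate-to-code-security-and-analysis` reusable and the `1.` step; if that reusable renders as list items, a plain paragraph between them can end the list and restart numbering at the following `1.`, so check the rendered output and, if needed, indent the callout as list-item content. The same ordering recurs in the organization hunk below.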
@@ -72,7 +73,10 @@ If a repository in your organization has {% data variables.product.prodname_depe
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners", click **Enable all** to enable the feature or **Disable all** to disable it.
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% endif %}
1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners", click **Enable all** to enable the feature or **Disable all** to disable it.
## Managing {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners
@@ -1,6 +1,6 @@
---
title: Configuring access to private registries for Dependabot
intro: 'You can configure {% data variables.product.prodname_dependabot %} to access dependencies stored in private registries. You can store authentication information, like passwords and access tokens, as encrypted secrets and then reference these in the {% data variables.product.prodname_dependabot %} configuration file.{% ifversion fpt or ghec %} You can also add {% data variables.product.prodname_dependabot %} to your registries IP allow list.{% endif %}'
intro: 'You can configure {% data variables.product.prodname_dependabot %} to access dependencies stored in private registries. You can store authentication information, like passwords and access tokens, as encrypted secrets and then reference these in the {% data variables.product.prodname_dependabot %} configuration file.{% ifversion dependabot-on-actions-self-hosted %} If you have registries on private networks, you can also configure {% data variables.product.prodname_dependabot %} access when running {% data variables.product.prodname_dependabot %} on self-hosted runners.{% endif %}'
redirect_from:
- /github/administering-a-repository/managing-encrypted-secrets-for-dependabot
- /code-security/supply-chain-security/managing-encrypted-secrets-for-dependabot
@@ -30,6 +30,8 @@ In most ecosystems, private dependencies are usually published to private packag
For specific ecosystems, you can configure {% data variables.product.prodname_dependabot %} to access _only_ private registries by removing calls to public registries. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries)."
{% endif %}
{% ifversion dependabot-on-actions-self-hosted %}To allow {% data variables.product.prodname_dependabot %} access to registries hosted privately or restricted to internal networks, configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners)."{% endif %}
## Configuring private registries
You configure {% data variables.product.prodname_dependabot %}'s access to private registries in the `dependabot.yml` file.
@@ -108,12 +110,12 @@ When creating a secret in an organization, you can use a policy to limit which r
The name of the secret is listed on the {% data variables.product.prodname_dependabot %} secrets page. You can click **Update** to change the secret value or its access policy. You can click **Remove** to delete the secret.
{% ifversion fpt or ghec %}
{% ifversion dependabot-on-actions-self-hosted %}
## Configuring firewall IP rules
You can add {% data variables.product.prodname_dependabot %} to your registries IP allow list.
You can add {% data variables.product.prodname_dependabot %}-related IP addresses to your registries IP allow list.
If your private registry is configured with an IP allow list, you can find the IP addresses {% data variables.product.prodname_dependabot %} uses to access the registry in the meta API endpoint, under the `dependabot` key. For more information, see "[AUTOTITLE](/rest/meta)."
If your private registry is configured with an IP allow list, you can find the IP addresses {% data variables.product.prodname_dependabot %} uses to access the registry in the meta API endpoint, under the `dependabot` key. If you run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners, you should instead use the IP addresses under the `actions` key. For more information, see "[AUTOTITLE](/rest/meta/meta)" and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
{% endif %}
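Review bot: the new sentence "If you run Dependabot on GitHub Actions self-hosted runners, you should instead use the IP addresses under the `actions` key" is incorrect for self-hosted runners: the `actions` key lists GitHub-hosted runner ranges, while a self-hosted runner reaches the registry from your own network's egress addresses, which are what the registry allow list actually needs. The `actions` ranges apply to GitHub-hosted runners only, and the warning elsewhere in this commit already says they are shared and must not be used for authentication, so reword this to distinguish the two cases. The link target also changes from `/rest/meta` to `/rest/meta/meta`; confirm that path resolves.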
@@ -45,6 +45,8 @@ You'll also find recommendations for the setup of the following registry hosts:
- [Nexus](#nexus)
- [ProGet](#proget)
{% data reusables.dependabot.dependabot-on-actions-self-hosted-link %}
## Configuring package managers
### Bundler
@@ -16,6 +16,7 @@ topics:
children:
- /managing-pull-requests-for-dependency-updates
- /about-dependabot-on-github-actions-runners
- /managing-dependabot-on-self-hosted-runners
- /automating-dependabot-with-github-actions
- /keeping-your-actions-up-to-date-with-dependabot
- /configuring-access-to-private-registries-for-dependabot
@@ -0,0 +1,101 @@
---
title: Managing Dependabot on self-hosted runners
intro: 'You can configure {% data variables.product.prodname_actions %} self-hosted runners that {% data variables.product.prodname_dependabot %} uses to access your private registries and internal network resources.'
shortTitle: Manage Dependabot on self-hosted runners
permissions: 'Organization owners and repository administrators can configure {% data variables.product.prodname_dependabot %} to run on self-hosted runners.'
versions:
feature: dependabot-on-actions-self-hosted
type: how_to
topics:
- Dependabot
- Security updates
- Version updates
- Actions
- Dependencies
- Repositories
---
{% data reusables.dependabot.dependabot-on-actions-opt-in-note %}
## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners
You can help users of your organization and repositories to create and maintain secure code by setting up {% data variables.product.prodname_dependabot %} security and version updates. With {% data variables.product.prodname_dependabot_updates %}, developers can configure repositories so that their dependencies are updated and kept secure automatically. Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} allows for better performance, and increased visibility and control of {% data variables.product.prodname_dependabot %} jobs.
To have greater control over {% data variables.product.prodname_dependabot %} access to your private registries and internal network resources, you can configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners.
For security reasons, when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners, {% data variables.product.prodname_dependabot_updates %} will not be run on public repositories.
For more information about configuring {% data variables.product.prodname_dependabot %} access to private registries when using {% data variables.product.company_short %}-hosted runners, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot)." For information about which ecosystems are supported as private registries, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries)."
## Prerequisites
You must have {% data variables.product.prodname_dependabot %} installed and enabled, and {% data variables.product.prodname_actions %} enabled and in use. The "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners" setting for your organization should also be enabled. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
If {% data variables.product.prodname_actions %} is not enabled for your organization or repository, then the organization or repository level setting to enable "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners" will not be visible in the web UI.
Your organization may have configured a policy to restrict actions and self-hosted runners from running in specific repositories, which in turn will not allow {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. In this case, the organization or repository level setting to enable "{% data variables.product.prodname_dependabot %} on self-hosted runners" will not be visible in the web UI. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)."
{% data reusables.dependabot.dependabot-on-actions-enterprise-policy-condition %}
## Configuring self-hosted runners for {% data variables.product.prodname_dependabot_updates %}
After you configure your organization or repository to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}, and before you enable {% data variables.product.prodname_dependabot %} on self-hosted runners, you need to configure self-hosted runners for {% data variables.product.prodname_dependabot_updates %}.
### System requirements for {% data variables.product.prodname_dependabot %} runners
{% data reusables.dependabot.dependabot-runners-system-requirements %}
### Network requirements for {% data variables.product.prodname_dependabot %} runners
{% data reusables.dependabot.dependabot-runners-network-requirements %}
### Certificate configuration for {% data variables.product.prodname_dependabot %} runners
If {% data variables.product.prodname_dependabot %} needs to interact with registries that use self-signed certificates, those certificates must also be installed on the self-hosted runners that run {% data variables.product.prodname_dependabot %} jobs. This security hardens the connection. You must also configure Node.js to use the certificate, because most actions are written in JavaScript and run using Node.js, which does not use the operating system certificate store.
### Adding self-hosted runners for {% data variables.product.prodname_dependabot %} updates
1. Provision self-hosted runners, at the repository or organization level. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)."
1. Set up the self-hosted runners with the requirements described above. For example, on a VM running Ubuntu 20.04 you would:
- Install Docker and ensure that the runner users have access to Docker. For more information, see the Docker documentation.
- [Install Docker Engine on Ubuntu](https://docs.docker.com/engine/install/ubuntu/)
- Recommended approach: [Run the Docker daemon as a non-root user (Rootless mode)](https://docs.docker.com/engine/security/rootless/)
- Alternative approach: [Manage Docker as a non-root user](https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user)
- Verify that the runners have access to the public internet and can only access the internal networks that {% data variables.product.prodname_dependabot %} needs.
- Install any self-signed certificates for registries that {% data variables.product.prodname_dependabot %} will need to interact with.
1. Assign a `dependabot` label to each runner you want {% data variables.product.prodname_dependabot %} to use. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner)."
1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events)."
## Enabling self-hosted runners for {% data variables.product.prodname_dependabot_updates %}
Once you have configured self-hosted runners for {% data variables.product.prodname_dependabot_updates %}, you can enable or disable {% data variables.product.prodname_dependabot_updates %} on self-hosted runners at the organization or repository level.
Note, disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on self-hosted runners" settings will not trigger a new {% data variables.product.prodname_dependabot %} run.
### Enabling or disabling for your repository
You can manage {% data variables.product.prodname_dependabot %} on self-hosted runners for your {% ifversion ghec %}private or internal{% else %}private{% endif %} repository.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling {% data variables.product.prodname_dependabot %} on on self-hosted runners and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% endif %}
1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_dependabot %} on self-hosted runners", click **Enable** to enable the feature or **Disable** to disable it.
### Enabling or disabling for your organization
You can use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_dependabot %} on self-hosted runners for all existing {% ifversion ghec %}private or internal{% else %}private{% endif %} repositories in an organization. Only repositories already configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} will be updated to run {% data variables.product.prodname_dependabot %} on self-hosted runners the next time a {% data variables.product.prodname_dependabot %} job is triggered.
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling {% data variables.product.prodname_dependabot %} on on self-hosted runners and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% endif %}
1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_dependabot %} on self-hosted runners", click **Enable all** to enable the feature or **Disable all** to disable it.
1. Optionally, select **Automatically enable for new repositories** to enable {% data variables.product.prodname_dependabot %} on self-hosted runners by default for your organization's new repositories.
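Review bot: "enabling {% data variables.product.prodname_dependabot %} on on self-hosted runners" in the security-configurations callout sentence has a doubled "on", and the same sentence is pasted unchanged into both the repository and the organization parts of this hunk, so the typo appears twice; drop one "on" in both copies. The two copies also differ only in that one is preceded by the per-repository **Enable**/**Disable** step and the other by **Enable all**/**Disable all**, which is the intended distinction, so no other change is needed there.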
@@ -17,6 +17,8 @@ redirect_from:
{% data reusables.dependabot.private-registry-support %} For more information about private registry support and configuration, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot)." {% data reusables.dependabot.advanced-private-registry-config-link %}
{% data reusables.dependabot.dependabot-on-actions-self-hosted-link %}
You can configure {% data variables.product.prodname_dependabot %} to access _only_ private registries by removing calls to public registries. This can only be configured for the ecosystems listed in this article.
{% ifversion dependabot-ghes-no-public-internet %}
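Review bot: the new `{% data reusables.dependabot.dependabot-on-actions-self-hosted-link %}` line lands between the private-registry support paragraph and the sentence about configuring {% data variables.product.prodname_dependabot %} to access only private registries, which splits a single thought about registry configuration. Since the reusable's own text sells self-hosted runners as the way to get "greater control over access to your private registries and internal network resources", it reads more naturally after the "access _only_ private registries" sentence, where the reader has just learned that public registry calls can be removed. Either move it down one paragraph or keep it here and start it with a connecting phrase.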
@@ -31,7 +31,7 @@ You can customize several {% data variables.product.prodname_global_settings %}
- [Creating and managing {% data variables.dependabot.auto_triage_rules %}](#creating-and-managing-dependabot-auto-triage-rules)
- [Grouping {% data variables.product.prodname_dependabot %} security updates](#grouping-dependabot-security-updates){% ifversion fpt or ghec %}
- [Enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.company_short %}-hosted runners](#enabling-dependabot-on-github-hosted-runners){% endif %}{% ifversion fpt %}
- [Enabling dependency updates on {% data variables.product.prodname_actions %} runners](#enabling-dependency-updates-on-github-actions-runners){% endif %}{% ifversion fpt %}
- [Granting {% data variables.product.prodname_dependabot %} access to private repositories](#granting-dependabot-access-to-private-repositories){% else %}
- [Granting {% data variables.product.prodname_dependabot %} access to private and internal repositories](#granting-dependabot-access-to-private-and-internal-repositories){% endif %}
@@ -49,9 +49,11 @@ For more information on {% data variables.dependabot.auto_triage_rules %}, see "
{% ifversion fpt or ghec %}
### Enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.company_short %}-hosted runners
### Enabling dependency updates on {% data variables.product.prodname_actions %} runners
You can allow {% data variables.product.prodname_dependabot %} to use {% data variables.product.company_short %}-hosted runners and the {% data variables.product.prodname_dependabot %} action to perform dependency updates. To enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on all repositories in your organization, click **Enable all**. To automatically enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on new repositories in your organization, select **Automatically enable for new repositories**. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
You can allow {% data variables.product.prodname_dependabot %} to use {% data variables.product.prodname_actions %} runners and the {% data variables.product.prodname_dependabot %} action to perform dependency updates. To enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on all repositories in your organization, click **Enable all**. To automatically enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on new repositories in your organization, select **Automatically enable for new repositories**. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
{% data reusables.dependabot.dependabot-on-actions-self-hosted-link %}
{% endif %}
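Review bot: the rewritten paragraph only changes its first sentence to "{% data variables.product.prodname_actions %} runners"; the second and third sentences still say "To enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners ... click **Enable all**" and "To automatically enable ... for {% data variables.product.company_short %}-hosted runners ...", while the heading above it is now "Enabling dependency updates on {% data variables.product.prodname_actions %} runners". Readers will wonder whether **Enable all** also covers self-hosted runners or only {% data variables.product.company_short %}-hosted ones. Either reword the second and third sentences to match the first, or keep "{% data variables.product.company_short %}-hosted" throughout and let the appended `{% data reusables.dependabot.dependabot-on-actions-self-hosted-link %}` line carry the self-hosted case explicitly. The new heading's anchor, `#enabling-dependency-updates-on-github-actions-runners`, does match the updated list entry in the earlier hunk.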
4
data/features/dependabot-on-actions-self-hosted.yml
Normal file
@@ -0,0 +1,4 @@
# Reference: Issue #13695 Dependabot on Actions on GHEC and FPT [GA]
versions:
fpt: '*'
ghec: '*'
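Review bot: this feature file lists only `fpt` and `ghec`, so everything guarded by `{% ifversion dependabot-on-actions-self-hosted %}` renders as nothing on GHES. The comment line names the tracking issue and says "GHEC and FPT [GA]", which is enough to infer that the missing `ghes` key is deliberate, but a second comment stating that plainly (for example that GHES is intentionally excluded from this flag) would stop a later contributor from "completing" the file by adding `ghes`.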
@@ -0,0 +1,3 @@
{% ifversion ghec %}
When you enforce a policy to only allow actions and reusable workflows from your enterprise, and you enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will not run. To enable {% data variables.product.prodname_dependabot %} to run with your enterprise actions and reusable workflows, you should choose either to allow actions created by {% data variables.product.prodname_dotcom %}, or allow specified actions and reusable workflows. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run)."
{% endif %}
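Review bot: the paragraph tells enterprise owners that {% data variables.product.prodname_dependabot %} "will not run" under an enterprise-only actions policy and offers "allow specified actions and reusable workflows" as a fix, but never names which action has to be allowed. The paragraph in the other file in this change refers to "the {% data variables.product.prodname_dependabot %} action" as the thing that performs dependency updates; say here that it is that action the policy is blocking, so the "allow specified actions" option is actionable rather than a dead end. The linked AUTOTITLE page may explain the mechanics, but the reader should not have to leave this paragraph to learn what to allow.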
@@ -0,0 +1,3 @@
{% ifversion dependabot-on-actions-self-hosted %}
To have greater control over {% data variables.product.prodname_dependabot %}'s access to your private registries and internal network resources, you can configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)" and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners)."
{% endif %}
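Review bot: the `{% ifversion dependabot-on-actions-self-hosted %}` guard is doing real work only at the private-registries call site; the other call site in this change already sits inside `{% ifversion fpt or ghec %}`, and the feature file covers exactly `fpt` and `ghec`, so the nesting is redundant there. That is fine, but a one-line comment in this reusable saying that it is self-guarded (so callers need not wrap it) would prevent the duplicate guard from being "tidied" into a missing one later.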
@@ -0,0 +1 @@
{% data variables.product.prodname_dependabot %} runners require access to the public internet, {% data variables.product.prodname_dotcom_the_website %}, and any internal registries that will be used in {% data variables.product.prodname_dependabot_updates %}. To minimize the risk to your internal network, you should limit access from the Virtual Machine (VM) to your internal network. This reduces the potential for damage to internal systems if a runner were to download a hijacked dependency.
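Review bot: "you should limit access from the Virtual Machine (VM) to your internal network" states the goal but not the mechanism, and the first sentence of the same paragraph has just said the runners need access to "any internal registries that will be used", so the two sentences read as asking for both reach into and isolation from the internal network. Say that the limit means allowing only the registries (and {% data variables.product.prodname_dotcom_the_website %} plus the public internet) and nothing else on the internal network, which also makes the "hijacked dependency" rationale concrete. Minor: the system-requirements reusable added in this same change writes "virtual machine (VM)" in lower case; align the casing.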
@@ -0,0 +1,20 @@
Any virtual machine (VM) that you use for {% data variables.product.prodname_dependabot %} runners must meet the requirements for self-hosted runners. In addition, they must meet the following requirements.
- Linux operating system
- x64 architecture
- Docker installed with access for the runner users:
- We recommend installing Docker in rootless mode and configuring the runners to access Docker without `root` privileges.
- Alternatively, install Docker and give the runner users raised privileges to run Docker.
The CPU and memory requirements will depend on the number of concurrent runners you deploy on a given VM. As guidance, we have successfully set up 20 runners on a single 2 CPU 8GB machine, but ultimately, your CPU and memory requirements will heavily depend on the repositories being updated. Some ecosystems will require more resources than others.
If you specify more than 14 concurrent runners on a VM, you must also update the Docker `/etc/docker/daemon.json` configuration to increase the default number of networks Docker can create.
```json
{
"default-address-pools": [
{"base":"10.10.0.0/16","size":24}
]
}
```
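Review bot: "Alternatively, install Docker and give the runner users raised privileges to run Docker" does not say which privileges, while the preferred option just above it is explicit about avoiding `root`; state what the alternative grants and that it is the less safe of the two choices, otherwise the bullet reads as an equal option rather than a fallback. The `daemon.json` snippet is introduced only as a way to "increase the default number of networks" with no explanation of how `"base":"10.10.0.0/16"` and `"size":24` relate to the 14-concurrent-runner threshold, and nothing says the address range is an example; add a sentence on what the two fields mean and that the range should be chosen so it does not collide with addresses the runner must reach (the networking reusable in this same change requires access to internal registries). Since the page recommends rootless Docker, also confirm that `/etc/docker/daemon.json` is the file a rootless daemon reads, or say where its configuration lives. Minor grammar: "Any virtual machine (VM) ... must meet ... In addition, they must meet" mixes singular and plural; use "it must meet".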