Revert "Revert "Dependabot on Actions (opt-in) - [GA]"" (#50273)
@@ -159,15 +159,7 @@ If any of these services are at or near 100% CPU utilization, or the memory is n
|
||||
|
||||
## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows
|
||||
|
||||
After you set up {% data variables.product.prodname_dependabot %} updates for {% data variables.location.product_location %}, you may see failures when existing workflows are triggered by {% data variables.product.prodname_dependabot %} events.
|
||||
|
||||
By default, {% data variables.product.prodname_actions %} workflow runs that are triggered by {% data variables.product.prodname_dependabot %} from `push`, `pull_request`, `pull_request_review`, or `pull_request_review_comment` events are treated as if they were opened from a repository fork. Unlike workflows triggered by other actors, this means they receive a read-only `GITHUB_TOKEN` and do not have access to any secrets that are normally available. This will cause any workflows that attempt to write to the repository to fail when they are triggered by {% data variables.product.prodname_dependabot %}.
|
||||
|
||||
There are three ways to resolve this problem:
|
||||
|
||||
1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions)."
|
||||
1. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events)."
|
||||
1. You can provide workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and allow the `permissions` term to increase the default scope of the `GITHUB_TOKEN`. For more information, see "[Providing workflows triggered by{% data variables.product.prodname_dependabot %} access to secrets and increased permissions](#providing-workflows-triggered-by-dependabot-access-to-secrets-and-increased-permissions)" below.
|
||||
{% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %} For more information, see "[Providing workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and increased permissions](#providing-workflows-triggered-by-dependabot-access-to-secrets-and-increased-permissions)" below.
|
||||
|
||||
### Providing workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and increased permissions
|
||||
|
||||
|
||||
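Review bot: the trailing "For more information, see ... below." sentence sits on the same line as `{% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %}`, and that reusable ends with the third numbered list item, so the sentence will be absorbed into item 3 or run on after the list. The previous item 3 carried this pointer itself. Put the sentence in its own paragraph after the reusable, or move a pointer into the reusable's last item. The same applies where the reusable is included at the end of the new runners article.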
@@ -50,7 +50,9 @@ You can enable a related feature, {% data variables.product.prodname_dependabot_
|
||||
|
||||
{% data reusables.dependabot.pull-request-security-vs-version-updates %}
|
||||
|
||||
{% data reusables.dependabot.dependabot-updates-and-actions %}
|
||||
{% data reusables.dependabot.dependabot-updates-prs-and-actions %}
|
||||
|
||||
{% ifversion dependabot-on-actions-opt-in %}{% data reusables.dependabot.dependabot-updates-and-actions %} For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."{% endif %}
|
||||
|
||||
{% data reusables.dependabot.dependabot-actions-support %}
|
||||
|
||||
|
||||
@@ -40,7 +40,9 @@ If you enable _security updates_, {% data variables.product.prodname_dependabot
|
||||
|
||||
{% data reusables.dependabot.dependabot-updates-signed-commits %}
|
||||
|
||||
{% data reusables.dependabot.dependabot-updates-and-actions %}
|
||||
{% data reusables.dependabot.dependabot-updates-prs-and-actions %}
|
||||
|
||||
{% ifversion dependabot-on-actions-opt-in %}{% data reusables.dependabot.dependabot-updates-and-actions %} For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."{% endif %}
|
||||
|
||||
{% data reusables.dependabot.dependabot-tos %}
|
||||
|
||||
|
||||
@@ -0,0 +1,104 @@
|
||||
---
|
||||
title: About Dependabot on GitHub Actions runners
|
||||
intro: 'Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} allows for better performance, and increased visibility and control of {% data variables.product.prodname_dependabot %} jobs.'
|
||||
shortTitle: Dependabot on Actions
|
||||
permissions: 'Organization owners and repository administrators can enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}.'
|
||||
versions:
|
||||
feature: dependabot-on-actions-opt-in
|
||||
type: how_to
|
||||
topics:
|
||||
- Dependabot
|
||||
- Security updates
|
||||
- Version updates
|
||||
- Actions
|
||||
- Dependencies
|
||||
- Repositories
|
||||
---
|
||||
|
||||
{% data reusables.dependabot.dependabot-on-actions-opt-in-note %}
|
||||
|
||||
## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners
|
||||
|
||||
{% data reusables.dependabot.dependabot-updates-and-actions %}
|
||||
|
||||
Using {% data variables.product.prodname_actions %} runners allows you to more easily identify {% data variables.product.prodname_dependabot %} job errors and manually detect and troubleshoot failed runs. You can also integrate {% data variables.product.prodname_dependabot %} into your CI/CD pipelines by using {% data variables.product.prodname_actions %} APIs and webhooks to detect {% data variables.product.prodname_dependabot %} job status such as failed runs, and perform downstream processing. For more information, see "[AUTOTITLE](/rest/actions)" and "[AUTOTITLE](/webhooks/webhook-events-and-payloads)."
|
||||
|
||||
You cannot run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} on self-hosted runners or {% data variables.actions.hosted_runners %}. Using private networking with an Azure Virtual Network (VNET) or Actions Runner Controller (ARC) is not supported.
|
||||
|
||||
Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_dotcom %}-hosted runners runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."
|
||||
|
||||
Enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} may increase the number of concurrent jobs run in your account. If required, customers on enterprise plans can request a higher limit for concurrent jobs. For more information, contact us through the {% data variables.contact.contact_support_portal %}, or contact your sales representative.
|
||||
|
||||
If you are transitioning to using {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that {% data variables.product.prodname_dependabot %} uses, you should update your allowlist to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses sourced from the meta API endpoint. For more information, see "[AUTOTITLE](/rest/meta)."
|
||||
|
||||
{% ifversion ghec %}
|
||||
When you enforce a policy to allow actions and reusable workflows from only in your enterprise, and you enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will not run. To enable {% data variables.product.prodname_dependabot %} to run with your enterprise actions and reusable workflows, you should choose either to allow actions created by {% data variables.product.prodname_dotcom %}, or allow specified actions and reusable workflows. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run)."
|
||||
{% endif %}
|
||||
|
||||
## Enabling or disabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners
|
||||
|
||||
New repositories that you create in your user account or in your organization will automatically be configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} if any of the following is true:
|
||||
- {% data variables.product.prodname_dependabot %} is installed and enabled, and {% data variables.product.prodname_actions %} is enabled and in use.
|
||||
- The "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners" setting for your organization is enabled.
|
||||
|
||||
For existing repositories, you can opt in to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} as follows.
|
||||
|
||||
Future releases of {% data variables.product.product_name %} will remove the ability to disable running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}.
|
||||
|
||||
If you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses prior to enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners. You can update your IP allow list to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses (instead of the {% data variables.product.prodname_dependabot %} IP addresses), sourced from the [meta](/rest/meta) REST API endpoint.
|
||||
|
||||
>[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. In a future release, you will be able to use a self-hosted runner or {% data variables.actions.hosted_runner %} to ensure greater control over your network access.
|
||||
|
||||
Note, disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners" settings will not trigger a new {% data variables.product.prodname_dependabot %} run.
|
||||
|
||||
### Enabling or disabling for your repository
|
||||
|
||||
You can manage {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} for your public{% ifversion ghec %}, private or internal{% else %} or private{% endif %} repository.
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.sidebar-settings %}
|
||||
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
|
||||
1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners", click **Enable** to enable the feature or **Disable** to disable it.
|
||||
|
||||
### Enabling or disabling for your organization
|
||||
|
||||
You can use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} for all existing repositories in an organization. Only repositories with the following configuration will be updated to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} the next time a {% data variables.product.prodname_dependabot %} job is triggered.
|
||||
|
||||
- {% data variables.product.prodname_dependabot %} is enabled in the repository.
|
||||
- {% data variables.product.prodname_actions %} is enabled in the repository.
|
||||
|
||||
If a repository in your organization has {% data variables.product.prodname_dependabot %} enabled but {% data variables.product.prodname_actions %} disabled, {% data variables.product.prodname_dependabot %} will not run on {% data variables.product.prodname_actions %}, but will continue to run using the built-in {% data variables.product.prodname_dependabot %} application.
|
||||
|
||||
{% data reusables.profile.access_org %}
|
||||
{% data reusables.profile.org_settings %}
|
||||
{% data reusables.organizations.security-and-analysis %}
|
||||
1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners", click **Enable all** to enable the feature or **Disable all** to disable it.
|
||||
|
||||
## Managing {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners
|
||||
|
||||
When a {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} job is run, you can review the workflow run history directly from the Dependabot job logs. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs)."
|
||||
|
||||
You can also navigate to a {% data variables.product.prodname_dependabot %} workflow run from the **Actions** tab in a repository. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)."
|
||||
|
||||
To re-run a {% data variables.product.prodname_dependabot_version_updates %} or {% data variables.product.prodname_dependabot_security_updates %} job, use the appropriate procedure below. You cannot re-run a {% data variables.product.prodname_dependabot %} job on {% data variables.product.prodname_actions %} as you would for other {% data variables.product.prodname_actions %} workflows and jobs, that is, by using the **Actions** tab in a repository. You cannot view usage data for {% data variables.product.prodname_dependabot_updates %} workflows and jobs in your organization's {% data variables.product.prodname_actions %} usage metrics.
|
||||
|
||||
### Re-running a {% data variables.product.prodname_dependabot_version_updates %} job
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.accessing-repository-graphs %}
|
||||
{% data reusables.repositories.click-dependency-graph %}
|
||||
{% data reusables.dependabot.click-dependabot-tab %}
|
||||
1. To the right of the name of manifest file that you're interested in, click **Recent update jobs**.
|
||||
1. To the right of the affected manifest file, click **Check for updates** to re-run a {% data variables.product.prodname_dependabot_version_updates %} job and check for new updates to dependencies for that ecosystem.
|
||||
|
||||
### Re-running a {% data variables.product.prodname_dependabot_security_updates %} job
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
1. Under your repository name, click {% octicon "shield-lock" aria-hidden="true" %} **Security**.
|
||||
1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_dependabot %}**.
|
||||
1. Under "{% data variables.product.prodname_dependabot %}", click the alert you want to view.
|
||||
1. In the section displaying the error details for the alert, click **Try again** to re-run the {% data variables.product.prodname_dependabot_security_updates %} job.
|
||||
|
||||
## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows
|
||||
|
||||
{% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %} For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets)" and "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions)."
|
||||
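Review bot: the IP allowlist guidance appears twice (under "About ... runners" and again under "Enabling or disabling ..."), and only the second copy is followed by the `>[!WARNING]` that these addresses "should not be trusted for authentication". A reader who stops at the first copy is told to allowlist the hosted-runner addresses from the meta API with no caveat. Keep one copy and place the warning directly after it. Also, "For existing repositories, you can opt in ... as follows." is followed by four unrelated paragraphs before any procedure; move it to just above the repository and organization steps. Smaller fixes: "runners runners **does not** count", "allow actions and reusable workflows from only in your enterprise", and "name of manifest file".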
@@ -26,6 +26,10 @@ redirect_from:
|
||||
|
||||
{% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date, and you can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modifying the pull request.
|
||||
|
||||
{% ifversion dependabot-on-actions-opt-in %}
|
||||
>[!NOTE] This article explains how to automate {% data variables.product.prodname_dependabot %}-related tasks using {% data variables.product.prodname_actions %}. For more information about running {% data variables.product.prodname_dependabot_updates %} on {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)" instead.
|
||||
{% endif %}
|
||||
|
||||
## Responding to events
|
||||
|
||||
{% data variables.product.prodname_dependabot %} is able to trigger {% data variables.product.prodname_actions %} workflows on its pull requests and comments; however, certain events are treated differently.
|
||||
|
||||
@@ -15,6 +15,7 @@ topics:
|
||||
- Pull requests
|
||||
children:
|
||||
- /managing-pull-requests-for-dependency-updates
|
||||
- /about-dependabot-on-github-actions-runners
|
||||
- /automating-dependabot-with-github-actions
|
||||
- /keeping-your-actions-up-to-date-with-dependabot
|
||||
- /configuring-access-to-private-registries-for-dependabot
|
||||
|
||||
@@ -39,6 +39,10 @@ If anything prevents {% data variables.product.prodname_dependabot %} from raisi
|
||||
{% endnote %}
|
||||
{% endif %}
|
||||
|
||||
{% ifversion dependabot-on-actions-opt-in %}
|
||||
For more information about troubleshooting when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
|
||||
{% endif %}
|
||||
|
||||
## Investigating errors with {% data variables.product.prodname_dependabot_security_updates %}
|
||||
|
||||
When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to fix a {% data variables.product.prodname_dependabot %} alert, it posts the error message on the alert. The {% data variables.product.prodname_dependabot_alerts %} view shows a list of any alerts that have not been resolved yet. To access the alerts view, click **{% data variables.product.prodname_dependabot_alerts %}** on the **Security** tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request.
|
||||
|
||||
@@ -93,4 +93,5 @@ You can configure {% data variables.product.prodname_dependabot %} to ignore spe
|
||||
- "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)"
|
||||
- "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)"
|
||||
- "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph)"
|
||||
- "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors)"
|
||||
- "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors)"{% ifversion dependabot-on-actions-opt-in %}
|
||||
- "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)"{% endif %}
|
||||
|
||||
@@ -51,7 +51,7 @@ For more information on {% data variables.dependabot.auto_triage_rules %}, see "
|
||||
|
||||
### Enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.company_short %}-hosted runners
|
||||
|
||||
You can allow {% data variables.product.prodname_dependabot %} to use {% data variables.product.company_short %}-hosted runners and the {% data variables.product.prodname_dependabot %} action to perform dependency updates. To enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on all repositories in your organization, click **Enable all**. To automatically enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on new repositories in your organization, select **Automatically enable for new repositories**.
|
||||
You can allow {% data variables.product.prodname_dependabot %} to use {% data variables.product.company_short %}-hosted runners and the {% data variables.product.prodname_dependabot %} action to perform dependency updates. To enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on all repositories in your organization, click **Enable all**. To automatically enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on new repositories in your organization, select **Automatically enable for new repositories**. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
|
||||
|
||||
{% endif %}
|
||||
|
||||
|
||||
@@ -81,11 +81,11 @@ The term "{% data variables.product.prodname_dependabot %}" encompasses the foll
|
||||
- {% data variables.product.prodname_dependabot_security_updates %}—Triggered updates to upgrade your dependencies to a secure version when an alert is triggered.
|
||||
- {% data variables.product.prodname_dependabot_version_updates %}—Scheduled updates to keep your dependencies up to date with the latest version.
|
||||
|
||||
{% ifversion fpt or ghec %}
|
||||
{% ifversion fpt or ghec %}Pull requests opened by {% data variables.product.prodname_dependabot %} can trigger workflows that run actions. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions)."{% endif %}
|
||||
|
||||
{% data variables.product.prodname_dependabot_alerts %}, {% data variables.product.prodname_dependabot_security_updates %}, and {% data variables.product.prodname_dependabot_version_updates %} do not use {% data variables.product.prodname_actions %} when they run on {% data variables.product.product_name %}. However, pull requests opened by {% data variables.product.prodname_dependabot %} can trigger workflows that run actions. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions)."
|
||||
{% ifversion dependabot-on-actions-opt-in %}By default, {% data variables.product.prodname_dependabot_alerts %}, {% data variables.product.prodname_dependabot_security_updates %}, and {% data variables.product.prodname_dependabot_version_updates %} are run using the built-in {% data variables.product.prodname_dependabot %} application in {% data variables.product.product_name %}. You can instead choose to run {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_dependabot_version_updates %} on {% data variables.product.prodname_actions %}, to take advantage of better performance, and increased visibility and control of {% data variables.product.prodname_dependabot_updates %} jobs. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
|
||||
|
||||
{% elsif ghes %}
|
||||
{% else %}
|
||||
|
||||
{% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_dependabot_version_updates %} require {% data variables.product.prodname_actions %} to run on {% data variables.product.product_name %}. {% data variables.product.prodname_dependabot_alerts %} do not require {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
|
||||
|
||||
|
||||
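Review bot: the `{% else %}` that replaces `{% elsif ghes %}` is too broad. Under `{% ifversion dependabot-on-actions-opt-in %}` it makes the "require ... to run" paragraph, with its enterprise admin link, the fallback for every version outside the feature flag rather than only GHES. If the flag's `versions` are ever narrowed, fpt and ghec readers would be shown the GHES statement. Keep the explicit `{% elsif ghes %}` branch.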
4
data/features/dependabot-on-actions-opt-in.yml
Normal file
@@ -0,0 +1,4 @@
|
||||
# Reference: Issue #13337 Dependabot on Actions (opt-in) GA
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -0,0 +1,5 @@
|
||||
{% ifversion dependabot-on-actions-opt-in %}
|
||||
|
||||
>[!NOTE] You must opt in to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. Future releases of {% data variables.product.product_name %} will remove the ability to opt in and always run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
|
||||
|
||||
{% endif %}
|
||||
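Review bot: "will remove the ability to opt in and always run ..." is ambiguous; it can be read as removing the ability to always run. The article body states the same plan as "will remove the ability to disable running ...". Reword the note to match, for example by splitting it into two clauses: the opt-in setting will be removed, and updates will then always run on Actions.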
@@ -0,0 +1,9 @@
|
||||
After you set up {% data variables.product.prodname_dependabot %} updates for {% data variables.location.product_location %}, you may see failures when existing workflows are triggered by {% data variables.product.prodname_dependabot %} events.
|
||||
|
||||
By default, {% data variables.product.prodname_actions %} workflow runs that are triggered by {% data variables.product.prodname_dependabot %} from `push`, `pull_request`, `pull_request_review`, or `pull_request_review_comment` events are treated as if they were opened from a repository fork. Unlike workflows triggered by other actors, this means they receive a read-only `GITHUB_TOKEN` and do not have access to any secrets that are normally available. This will cause any workflows that attempt to write to the repository to fail when they are triggered by {% data variables.product.prodname_dependabot %}.
|
||||
|
||||
There are three ways to resolve this problem:
|
||||
|
||||
1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions)."
|
||||
1. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events)."
|
||||
1. You can provide workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and allow the `permissions` term to increase the default scope of the `GITHUB_TOKEN`.
|
||||
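Review bot: option 2 presents `pull_request_target` only as a trigger "which does not have these limitations", that is, one that runs with a writable `GITHUB_TOKEN` and access to secrets, without saying what that demands of the workflow. Since this text is now a reusable included on more than one page, add a clause that such a workflow should not check out or execute code from the pull request, or state that the linked "Responding to events" section covers the safe pattern. Option 3 would also benefit from saying that `permissions` should grant only the scopes the job needs.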
@@ -1 +1 @@
|
||||
{% data variables.product.prodname_actions %} is {% ifversion ghec or fpt %}not {% endif %}required for {% data variables.product.prodname_dependabot_version_updates %} and {% data variables.product.prodname_dependabot_security_updates %} to run on {% data variables.product.product_name %}.{% ifversion fpt or ghec %} However, pull requests opened by {% data variables.product.prodname_dependabot %} can trigger workflows that run actions. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions)."{% elsif ghes %} {% data reusables.dependabot.enabling-actions-for-ghes %} For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."{% endif %}
|
||||
By default, {% data variables.product.prodname_dependabot_updates %} are run using the built-in {% data variables.product.prodname_dependabot %} application in {% data variables.product.product_name %}. You can instead choose to run {% data variables.product.prodname_dependabot_updates %} on {% data variables.product.prodname_actions %}, to take advantage of better performance, and increased visibility and control of {% data variables.product.prodname_dependabot_updates %} jobs.
|
||||
|
||||
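Review bot: reusing an existing reusable's name for unrelated content is risky here. The old one-line text ("... is not required ... However, pull requests opened by ... can trigger workflows") is replaced by "By default, ... are run using the built-in ... application", and the pull-request text moves to a new file. Judging by the callers updated earlier in this commit, this is `dependabot-updates-and-actions`; any include of it that this commit does not touch will silently switch text. The new sentence also has no `ifversion` guard of its own, so every caller must wrap it. Give the new text a new reusable name, or put the `{% ifversion dependabot-on-actions-opt-in %}` guard inside the reusable.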
@@ -0,0 +1 @@
|
||||
{% ifversion fpt or ghec %}Pull requests opened by {% data variables.product.prodname_dependabot %} can trigger workflows that run actions. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions)."{% elsif ghes %} {% data reusables.dependabot.enabling-actions-for-ghes %} {% data variables.product.prodname_actions %} is required for {% data variables.product.prodname_dependabot_version_updates %} and {% data variables.product.prodname_dependabot_security_updates %} to run on {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."{% endif %}
|
||||