From 3880c05abd76d32f324d16c9ba93a12421421c4f Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 23 Apr 2024 16:56:51 +0100 Subject: [PATCH] Revert "Revert "Dependabot on Actions (opt-in) - [GA]"" (#50273) --- ...ting-github-actions-for-your-enterprise.md | 10 +- .../about-dependabot-security-updates.md | 4 +- .../about-dependabot-version-updates.md | 4 +- ...ut-dependabot-on-github-actions-runners.md | 104 ++++++++++++++++++ ...tomating-dependabot-with-github-actions.md | 4 + .../working-with-dependabot/index.md | 1 + .../troubleshooting-dependabot-errors.md | 4 + ...he-detection-of-vulnerable-dependencies.md | 3 +- ...security-settings-for-your-organization.md | 2 +- .../about-supply-chain-security.md | 6 +- .../features/dependabot-on-actions-opt-in.yml | 4 + .../dependabot-on-actions-opt-in-note.md | 5 + ...ot-on-actions-troubleshooting-workflows.md | 9 ++ .../dependabot-updates-and-actions.md | 2 +- .../dependabot-updates-prs-and-actions.md | 1 + 15 files changed, 146 insertions(+), 17 deletions(-) create mode 100644 content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md create mode 100644 data/features/dependabot-on-actions-opt-in.yml create mode 100644 data/reusables/dependabot/dependabot-on-actions-opt-in-note.md create mode 100644 data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md create mode 100644 data/reusables/dependabot/dependabot-updates-prs-and-actions.md diff --git a/content/admin/github-actions/advanced-configuration-and-troubleshooting/troubleshooting-github-actions-for-your-enterprise.md b/content/admin/github-actions/advanced-configuration-and-troubleshooting/troubleshooting-github-actions-for-your-enterprise.md index 9f3fc93909..985c7e6cb1 100644 --- a/content/admin/github-actions/advanced-configuration-and-troubleshooting/troubleshooting-github-actions-for-your-enterprise.md 
+++ b/content/admin/github-actions/advanced-configuration-and-troubleshooting/troubleshooting-github-actions-for-your-enterprise.md 
@@ -159,15 +159,7 @@ If any of these services are at or near 100% CPU utilization, or the memory is n ## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows -After you set up {% data variables.product.prodname_dependabot %} updates for {% data variables.location.product_location %}, you may see failures when existing workflows are triggered by {% data variables.product.prodname_dependabot %} events. - -By default, {% data variables.product.prodname_actions %} workflow runs that are triggered by {% data variables.product.prodname_dependabot %} from `push`, `pull_request`, `pull_request_review`, or `pull_request_review_comment` events are treated as if they were opened from a repository fork. Unlike workflows triggered by other actors, this means they receive a read-only `GITHUB_TOKEN` and do not have access to any secrets that are normally available. This will cause any workflows that attempt to write to the repository to fail when they are triggered by {% data variables.product.prodname_dependabot %}. - -There are three ways to resolve this problem: - -1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions)." -1. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events)." -1. You can provide workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and allow the `permissions` term to increase the default scope of the `GITHUB_TOKEN`. 
For more information, see "[Providing workflows triggered by{% data variables.product.prodname_dependabot %} access to secrets and increased permissions](#providing-workflows-triggered-by-dependabot-access-to-secrets-and-increased-permissions)" below. +{% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %} For more information, see "[Providing workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and increased permissions](#providing-workflows-triggered-by-dependabot-access-to-secrets-and-increased-permissions)" below. ### Providing workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and increased permissions diff --git a/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md b/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md index 643b1eb4b0..d0a7cd798d 100644 --- a/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md +++ b/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md @@ -50,7 +50,9 @@ You can enable a related feature, {% data variables.product.prodname_dependabot_ {% data reusables.dependabot.pull-request-security-vs-version-updates %} -{% data reusables.dependabot.dependabot-updates-and-actions %} +{% data reusables.dependabot.dependabot-updates-prs-and-actions %} + +{% ifversion dependabot-on-actions-opt-in %}{% data reusables.dependabot.dependabot-updates-and-actions %} For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."{% endif %} {% data reusables.dependabot.dependabot-actions-support %} 
diff --git a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md b/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md index 480cc016be..a15aed26a8 100644 --- a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md +++ b/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md @@ -40,7 +40,9 @@ If you enable _security updates_, {% data variables.product.prodname_dependabot {% data reusables.dependabot.dependabot-updates-signed-commits %} -{% data reusables.dependabot.dependabot-updates-and-actions %} +{% data reusables.dependabot.dependabot-updates-prs-and-actions %} + +{% ifversion dependabot-on-actions-opt-in %}{% data reusables.dependabot.dependabot-updates-and-actions %} For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."{% endif %} {% data reusables.dependabot.dependabot-tos %} diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md new file mode 100644 index 0000000000..c469c3e3b6 --- /dev/null +++ b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md 
@@ -0,0 +1,104 @@ +--- +title: About Dependabot on GitHub Actions runners +intro: 'Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} allows for better performance, and increased visibility and control of {% data variables.product.prodname_dependabot %} jobs.' +shortTitle: Dependabot on Actions +permissions: 'Organization owners and repository administrators can enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}.' +versions: + feature: dependabot-on-actions-opt-in +type: how_to +topics: + - Dependabot + - Security updates + - Version updates + - Actions + - Dependencies + - Repositories +--- + +{% data reusables.dependabot.dependabot-on-actions-opt-in-note %} + +## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners + +{% data reusables.dependabot.dependabot-updates-and-actions %} + +Using {% data variables.product.prodname_actions %} runners allows you to more easily identify {% data variables.product.prodname_dependabot %} job errors and manually detect and troubleshoot failed runs. You can also integrate {% data variables.product.prodname_dependabot %} into your CI/CD pipelines by using {% data variables.product.prodname_actions %} APIs and webhooks to detect {% data variables.product.prodname_dependabot %} job status such as failed runs, and perform downstream processing. For more information, see "[AUTOTITLE](/rest/actions)" and "[AUTOTITLE](/webhooks/webhook-events-and-payloads)." + +You cannot run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} on self-hosted runners or {% data variables.actions.hosted_runners %}. Using private networking with an Azure Virtual Network (VNET) or Actions Runner Controller (ARC) is not supported. 
+ +Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_dotcom %}-hosted runners runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)." + +Enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} may increase the number of concurrent jobs run in your account. If required, customers on enterprise plans can request a higher limit for concurrent jobs. For more information, contact us through the {% data variables.contact.contact_support_portal %}, or contact your sales representative. + +If you are transitioning to using {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that {% data variables.product.prodname_dependabot %} uses, you should update your allowlist to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses sourced from the meta API endpoint. For more information, see "[AUTOTITLE](/rest/meta)." + +{% ifversion ghec %} +When you enforce a policy to allow actions and reusable workflows from only in your enterprise, and you enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will not run. To enable {% data variables.product.prodname_dependabot %} to run with your enterprise actions and reusable workflows, you should choose either to allow actions created by {% data variables.product.prodname_dotcom %}, or allow specified actions and reusable workflows. 
For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run)." +{% endif %} + +## Enabling or disabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners + +New repositories that you create in your user account or in your organization will automatically be configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} if any of the following is true: +- {% data variables.product.prodname_dependabot %} is installed and enabled, and {% data variables.product.prodname_actions %} is enabled and in use. +- The "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners" setting for your organization is enabled. + +For existing repositories, you can opt in to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} as follows. + +Future releases of {% data variables.product.product_name %} will remove the ability to disable running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. + +If you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses prior to enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners. You can update your IP allow list to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses (instead of the {% data variables.product.prodname_dependabot %} IP addresses), sourced from the [meta](/rest/meta) REST API endpoint. + +>[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. 
These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. In a future release, you will be able to use a self-hosted runner or {% data variables.actions.hosted_runner %} to ensure greater control over your network access. + +Note, disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners" settings will not trigger a new {% data variables.product.prodname_dependabot %} run. + +### Enabling or disabling for your repository + +You can manage {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} for your public{% ifversion ghec %}, private or internal{% else %} or private{% endif %} repository. + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners", click **Enable** to enable the feature or **Disable** to disable it. + +### Enabling or disabling for your organization + +You can use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} for all existing repositories in an organization. Only repositories with the following configuration will be updated to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} the next time a {% data variables.product.prodname_dependabot %} job is triggered. + + - {% data variables.product.prodname_dependabot %} is enabled in the repository. + - {% data variables.product.prodname_actions %} is enabled in the repository. 
+ +If a repository in your organization has {% data variables.product.prodname_dependabot %} enabled but {% data variables.product.prodname_actions %} disabled, {% data variables.product.prodname_dependabot %} will not run on {% data variables.product.prodname_actions %}, but will continue to run using the built-in {% data variables.product.prodname_dependabot %} application. + +{% data reusables.profile.access_org %} +{% data reusables.profile.org_settings %} +{% data reusables.organizations.security-and-analysis %} +1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners", click **Enable all** to enable the feature or **Disable all** to disable it. + +## Managing {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners + +When a {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} job is run, you can review the workflow run history directly from the Dependabot job logs. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs)." + +You can also navigate to a {% data variables.product.prodname_dependabot %} workflow run from the **Actions** tab in a repository. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." + +To re-run a {% data variables.product.prodname_dependabot_version_updates %} or {% data variables.product.prodname_dependabot_security_updates %} job, use the appropriate procedure below. You cannot re-run a {% data variables.product.prodname_dependabot %} job on {% data variables.product.prodname_actions %} as you would for other {% data variables.product.prodname_actions %} workflows and jobs, that is, by using the **Actions** tab in a repository. 
You cannot view usage data for {% data variables.product.prodname_dependabot_updates %} workflows and jobs in your organization's {% data variables.product.prodname_actions %} usage metrics. + +### Re-running a {% data variables.product.prodname_dependabot_version_updates %} job + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.accessing-repository-graphs %} +{% data reusables.repositories.click-dependency-graph %} +{% data reusables.dependabot.click-dependabot-tab %} +1. To the right of the name of manifest file that you're interested in, click **Recent update jobs**. +1. To the right of the affected manifest file, click **Check for updates** to re-run a {% data variables.product.prodname_dependabot_version_updates %} job and check for new updates to dependencies for that ecosystem. + +### Re-running a {% data variables.product.prodname_dependabot_security_updates %} job + +{% data reusables.repositories.navigate-to-repo %} +1. Under your repository name, click {% octicon "shield-lock" aria-hidden="true" %} **Security**. +1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_dependabot %}**. +1. Under "{% data variables.product.prodname_dependabot %}", click the alert you want to view. +1. In the section displaying the error details for the alert, click **Try again** to re-run the {% data variables.product.prodname_dependabot_security_updates %} job. + +## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows + +{% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %} For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets)" and "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions)." 
diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index 06820722e4..93ee3584a8 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md @@ -26,6 +26,10 @@ redirect_from: {% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date, and you can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modifying the pull request. +{% ifversion dependabot-on-actions-opt-in %} +>[!NOTE] This article explains how to automate {% data variables.product.prodname_dependabot %}-related tasks using {% data variables.product.prodname_actions %}. For more information about running {% data variables.product.prodname_dependabot_updates %} on {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)" instead. +{% endif %} + ## Responding to events {% data variables.product.prodname_dependabot %} is able to trigger {% data variables.product.prodname_actions %} workflows on its pull requests and comments; however, certain events are treated differently. diff --git a/content/code-security/dependabot/working-with-dependabot/index.md b/content/code-security/dependabot/working-with-dependabot/index.md index 2df4314f17..155ae47abf 100644 --- a/content/code-security/dependabot/working-with-dependabot/index.md +++ b/content/code-security/dependabot/working-with-dependabot/index.md 
@@ -15,6 +15,7 @@ topics: - Pull requests children: - /managing-pull-requests-for-dependency-updates + - /about-dependabot-on-github-actions-runners - /automating-dependabot-with-github-actions - /keeping-your-actions-up-to-date-with-dependabot - /configuring-access-to-private-registries-for-dependabot diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md index 93e20498ed..786d867aa9 100644 --- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md +++ b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md @@ -39,6 +39,10 @@ If anything prevents {% data variables.product.prodname_dependabot %} from raisi {% endnote %} {% endif %} +{% ifversion dependabot-on-actions-opt-in %} +For more information about troubleshooting when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)." +{% endif %} + ## Investigating errors with {% data variables.product.prodname_dependabot_security_updates %} When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to fix a {% data variables.product.prodname_dependabot %} alert, it posts the error message on the alert. The {% data variables.product.prodname_dependabot_alerts %} view shows a list of any alerts that have not been resolved yet. To access the alerts view, click **{% data variables.product.prodname_dependabot_alerts %}** on the **Security** tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request. 
diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md b/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md index 5059ea4059..d0bd5ebddb 100644 --- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md +++ b/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md @@ -93,4 +93,5 @@ You can configure {% data variables.product.prodname_dependabot %} to ignore spe - "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)" - "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" - "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph)" -- "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors)" +- "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors)"{% ifversion dependabot-on-actions-opt-in %} +- "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)"{% endif %} diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md index ffe4e6181f..4204038fca 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md 
+++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md @@ -51,7 +51,7 @@ For more information on {% data variables.dependabot.auto_triage_rules %}, see " ### Enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.company_short %}-hosted runners -You can allow {% data variables.product.prodname_dependabot %} to use {% data variables.product.company_short %}-hosted runners and the {% data variables.product.prodname_dependabot %} action to perform dependency updates. To enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on all repositories in your organization, click **Enable all**. To automatically enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on new repositories in your organization, select **Automatically enable for new repositories**. +You can allow {% data variables.product.prodname_dependabot %} to use {% data variables.product.company_short %}-hosted runners and the {% data variables.product.prodname_dependabot %} action to perform dependency updates. To enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on all repositories in your organization, click **Enable all**. To automatically enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on new repositories in your organization, select **Automatically enable for new repositories**. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)." {% endif %} 
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
index 6a43fc394f..cf8f193025 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
@@ -81,11 +81,11 @@ The term "{% data variables.product.prodname_dependabot %}" encompasses the foll - {% data variables.product.prodname_dependabot_security_updates %}—Triggered updates to upgrade your dependencies to a secure version when an alert is triggered. - {% data variables.product.prodname_dependabot_version_updates %}—Scheduled updates to keep your dependencies up to date with the latest version. -{% ifversion fpt or ghec %} +{% ifversion fpt or ghec %}Pull requests opened by {% data variables.product.prodname_dependabot %} can trigger workflows that run actions. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions)."{% endif %} -{% data variables.product.prodname_dependabot_alerts %}, {% data variables.product.prodname_dependabot_security_updates %}, and {% data variables.product.prodname_dependabot_version_updates %} do not use {% data variables.product.prodname_actions %} when they run on {% data variables.product.product_name %}. However, pull requests opened by {% data variables.product.prodname_dependabot %} can trigger workflows that run actions. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions)." +{% ifversion dependabot-on-actions-opt-in %}By default, {% data variables.product.prodname_dependabot_alerts %}, {% data variables.product.prodname_dependabot_security_updates %}, and {% data variables.product.prodname_dependabot_version_updates %} are run using the built-in {% data variables.product.prodname_dependabot %} application in {% data variables.product.product_name %}. 
You can instead choose to run {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_dependabot_version_updates %} on {% data variables.product.prodname_actions %}, to take advantage of better performance, and increased visibility and control of {% data variables.product.prodname_dependabot_updates %} jobs. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)." -{% elsif ghes %} +{% else %} {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_dependabot_version_updates %} require {% data variables.product.prodname_actions %} to run on {% data variables.product.product_name %}. {% data variables.product.prodname_dependabot_alerts %} do not require {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)." diff --git a/data/features/dependabot-on-actions-opt-in.yml b/data/features/dependabot-on-actions-opt-in.yml new file mode 100644 index 0000000000..7ce70899b0 --- /dev/null +++ b/data/features/dependabot-on-actions-opt-in.yml @@ -0,0 +1,4 @@ +# Reference: Issue #13337 Dependabot on Actions (opt-in) GA +versions: + fpt: '*' + ghec: '*' diff --git a/data/reusables/dependabot/dependabot-on-actions-opt-in-note.md b/data/reusables/dependabot/dependabot-on-actions-opt-in-note.md new file mode 100644 index 0000000000..6eeb84d477 --- /dev/null +++ b/data/reusables/dependabot/dependabot-on-actions-opt-in-note.md 
@@ -0,0 +1,5 @@
+{% ifversion dependabot-on-actions-opt-in %}
+
+>[!NOTE] You must opt in to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. Future releases of {% data variables.product.product_name %} will remove the ability to opt in and always run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
+
+{% endif %}
diff --git a/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md b/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md
new file mode 100644
index 0000000000..72659bdb4c
--- /dev/null
+++ b/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md
@@ -0,0 +1,9 @@
+After you set up {% data variables.product.prodname_dependabot %} updates for {% data variables.location.product_location %}, you may see failures when existing workflows are triggered by {% data variables.product.prodname_dependabot %} events.
+
+By default, {% data variables.product.prodname_actions %} workflow runs that are triggered by {% data variables.product.prodname_dependabot %} from `push`, `pull_request`, `pull_request_review`, or `pull_request_review_comment` events are treated as if they were opened from a repository fork. Unlike workflows triggered by other actors, this means they receive a read-only `GITHUB_TOKEN` and do not have access to any secrets that are normally available. This will cause any workflows that attempt to write to the repository to fail when they are triggered by {% data variables.product.prodname_dependabot %}.
+
+There are three ways to resolve this problem:
+
+1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions)."
+1. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events)."
+1. You can provide workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and allow the `permissions` term to increase the default scope of the `GITHUB_TOKEN`.
diff --git a/data/reusables/dependabot/dependabot-updates-and-actions.md b/data/reusables/dependabot/dependabot-updates-and-actions.md
index 0c490a3d5c..31ec16f991 100644
--- a/data/reusables/dependabot/dependabot-updates-and-actions.md
+++ b/data/reusables/dependabot/dependabot-updates-and-actions.md
@@ -1 +1 @@
-{% data variables.product.prodname_actions %} is {% ifversion ghec or fpt %}not {% endif %}required for {% data variables.product.prodname_dependabot_version_updates %} and {% data variables.product.prodname_dependabot_security_updates %} to run on {% data variables.product.product_name %}.{% ifversion fpt or ghec %} However, pull requests opened by {% data variables.product.prodname_dependabot %} can trigger workflows that run actions. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions)."{% elsif ghes %} {% data reusables.dependabot.enabling-actions-for-ghes %} For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."{% endif %}
+By default, {% data variables.product.prodname_dependabot_updates %} are run using the built-in {% data variables.product.prodname_dependabot %} application in {% data variables.product.product_name %}. You can instead choose to run {% data variables.product.prodname_dependabot_updates %} on {% data variables.product.prodname_actions %}, to take advantage of better performance, and increased visibility and control of {% data variables.product.prodname_dependabot_updates %} jobs.
diff --git a/data/reusables/dependabot/dependabot-updates-prs-and-actions.md b/data/reusables/dependabot/dependabot-updates-prs-and-actions.md
new file mode 100644
index 0000000000..ed221af284
--- /dev/null
+++ b/data/reusables/dependabot/dependabot-updates-prs-and-actions.md
@@ -0,0 +1 @@
+{% ifversion fpt or ghec %}Pull requests opened by {% data variables.product.prodname_dependabot %} can trigger workflows that run actions. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions)."{% elsif ghes %} {% data reusables.dependabot.enabling-actions-for-ghes %} {% data variables.product.prodname_actions %} is required for {% data variables.product.prodname_dependabot_version_updates %} and {% data variables.product.prodname_dependabot_security_updates %} to run on {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."{% endif %}