From ab09079af2d8520dcbe24b4bd9e213679da48783 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Wed, 25 Sep 2024 10:21:53 +0100
Subject: [PATCH] Ensure we use the correct wording for all FPT and GHEC Dependabot users, regardless of whether GitHub Actions are enabled on their repositories (#52183)
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
 ...ut-dependabot-on-github-actions-runners.md | 10 ++++-----
 .../working-with-dependabot/index.md | 1 +
 ...aging-dependabot-on-self-hosted-runners.md | 10 ++++-----
 ...leshooting-dependabot-on-github-actions.md | 21 +++++++++++++++++++
 ...security-settings-for-your-organization.md | 8 +++++--
 .../about-supply-chain-security.md | 8 ++++++-
 .../dependabot-on-actions-future-note.md | 1 +
 .../dependabot-on-actions-opt-in-note.md | 5 -----
 .../dependabot-updates-and-actions.md | 4 +++-
 9 files changed, 49 insertions(+), 19 deletions(-)
 create mode 100644 content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md
 create mode 100644 data/reusables/dependabot/dependabot-on-actions-future-note.md
 delete mode 100644 data/reusables/dependabot/dependabot-on-actions-opt-in-note.md
diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md
index d6e96c5994..609ba68be3 100644
--- a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md
+++ b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md
@@ -1,6 +1,6 @@
 ---
 title: About Dependabot on GitHub Actions runners
-intro: 'Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} allows for better performance, and increased visibility and control of {% data variables.product.prodname_dependabot %} jobs.'
+intro: '{% data variables.product.prodname_dotcom %} automatically runs the jobs that generate {% data variables.product.prodname_dependabot %} pull requests on {% data variables.product.prodname_actions %} if you have {% data variables.product.prodname_actions %} enabled for the repository.'
 shortTitle: About Dependabot on Actions
 permissions: 'Organization owners and repository administrators can enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}.'
 versions:
@@ -15,12 +15,12 @@ topics:
 - Repositories
 ---
-{% data reusables.dependabot.dependabot-on-actions-opt-in-note %}
-
 ## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners
 {% data reusables.dependabot.dependabot-updates-and-actions %}
+{% data reusables.dependabot.dependabot-on-actions-future-note %}
+
 Using {% data variables.product.prodname_actions %} runners allows you to more easily identify {% data variables.product.prodname_dependabot %} job errors and manually detect and troubleshoot failed runs. You can also integrate {% data variables.product.prodname_dependabot %} into your CI/CD pipelines by using {% data variables.product.prodname_actions %} APIs and webhooks to detect {% data variables.product.prodname_dependabot %} job status such as failed runs, and perform downstream processing. For more information, see "[AUTOTITLE](/rest/actions)" and "[AUTOTITLE](/webhooks/webhook-events-and-payloads)." You can run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} using:
@@ -117,6 +117,6 @@ To re-run a {% data variables.product.prodname_dependabot_version_updates %} or
 1. Under "{% data variables.product.prodname_dependabot %}", click the alert you want to view.
 1. In the section displaying the error details for the alert, click **Try again** to re-run the {% data variables.product.prodname_dependabot_security_updates %} job.
-## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows
+## Further reading
-{% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %} For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets)" and "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions)."
+* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions)"
diff --git a/content/code-security/dependabot/working-with-dependabot/index.md b/content/code-security/dependabot/working-with-dependabot/index.md
index b883d24ebc..d17916c339 100644
--- a/content/code-security/dependabot/working-with-dependabot/index.md
+++ b/content/code-security/dependabot/working-with-dependabot/index.md
@@ -25,4 +25,5 @@ children:
 - /viewing-dependabot-job-logs
 - /troubleshooting-the-detection-of-vulnerable-dependencies
 - /troubleshooting-dependabot-errors
+ - /troubleshooting-dependabot-on-github-actions
 ---
diff --git a/content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md b/content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md
index 386ca2d92a..81378376ca 100644
--- a/content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md
+++ b/content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md
@@ -1,6 +1,6 @@
 ---
 title: Managing Dependabot on self-hosted runners
-intro: 'You can configure {% data variables.product.prodname_actions %} self-hosted runners that {% data variables.product.prodname_dependabot %} uses to access your private registries and internal network resources.'
+intro: 'You can configure self-hosted runners that {% data variables.product.prodname_dependabot %} uses to access your private registries and internal network resources.'
 shortTitle: Manage Dependabot on self-hosted runners
 permissions: 'Organization owners and repository administrators can configure {% data variables.product.prodname_dependabot %} to run on self-hosted runners.'
 versions:
@@ -15,10 +15,12 @@ topics:
 - Repositories
 ---
-{% data reusables.dependabot.dependabot-on-actions-opt-in-note %}
-
 ## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners
+{% data reusables.dependabot.dependabot-updates-and-actions %} For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
+
+{% data reusables.dependabot.dependabot-on-actions-future-note %}
+
 You can help users of your organization and repositories to create and maintain secure code by setting up {% data variables.product.prodname_dependabot %} security and version updates. With {% data variables.product.prodname_dependabot_updates %}, developers can configure repositories so that their dependencies are updated and kept secure automatically. Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} allows for better performance, and increased visibility and control of {% data variables.product.prodname_dependabot %} jobs. To have greater control over {% data variables.product.prodname_dependabot %} access to your private registries and internal network resources, you can configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners.
@@ -31,8 +33,6 @@ For more information about configuring {% data variables.product.prodname_depend
 You must have {% data variables.product.prodname_dependabot %} installed and enabled, and {% data variables.product.prodname_actions %} enabled and in use. The "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners" setting for your organization should also be enabled. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
-If {% data variables.product.prodname_actions %} is not enabled for your organization or repository, then the organization or repository level setting to enable "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners" will not be visible in the web UI.
-
 Your organization may have configured a policy to restrict actions and self-hosted runners from running in specific repositories, which in turn will not allow {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. In this case, the organization or repository level setting to enable "{% data variables.product.prodname_dependabot %} on self-hosted runners" will not be visible in the web UI. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)." {% data reusables.dependabot.dependabot-on-actions-enterprise-policy-condition %}
diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md
new file mode 100644
index 0000000000..f0206fe28e
--- /dev/null
+++ b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md
@@ -0,0 +1,21 @@
+---
+title: Troubleshooting Dependabot on GitHub Actions
+intro: 'This article provides troubleshooting information for issues you may encounter when using {% data variables.product.prodname_dependabot %} with {% data variables.product.prodname_actions %}.'
+versions:
+ fpt: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Actions
+ - Dependabot
+ - Version updates
+ - Security updates
+ - Repositories
+ - Dependencies
+ - Pull requests
+shortTitle: Troubleshoot Dependabot on Actions
+---
+
+## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows
+
+{% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %} For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets)" and "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions)."
diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
index a372eec3f3..45736c9813 100644
--- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
+++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
@@ -45,11 +45,15 @@ For more information on {% data variables.dependabot.auto_triage_rules %}, see "
 {% data variables.product.prodname_dependabot %} can group all automatically suggested security updates into a single pull request to reduce noise. To enable grouped security updates, select **Grouped security updates**. For more information about grouped updates and customization options, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request)."
-{% ifversion fpt or ghec %}
+{% ifversion dependabot-on-actions-opt-in %}
 ### Enabling dependency updates on {% data variables.product.prodname_actions %} runners
-You can allow {% data variables.product.prodname_dependabot %} to use {% data variables.product.prodname_actions %} runners and the {% data variables.product.prodname_dependabot %} action to perform dependency updates. To enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on all repositories in your organization, select **Dependabot on Actions runners**. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
+If both {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %} are enabled for existing repositories in your organization, {% data variables.product.company_short %} will automatically use {% data variables.product.company_short %}-hosted runners to run dependency updates for those repositories.
+
+Otherwise, to allow {% data variables.product.prodname_dependabot %} to use {% data variables.product.prodname_actions %} runners to perform dependency updates for all existing repositories in the organization, select "{% data variables.product.prodname_dependabot %} on Actions runners".
+
+For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
 {% data reusables.dependabot.dependabot-on-actions-self-hosted-link %}
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
index 1a7c1945c0..33ab81d7b0 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
@@ -87,7 +87,13 @@ The term "{% data variables.product.prodname_dependabot %}" encompasses the foll
 {% ifversion fpt or ghec %}Pull requests opened by {% data variables.product.prodname_dependabot %} can trigger workflows that run actions. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions)."{% endif %}
-{% ifversion dependabot-on-actions-opt-in %}By default, {% data variables.product.prodname_dependabot_alerts %}, {% data variables.product.prodname_dependabot_security_updates %}, and {% data variables.product.prodname_dependabot_version_updates %} are run using the built-in {% data variables.product.prodname_dependabot %} application in {% data variables.product.product_name %}. You can instead choose to run {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_dependabot_version_updates %} on {% data variables.product.prodname_actions %}, to take advantage of better performance, and increased visibility and control of {% data variables.product.prodname_dependabot_updates %} jobs. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
+{% ifversion dependabot-on-actions-opt-in %}By default:
+
+* If {% data variables.product.prodname_actions %} is enabled for the repository, {% data variables.product.prodname_dotcom %} runs {% data variables.product.prodname_dependabot_updates %} on {% data variables.product.prodname_actions %}.
+
+* If {% data variables.product.prodname_actions %} is not enabled for the repository, {% data variables.product.prodname_dotcom %} generates {% data variables.product.prodname_dependabot_alerts %} using the built-in {% data variables.product.prodname_dependabot %} application in {% data variables.product.product_name %}.
+
+For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
 {% else %}
diff --git a/data/reusables/dependabot/dependabot-on-actions-future-note.md b/data/reusables/dependabot/dependabot-on-actions-future-note.md
new file mode 100644
index 0000000000..dd65e6e893
--- /dev/null
+++ b/data/reusables/dependabot/dependabot-on-actions-future-note.md
@@ -0,0 +1 @@
+> [!NOTE] Future releases of {% data variables.product.prodname_dotcom %} will always run {% data variables.product.prodname_dependabot %} using {% data variables.product.prodname_actions %}, and you will no longer have the option to enable or disable this setting.
diff --git a/data/reusables/dependabot/dependabot-on-actions-opt-in-note.md b/data/reusables/dependabot/dependabot-on-actions-opt-in-note.md
deleted file mode 100644
index 6eeb84d477..0000000000
--- a/data/reusables/dependabot/dependabot-on-actions-opt-in-note.md
+++ /dev/null
@@ -1,5 +0,0 @@
-{% ifversion dependabot-on-actions-opt-in %}
-
->[!NOTE] You must opt in to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. Future releases of {% data variables.product.product_name %} will remove the ability to opt in and always run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
-
-{% endif %}
diff --git a/data/reusables/dependabot/dependabot-updates-and-actions.md b/data/reusables/dependabot/dependabot-updates-and-actions.md
index 31ec16f991..496f2e0ee2 100644
--- a/data/reusables/dependabot/dependabot-updates-and-actions.md
+++ b/data/reusables/dependabot/dependabot-updates-and-actions.md
@@ -1 +1,3 @@
-By default, {% data variables.product.prodname_dependabot_updates %} are run using the built-in {% data variables.product.prodname_dependabot %} application in {% data variables.product.product_name %}. You can instead choose to run {% data variables.product.prodname_dependabot_updates %} on {% data variables.product.prodname_actions %}, to take advantage of better performance, and increased visibility and control of {% data variables.product.prodname_dependabot_updates %} jobs.
+If you enable {% data variables.product.prodname_dependabot %} on a new repository and have {% data variables.product.prodname_actions %} enabled, {% data variables.product.prodname_dependabot %} will run on {% data variables.product.prodname_actions %} by default.
+
+If you enable {% data variables.product.prodname_dependabot %} on a new repository and have {% data variables.product.prodname_actions %} disabled, {% data variables.product.prodname_dependabot %} will run on the legacy application in {% data variables.product.product_name %} to perform {% data variables.product.prodname_dependabot_updates %}. This doesn't provide as good performance, visibility, or control of {% data variables.product.prodname_dependabot_updates %} jobs as {% data variables.product.prodname_actions %} does. If you want to use {% data variables.product.prodname_dependabot %} with {% data variables.product.prodname_actions %}, you must ensure that your repository enables {% data variables.product.prodname_actions %}, then enable "{% data variables.product.prodname_dependabot %} on Actions runners" from the repository's "Code security and analysis" settings page.