
Clarify Dependabot is exempt from IP allow list enforcement #44599

Closed
emisanada wants to merge 1 commit into github:main from emisanada:emisanada/clarify-dependabot-ip-allowlist-behavior

Conversation

@emisanada

Contributor

Summary

Updates the Dependabot IP allow list documentation to accurately reflect that Dependabot is a first-party GitHub App whose repository access is exempt from IP allow list restrictions.

Why

The current docs state that customers "must set up a self-hosted runner or enable Dependabot for use with larger runners" when using IP allow lists. This is inaccurate for Dependabot's core operations:

  • Dependabot is a privileged first-party app with explicit ip_allowlist_exempt: true capability
  • Its repository access (reading dependency files, creating PRs) bypasses IP allow list enforcement by design
  • Customers have observed this working and are confused because the docs say otherwise (internal ref)

Changes

Rewrites data/reusables/dependabot/ip-allow-list-dependabot.md to:

  1. State clearly that Dependabot's repository access is exempt from IP allow lists
  2. Remove misleading "must" language about requiring self-hosted/larger runners for basic Dependabot functionality
  3. Keep runner guidance for other use cases where static IPs are needed (e.g., accessing private package registries behind firewalls)

What this does NOT cover

The interaction between GITHUB_TOKEN in Dependabot workflow steps and IP allow list enforcement is nuanced and not fully documented here. The Actions app has a different exemption scope (ip_allowlist_exempt_for_internal_apis only). This PR focuses solely on clarifying Dependabot's own access, which is unambiguously exempt.

Affected pages

This reusable appears on:

Dependabot is a first-party GitHub App with explicit IP allow list
exemption. Update docs to accurately state that Dependabot can access
repositories regardless of IP allow list configuration.

Addresses: github/enterprise-primitives#5258

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

github-actions Bot commented Jun 4, 2026

Contributor

How to review these changes 👓

Thank you for your contribution. To review these changes, choose one of the following options:

A Hubber will need to deploy your changes internally to review.

Table of review links

Note: Please update the URL for your staging server or codespace.

The table shows the files in the content directory that were changed in this pull request. This helps you review your changes on a staging server. Changes to the data directory are not included in this table.

Source: admin/configuring-settings/hardening-security-for-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md
Review: ghec
Production: ghec
What Changed: from reusable

Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server

🤖 This comment is automatically generated.

@github-actions github-actions Bot added the triage Do not begin working on this issue until triaged by the team label Jun 4, 2026
@emisanada emisanada marked this pull request as ready for review June 8, 2026 20:10
Copilot AI review requested due to automatic review settings June 8, 2026 20:10

Copilot AI left a comment

Contributor


Pull request overview

Note: Copilot was unable to run its full agentic suite in this review.

Updates Dependabot IP allow list guidance to clarify that Dependabot’s repository access is exempt from IP allow list restrictions, while still advising static IP solutions for workflows that need them.

Changes:

  • Replaces runner-IP-focused opening with a statement about Dependabot’s exemption from IP allow list restrictions.
  • Reframes the “must use self-hosted/larger runners” guidance as conditional on needing static IPs for other resources (e.g., private registries).
  • Minor wording cleanup in the larger runners/static IP sentence.
Summary per file:

File: data/reusables/dependabot/ip-allow-list-dependabot.md
Description: Clarifies Dependabot’s IP allow list behavior and refines guidance on when static IP runners are needed.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 1

@@ -1,7 +1,7 @@
By default, dynamically provisioned {% data variables.product.github %}-hosted runners do not guarantee static IP addresses. This includes the runners that are used by default with {% data variables.product.prodname_dependabot %}.
{% data variables.product.prodname_dependabot %} is a first-party {% data variables.product.github %} App whose repository access is exempt from IP allow list restrictions. This means {% data variables.product.prodname_dependabot %} can read dependency files and create pull requests regardless of your IP allow list configuration, even when running on standard {% data variables.product.github %}-hosted runners.
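Review bot: the replacement for line 1 drops the statement that dynamically provisioned GitHub-hosted runners do not guarantee static IP addresses, which is the premise for the runner guidance the PR description says it keeps for private package registries behind firewalls; unless a later line of the reusable restates it, keep that sentence after the new exemption statement. The new wording "regardless of your IP allow list configuration" also reads as a blanket claim, while the description itself notes that the GITHUB_TOKEN used in Dependabot workflow steps has a different exemption scope; scoping the sentence to Dependabot's own repository access (reading dependency files and creating pull requests) would avoid implying that workflow steps inherit the exemption.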
@emisanada

Contributor Author

Closing — moving to docs-internal per DIY docs guidelines.

@emisanada emisanada closed this Jun 8, 2026