
Clarify Dependabot is exempt from IP allow list enforcement#44594

Closed
emisanada wants to merge 3 commits into github:main from emisanada:emisanada/clarify-dependabot-ip-allowlist-behavior

Conversation

@emisanada
Contributor

@emisanada emisanada commented Jun 4, 2026

Summary

Updates the Dependabot IP allow list documentation to accurately reflect that Dependabot is a first-party GitHub App whose repository access is exempt from IP allow list restrictions.

Why

The current docs state that customers "must set up a self-hosted runner or enable Dependabot for use with larger runners" when using IP allow lists. This is inaccurate for Dependabot's core operations:

  • Dependabot is a privileged first-party app with explicit ip_allowlist_exempt: true capability
  • Its repository access (reading dependency files, creating PRs) bypasses IP allow list enforcement by design
  • Customers have observed this working and are confused because the docs say otherwise (internal ref)

Changes

Rewrites data/reusables/dependabot/ip-allow-list-dependabot.md to:

  1. State clearly that Dependabot's repository access is exempt from IP allow lists
  2. Remove misleading "must" language about requiring self-hosted/larger runners for basic Dependabot functionality
  3. Keep runner guidance for other use cases where static IPs are needed (e.g., accessing private package registries behind firewalls)

What this does NOT cover

The interaction between GITHUB_TOKEN in Dependabot workflow steps and IP allow list enforcement is nuanced and not fully documented here. The Actions app has a different exemption scope (ip_allowlist_exempt_for_internal_apis only). This PR focuses solely on clarifying Dependabot's own access, which is unambiguously exempt.

Affected pages

This reusable appears on:

Add a warning note that Dependabot runs on standard GitHub-hosted
runners may succeed despite an IP allow list being enabled, and that
this behavior is not guaranteed or supported.

This addresses customer confusion documented in
github/enterprise-primitives#5258 where a Dependabot run succeeded
on a GitHub-hosted runner while the organization IP allow list was
enabled.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
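As an added example (not code from this PR or from GitHub), a small Python model of the distinction the description draws: a first-party app flagged `ip_allowlist_exempt` is allowed from any address, while a `GITHUB_TOKEN` call made from a workflow step is checked against the organization's allow list, which is why a runner with a static, allow-listed IP is the fix for those extra steps. The CIDRs, IPs and the `exempt_apps` set are constructed for illustration.

```python
"""Model of IP allow list enforcement as described in the PR text.
Constructed example: the policy, app names and addresses are made up."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IpAllowList:
    enabled: bool
    entries: list                       # CIDR strings, e.g. "203.0.113.0/24"
    exempt_apps: set = field(default_factory=set)  # apps with ip_allowlist_exempt: true

    def permits_address(self, addr: str) -> bool:
        """True when addr falls inside any allow-listed CIDR."""
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(c, strict=False) for c in self.entries)


def is_allowed(policy: IpAllowList, actor: tuple, source_ip: str) -> bool:
    """actor is ("app", name) for an app's own repository access, or
    ("token", "GITHUB_TOKEN") for a request made by a workflow step on a runner.
    Exempt apps bypass the list; everything else is checked by source address."""
    if not policy.enabled:
        return True
    kind, name = actor
    if kind == "app" and name in policy.exempt_apps:
        return True
    return policy.permits_address(source_ip)


def scenarios() -> dict:
    """The cases the PR description separates, with a constructed policy:
    one allow-listed corporate range and Dependabot marked exempt."""
    policy = IpAllowList(enabled=True, entries=["203.0.113.0/24"],
                         exempt_apps={"dependabot"})
    hosted_runner_ip = "198.51.100.7"    # not in the list (constructed)
    self_hosted_ip = "203.0.113.42"      # static IP inside the list (constructed)
    return {
        # Dependabot reading manifests / opening PRs: exempt, so it succeeds
        "dependabot_repo_access": is_allowed(policy, ("app", "dependabot"), hosted_runner_ip),
        # A workflow step using GITHUB_TOKEN from a non-listed address: blocked
        "token_from_hosted_runner": is_allowed(policy, ("token", "GITHUB_TOKEN"), hosted_runner_ip),
        # Same step from a self-hosted runner whose IP is allow-listed: permitted
        "token_from_self_hosted": is_allowed(policy, ("token", "GITHUB_TOKEN"), self_hosted_ip),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case}: {'allowed' if ok else 'blocked'}")
```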
@github-actions github-actions Bot added the triage Do not begin working on this issue until triaged by the team label Jun 4, 2026
@github-actions
Contributor

github-actions Bot commented Jun 4, 2026

How to review these changes 👓

Thank you for your contribution. To review these changes, choose one of the following options:

A Hubber will need to deploy your changes internally to review.

Table of review links

Note: Please update the URL for your staging server or codespace.

The table shows the files in the content directory that were changed in this pull request. This helps you review your changes on a staging server. Changes to the data directory are not included in this table.

Source | Review | Production | What Changed
admin/configuring-settings/hardening-security-for-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md | ghec | ghec | from reusable

Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server

🤖 This comment is automatically generated.

Dependabot is a first-party GitHub App that is explicitly exempt from
IP allow list enforcement. Update the docs to accurately reflect this:

- Dependabot's own repo access (reading deps, creating PRs) is exempt
- Additional workflow steps using GITHUB_TOKEN may still be blocked
- Self-hosted/larger runners are only needed for those additional steps

Previously the docs implied Dependabot would be blocked entirely by
IP allow lists, which does not match the actual implementation.

Addresses: github/enterprise-primitives#5258

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@emisanada emisanada changed the title from "Clarify Dependabot IP allow list bypass behavior" to "Clarify Dependabot IP allow list exemption" Jun 4, 2026
Dependabot is a first-party GitHub App with explicit IP allow list
exemption. Update docs to:

- State clearly that Dependabot repo access is exempt from IP allow lists
- Remove misleading guidance that self-hosted runners are required
- Keep self-hosted/larger runner guidance for other use cases (e.g.,
  accessing private registries behind firewalls)

Addresses: github/enterprise-primitives#5258

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@emisanada emisanada changed the title from "Clarify Dependabot IP allow list exemption" to "Clarify Dependabot is exempt from IP allow list enforcement" Jun 4, 2026
@emisanada emisanada closed this Jun 4, 2026
@emisanada emisanada deleted the emisanada/clarify-dependabot-ip-allowlist-behavior branch June 4, 2026 22:42
Labels

triage Do not begin working on this issue until triaged by the team
