Clarify Dependabot is exempt from IP allow list enforcement #44598

Closed
emisanada wants to merge 1 commit into github:main from emisanada:emisanada/clarify-dependabot-ip-allowlist-behavior

Conversation

@emisanada (Contributor)

Summary

Updates the Dependabot IP allow list documentation to accurately reflect that Dependabot is a first-party GitHub App whose repository access is exempt from IP allow list restrictions.

Why

The current docs state that customers "must set up a self-hosted runner or enable Dependabot for use with larger runners" when using IP allow lists. This is inaccurate for Dependabot's core operations:

  • Dependabot is a privileged first-party app with explicit ip_allowlist_exempt: true capability
  • Its repository access (reading dependency files, creating PRs) bypasses IP allow list enforcement by design
  • Customers have observed this working and are confused because the docs say otherwise (internal ref)

Changes

Rewrites data/reusables/dependabot/ip-allow-list-dependabot.md to:

  1. State clearly that Dependabot's repository access is exempt from IP allow lists
  2. Remove misleading "must" language about requiring self-hosted/larger runners for basic Dependabot functionality
  3. Keep runner guidance for other use cases where static IPs are needed (e.g., accessing private package registries behind firewalls)

What this does NOT cover

The interaction between GITHUB_TOKEN in Dependabot workflow steps and IP allow list enforcement is nuanced and not fully documented here. The Actions app has a different exemption scope (ip_allowlist_exempt_for_internal_apis only). This PR focuses solely on clarifying Dependabot's own access, which is unambiguously exempt.

Affected pages

This reusable appears on:

@welcome

welcome Bot commented Jun 4, 2026

Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@github-actions github-actions Bot added the triage Do not begin working on this issue until triaged by the team label Jun 4, 2026
@github-actions (Contributor)

github-actions Bot commented Jun 4, 2026

How to review these changes 👓

Thank you for your contribution. To review these changes, choose one of the following options:

A Hubber will need to deploy your changes internally to review.

Table of review links

Note: Please update the URL for your staging server or codespace.

The table shows the files in the content directory that were changed in this pull request. This helps you review your changes on a staging server. Changes to the data directory are not included in this table.

Source: admin/configuring-settings/hardening-security-for-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md
Review: ghec
Production: ghec
What Changed: from reusable

Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server

🤖 This comment is automatically generated.

Dependabot is a first-party GitHub App with explicit IP allow list
exemption. Update docs to accurately state that Dependabot can access
repositories regardless of IP allow list configuration.

Addresses: github/enterprise-primitives#5258

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@emisanada emisanada force-pushed the emisanada/clarify-dependabot-ip-allowlist-behavior branch from 08fcc46 to 56180be on June 4, 2026 22:59

@emisanada (Contributor, Author)

Closing due to fork sync conflict (requires workflow scope to sync fork with upstream). Will recreate after syncing.

@emisanada emisanada closed this Jun 4, 2026
@emisanada emisanada deleted the emisanada/clarify-dependabot-ip-allowlist-behavior branch June 4, 2026 23:10

Labels

triage Do not begin working on this issue until triaged by the team
