
Clarify Dependabot is exempt from IP allow list enforcement#44599

Draft
emisanada wants to merge 1 commit into github:main from emisanada:emisanada/clarify-dependabot-ip-allowlist-behavior

Conversation

@emisanada

Summary

Updates the Dependabot IP allow list documentation to accurately reflect that Dependabot is a first-party GitHub App whose repository access is exempt from IP allow list restrictions.

Why

The current docs state that customers "must set up a self-hosted runner or enable Dependabot for use with larger runners" when using IP allow lists. This is inaccurate for Dependabot's core operations:

  • Dependabot is a privileged first-party app with explicit ip_allowlist_exempt: true capability
  • Its repository access (reading dependency files, creating PRs) bypasses IP allow list enforcement by design
  • Customers have observed this working and are confused because the docs say otherwise (internal ref)

Changes

Rewrites data/reusables/dependabot/ip-allow-list-dependabot.md to:

  1. State clearly that Dependabot's repository access is exempt from IP allow lists
  2. Remove misleading "must" language about requiring self-hosted/larger runners for basic Dependabot functionality
  3. Keep runner guidance for other use cases where static IPs are needed (e.g., accessing private package registries behind firewalls)

What this does NOT cover

The interaction between GITHUB_TOKEN in Dependabot workflow steps and IP allow list enforcement is nuanced and not fully documented here. The Actions app has a different exemption scope (ip_allowlist_exempt_for_internal_apis only). This PR focuses solely on clarifying Dependabot's own access, which is unambiguously exempt.

Affected pages

This reusable appears on:

Dependabot is a first-party GitHub App with explicit IP allow list
exemption. Update docs to accurately state that Dependabot can access
repositories regardless of IP allow list configuration.

Addresses: github/enterprise-primitives#5258

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
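The two exemption scopes the PR description names (Dependabot's `ip_allowlist_exempt` versus the Actions app's `ip_allowlist_exempt_for_internal_apis`) can be made concrete with a small model of how an IP allow list check would treat each caller. This is an added example, not code from the PR, the docs repo, or GitHub itself: the capability names are the ones quoted above, but the evaluation order, the `Principal`/`AllowListEntry` types, the `internal_api` flag and the sample allow list (RFC 5737 test ranges) are assumptions made for illustration. The `uncovered` helper at the end addresses the case the PR keeps runner guidance for: ranges such as larger-runner static IPs that a non-exempt caller would still need added to the list.

```python
"""Model of IP allow list evaluation with first-party GitHub App exemptions.

Added example, not code from the PR or from GitHub. It models the two
capability flags named in the PR description (ip_allowlist_exempt and
ip_allowlist_exempt_for_internal_apis); how GitHub actually evaluates them
is assumed here for illustration. Addresses come from RFC 5737 test ranges.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AllowListEntry:
    cidr: str
    active: bool = True
    name: str = ""


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str  # "user" or "app"
    capabilities: frozenset = frozenset()


# Constructed sample allow list: one active corporate egress range and one
# entry that has been disabled but not deleted.
ALLOW_LIST = [
    AllowListEntry("203.0.113.0/24", name="corp-egress"),
    AllowListEntry("192.0.2.0/24", active=False, name="old-office"),
]

# Constructed principals. Capability names are the ones quoted in the PR;
# assigning them to these apps mirrors the PR's description of each app.
DEPENDABOT = Principal("dependabot", "app", frozenset({"ip_allowlist_exempt"}))
ACTIONS = Principal("github-actions", "app",
                    frozenset({"ip_allowlist_exempt_for_internal_apis"}))
ALICE = Principal("alice", "user")


def entry_matches(entry: AllowListEntry, addr) -> bool:
    """An entry only grants access while it is active."""
    return entry.active and addr in ipaddress.ip_network(entry.cidr, strict=False)


def evaluate(allow_list, principal: Principal, source_ip: str,
             internal_api: bool = False):
    """Return (allowed, reason) for one request.

    Assumed order: a fully exempt app passes regardless of source address;
    an app exempt only for internal APIs passes only when the request is
    an internal API call; everything else must match an active entry.
    """
    addr = ipaddress.ip_address(source_ip)
    if principal.kind == "app":
        if "ip_allowlist_exempt" in principal.capabilities:
            return True, f"{principal.name}: exempt from IP allow list"
        if internal_api and "ip_allowlist_exempt_for_internal_apis" in principal.capabilities:
            return True, f"{principal.name}: exempt for internal API call"
    for entry in allow_list:
        if entry_matches(entry, addr):
            return True, f"{source_ip} matched {entry.cidr} ({entry.name})"
    return False, f"{source_ip} is not in any active allow list entry"


def uncovered(allow_list, cidrs):
    """Ranges (e.g. static IPs of larger runners) not fully inside an active entry.

    These are the addresses that would still have to be added before a
    non-exempt caller from them could reach the enterprise.
    """
    active = [ipaddress.ip_network(e.cidr, strict=False)
              for e in allow_list if e.active]
    missing = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in active):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    checks = [
        (DEPENDABOT, "198.51.100.7", False),  # Dependabot from outside the list
        (ACTIONS, "198.51.100.7", True),      # Actions, internal API path
        (ACTIONS, "198.51.100.7", False),     # Actions token against a non-internal API
        (ALICE, "203.0.113.10", False),       # user inside corp egress
        (ALICE, "192.0.2.5", False),          # user inside the disabled entry
    ]
    for principal, ip, internal in checks:
        allowed, reason = evaluate(ALLOW_LIST, principal, ip, internal_api=internal)
        print("ALLOW" if allowed else "DENY ", reason)
    print("runner ranges still to add:",
          uncovered(ALLOW_LIST, ["203.0.113.0/25", "198.51.100.0/28"]))
```

Running the script shows the distinction the PR draws: the Dependabot principal is allowed from an address that is in no entry, the Actions principal is allowed from the same address only on the internal API path, and a user token from there is denied. Whether a `GITHUB_TOKEN` used in a Dependabot workflow step goes down the "internal API" path or the ordinary one is exactly the nuance the PR says it does not document, so the `internal_api` flag is a modelling choice, not a statement about GitHub's behaviour.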
@github-actions

github-actions Bot commented Jun 4, 2026

How to review these changes 👓

Thank you for your contribution. To review these changes, choose one of the following options:

A Hubber will need to deploy your changes internally to review.

Table of review links

Note: Please update the URL for your staging server or codespace.

The table shows the files in the content directory that were changed in this pull request. This helps you review your changes on a staging server. Changes to the data directory are not included in this table.

| Source | Review | Production | What Changed |
| --- | --- | --- | --- |
| admin/configuring-settings/hardening-security-for-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md | ghec | ghec | from reusable |

Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server

🤖 This comment is automatically generated.

@github-actions github-actions Bot added the triage Do not begin working on this issue until triaged by the team label Jun 4, 2026