Clarify that Dependabot workflows bypass Actions policy checks and disablement #38421

Merged: 16 commits, May 19, 2025

Conversation

@kbukum1 (Contributor) commented May 19, 2025

Why:

Closes: https://github.com/github/docs-content/issues/14456

What's being changed (if available, include any code snippets, screenshots, or gifs):

This PR updates the documentation to clarify the behavior of Dependabot when GitHub Actions is disabled or restricted by policy checks.

Pages updated:

  • automating-dependabot-with-github-actions.md
  • about-dependabot-on-github-actions-runners.md

Key changes:

  • Clearly document that Dependabot workflows will always run when enabled, regardless of whether:
    • GitHub Actions is disabled at the repository or organization level
    • Enterprise or org-level policy checks block external actions
  • Added a [!IMPORTANT] note to both pages emphasizing this behavior
  • Rewrote the "📌 Dependabot and GitHub Actions Policies" section to first explain normal GitHub Actions enforcement, then describe Dependabot's exception
  • Updated intro: metadata in the second doc to reflect the bypass behavior

These updates ensure that customers understand why Dependabot workflows run even when other GitHub Actions workflows may be restricted or blocked.

Check off the following:

  • A subject matter expert (SME) has reviewed the technical accuracy of the content in this PR. In most cases, the author can be the SME. Open source contributions may require an SME review from GitHub staff.
  • The changes in this PR meet the docs fundamentals that are required for all content.
  • All CI checks are passing and the changes look good in the review environment.

welcome bot commented May 19, 2025

Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@github-actions github-actions bot added the "triage: Do not begin working on this issue until triaged by the team" label May 19, 2025

github-actions bot (Contributor) commented May 19, 2025

How to review these changes 👓

Thank you for your contribution. To review these changes, choose one of the following options:

A Hubber will need to deploy your changes internally to review.

Table of review links

Note: Please update the URL for your staging server or codespace.

The table shows the files in the content directory that were changed in this pull request. This helps you review your changes on a staging server. Changes to the data directory are not included in this table.

Source | Review | Production | What Changed
code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md | fpt, ghec | fpt, ghec |
code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md | fpt, ghec, ghes@3.17 3.16 3.15 3.14 3.13 | fpt, ghec, ghes@3.17 3.16 3.15 3.14 3.13 |

Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server

🤖 This comment is automatically generated.

@docs-bot (Collaborator) commented May 19, 2025

Previous broken links comment now moot. 👌😙

@kbukum1 kbukum1 marked this pull request as ready for review May 19, 2025 18:45
@Copilot Copilot AI review requested due to automatic review settings May 19, 2025 18:45
@Copilot Copilot AI (Contributor) left a comment

Pull Request Overview

This PR clarifies that enabling Dependabot workflows bypasses GitHub Actions policy checks and disablement, ensuring users understand that these workflows always run regardless of repository or enterprise settings.

  • Adds an IMPORTANT callout to the "Automating Dependabot with GitHub Actions" page.
  • Introduces a new "📌 Dependabot and GitHub Actions Policies" section explaining policy and disablement bypass.
  • Updates the intro and adds an IMPORTANT callout in the "About Dependabot on GitHub Actions runners" page.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md | Added an IMPORTANT note and a new policy section detailing how Dependabot bypasses Actions policies and disablement.
content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md | Updated the intro to mention bypass behavior and added an IMPORTANT callout in the "About" section.

@Sharra-writes Sharra-writes added the labels "content: This issue or pull request belongs to the Docs Content team", "dependabot: Content related to Dependabot" and "waiting for review: Issue/PR is waiting for a writer's review", and removed "triage: Do not begin working on this issue until triaged by the team" May 19, 2025
jc-clark previously approved these changes May 19, 2025

@jc-clark jc-clark (Contributor) left a comment

Looks good from docs content! I'll commit a couple small updates and then go ahead and merge. Thanks @kbukum1!

@jc-clark jc-clark added this pull request to the merge queue May 19, 2025
Merged via the queue into main with commit 0b52168 May 19, 2025
44 checks passed
@jc-clark jc-clark deleted the kamil/update-dependabot-run-policies branch May 19, 2025 22:56
Contributor

Thanks very much for contributing! Your pull request has been merged 🎉 You should see your changes appear on the site in approximately 24 hours. If you're looking for your next contribution, check out our help wanted issues
