Dependabot on GitHub Actions and self-hosted runners is now generally available
A quick guide on the advantages of Dependabot as a GitHub Actions workflow and the benefits this unlocks, including self-hosted runner support.
Starting today, administrators using GitHub.com accounts can enable their repositories and/or organizations to run Dependabot update jobs as GitHub Actions workflows on both GitHub-hosted and self-hosted runners. Running Dependabot does not count toward GitHub Actions minutes, meaning that using Dependabot continues to be free for everyone.
Since its launch, Dependabot has used hosted compute to simplify the process of running update jobs, minimizing the amount of work developers need to do to stay on top of security vulnerabilities. However, this compute system wasn't able to reach some on-premises resources like private registries, a growing best practice outlined in frameworks like S2C2F, and it wasn't as flexible as it could be. Further, as GitHub Actions has become more ubiquitous over the years, users told us they wanted to see the logs for all their jobs in one place.
To tackle these challenges, GitHub is consolidating Dependabot’s compute platform to GitHub Actions, and jobs that generate pull requests can now be run as GitHub Actions workflows. This allows Dependabot to leverage GitHub Actions infrastructure, including connecting Dependabot to self-hosted runners. With this change, users can choose to run Dependabot on their private networks with self-hosted runners, allowing Dependabot to access on-premises private registries and update those packages. Developers will see performance improvements, like faster Dependabot runs and increased log visibility. APIs and webhooks for GitHub Actions can also detect failed runs and perform downstream processing should developers wish to configure this in their CI/CD pipelines.
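The last sentence above is the hook for downstream processing: once Dependabot jobs are ordinary Actions workflow runs, a `workflow_run` webhook reports their outcome. The following is an added example, not GitHub's or Dependabot's own code, of a receiver that verifies the webhook's `X-Hub-Signature-256` HMAC before parsing anything and then flags completed runs that failed. It assumes the webhook secret shown (`WEBHOOK_SECRET`) is the one configured on the repository or organization webhook, and that Dependabot-triggered runs report the actor login `dependabot[bot]`; the sample delivery is constructed for illustration and follows the documented `workflow_run` payload shape.

```python
"""Added example: triage GitHub Actions `workflow_run` webhooks for failed Dependabot runs."""
import hashlib
import hmac
import json
from typing import Optional

# Assumption: the same secret is configured on the webhook in GitHub.
# Load it from a secret store in practice; it is inlined here only so the example runs.
WEBHOOK_SECRET = b"example-webhook-secret"

# Assumption: runs triggered by Dependabot report this actor login.
DEPENDABOT_ACTOR = "dependabot[bot]"


def sign_body(secret: bytes, body: bytes) -> str:
    """Header value GitHub sends: 'sha256=' + hex HMAC-SHA256 over the raw request body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    """Constant-time check of X-Hub-Signature-256 against the raw body.

    Runs before JSON parsing so an unauthenticated sender never reaches the parser.
    """
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), signature_header)


def failed_dependabot_run(event_name: str, payload: dict) -> Optional[dict]:
    """Summarize a completed, failed workflow run attributed to Dependabot; None otherwise."""
    if event_name != "workflow_run" or payload.get("action") != "completed":
        return None
    run = payload.get("workflow_run") or {}
    if run.get("conclusion") != "failure":
        return None
    if (run.get("actor") or {}).get("login") != DEPENDABOT_ACTOR:
        return None
    return {
        "repository": (payload.get("repository") or {}).get("full_name"),
        "run_id": run.get("id"),
        "workflow": run.get("name"),
        "branch": run.get("head_branch"),
        "url": run.get("html_url"),
    }


def handle_webhook(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> tuple:
    """Process one delivery and return (status, summary_or_None).

    Header names are normalized to lower case because proxies may rewrite their case.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, body, lower.get("x-hub-signature-256")):
        return ("rejected", None)
    try:
        payload = json.loads(body)
    except ValueError:
        return ("bad_payload", None)
    summary = failed_dependabot_run(lower.get("x-github-event", ""), payload)
    return ("failed_run", summary) if summary else ("ignored", None)


def build_delivery(payload: dict, event: str = "workflow_run", secret: bytes = WEBHOOK_SECRET) -> tuple:
    """Encode a payload the way GitHub would deliver it: (headers, raw body)."""
    body = json.dumps(payload).encode()
    return ({"X-GitHub-Event": event, "X-Hub-Signature-256": sign_body(secret, body)}, body)


# Constructed sample delivery (not a real capture) following the workflow_run payload shape.
SAMPLE_PAYLOAD = {
    "action": "completed",
    "workflow_run": {
        "id": 1234567890,
        "name": "Dependabot Updates",
        "head_branch": "dependabot/npm_and_yarn/lodash-4.17.21",
        "conclusion": "failure",
        "html_url": "https://github.com/example-org/example-repo/actions/runs/1234567890",
        "actor": {"login": DEPENDABOT_ACTOR},
    },
    "repository": {"full_name": "example-org/example-repo"},
}

if __name__ == "__main__":
    headers, body = build_delivery(SAMPLE_PAYLOAD)
    print(handle_webhook(headers, body))
```

The summary dictionary is what you would hand to the downstream step, for example opening a ticket or posting to a chat channel; the `rejected` path should be logged and counted, since a burst of signature failures is the signal that someone other than GitHub is probing the endpoint.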
For more information on how to enable your repositories with Dependabot as a GitHub Actions workflow, please see our documentation for Dependabot on GitHub Actions runners. If you’d like to learn more about or enable self-hosted runners, check out the differences between hosted and self-hosted runners.
Over the course of the next year, Dependabot will also migrate all update jobs to run on GitHub Actions. This migration brings faster runs, increased troubleshooting visibility, self-hosted runners, and other performance and feature benefits. For most users, the transition will be seamless; however, if your organization has disabled GitHub Actions by policy, your administrators will receive instructions on how to update your configuration so that the Dependabot service is not interrupted.
Up next for Dependabot: in addition to gathering your feedback on Dependabot on the GitHub Actions compute infrastructure, the team is working to support additional dependabot.yml configuration options for multiple directories and multiple ecosystems. Keep an eye on the GitHub Changelog for more, and please let us know what you think by contributing to our community discussion!