Read more about Dependabot on GitHub Actions runners.
Dependabot on GitHub Actions and self-hosted runners is now generally available
A quick guide on the advantages of Dependabot as a GitHub Actions workflow and the benefits this unlocks, including self-hosted runner support.
Starting today, administrators using Github.com
accounts can enable their repositories and/or organizations to run Dependabot updates jobs as a GitHub Actions workflow using both hosted and self-hosted runners. Running Dependabot does not count towards GitHub Actions minutes–meaning that using Dependabot continues to be free for everyone.
Since its launch, Dependabot has used hosted compute to simplify the process of running update jobs, minimizing the amount of work developers need to do to stay on top of security vulnerabilities. However, this compute system wasn’t able to access some on-premises resources like private registries–a growing best practice outlined in frameworks like S2C2F–and it wasn’t as flexible as it could be. Further, as GitHub Actions has become more ubiquitous over the years, users told us they wanted to see the logs for all their jobs in just one place.
To tackle these challenges, GitHub is consolidating Dependabot’s compute platform to GitHub Actions, and jobs that generate pull requests can now be run as GitHub Actions workflows. This allows Dependabot to leverage GitHub Actions infrastructure, including connecting Dependabot to self-hosted runners. With this change, users can choose to run Dependabot on their private networks with self-hosted runners, allowing Dependabot to access on-premises private registries and update those packages. Developers will see performance improvements, like faster Dependabot runs and increased log visibility. APIs and webhooks for GitHub Actions can also detect failed runs and perform downstream processing should developers wish to configure this in their CI/CD pipelines.
For more information on how to enable your repositories with Dependabot as a GitHub Actions workflow, please see our documentation for Dependabot on GitHub Actions runners. If you’d like to learn more about or enable self-hosted runners, check out the differences between hosted and self-hosted runners.
Over the course of the next year, Dependabot will also migrate all update jobs to run on GitHub Actions. This migration will include faster runs, increased troubleshooting visibility, self-hosted runners, and other performance and feature benefits. For most users, the transition will be seamless; however, if your organization has disabled GitHub Actions by policy, your administrators will receive instructions about how to update your configuration to ensure that the Dependabot service is not interrupted.
Up next for Dependabot: in addition to gathering your feedback on Dependabot on the GitHub Actions compute infrastructure, the team is working to support additional dependabot.yml
configuration options for multiple directories and multiple ecosystems. Keep an eye on the GitHub Changelog for more and please let us know what you think by contributing to our community discussion!
Tags:
Written by
Related posts
Code referencing now generally available in GitHub Copilot and with Microsoft Azure AI
Announcing the general availability of code referencing in GitHub Copilot and Microsoft Azure AI, allowing developers to permit code suggestions containing public code matches while receiving detailed information about the match.
The nuances and challenges of moderating a code collaboration platform
Sharing the latest data update to our Transparency Center alongside a new research article on what makes moderating a code collaboration platform unique.
GitHub Copilot now available in github.com for Copilot Individual and Copilot Business plans
With this public preview, we’re unlocking the context of your code and collaborators—and taking the next step in infusing AI into every developer’s workflow.