content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md
15 additions & 0 deletions
@@ -35,6 +35,9 @@ You can use {% data variables.product.prodname_actions %} to perform automated t
35
35
36
36
## About {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %}
37
37
38
+
> [!IMPORTANT]
39
+
> If {% data variables.product.prodname_dependabot %} is enabled for a repository, it will always run—**bypassing both GitHub Actions policy checks and disablement**. This means Dependabot workflows will still execute even if GitHub Actions is disabled or restricted by enterprise or organization policies.
40
+
38
41
{% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date. You can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request.
39
42
40
43
{% data reusables.dependabot.working-with-actions-considerations %} For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions).
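Review bot: In the added `[!IMPORTANT]` callout, "it will always run" and "Dependabot workflows will still execute" do not say what actually executes: the Dependabot update jobs themselves, or repository workflows triggered by Dependabot pull requests, which is what the context paragraph right after the callout describes. An administrator who disabled Actions as a code-execution control needs that distinction, so name the jobs precisely. The second sentence also hardcodes "Dependabot" and "GitHub Actions" where the first sentence and the neighbouring context lines use `{% data variables.product.prodname_dependabot %}` and `{% data variables.product.prodname_actions %}`; use the variables throughout.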
@@ -187,6 +190,18 @@ jobs:
187
190
> [!NOTE]
188
191
> If you use status checks to test pull requests, you should enable **Require status checks to pass before merging** for the target branch for {% data variables.product.prodname_dependabot %} pull requests. This branch protection rule ensures that pull requests are not merged unless **all the required status checks pass**. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule).
189
192
193
+
## 📌 Dependabot and GitHub Actions Policies
194
+
195
+
Normally, whether a workflow can run in a repository depends on GitHub Actions **policy checks** and whether GitHub Actions is **enabled** at the organization or repository level. These controls can restrict workflows from running—especially when external actions are blocked or GitHub Actions is disabled entirely.
196
+
197
+
However, when {% data variables.product.prodname_dependabot %} is enabled for a repository, its workflows will always run—**bypassing both Actions policy checks and disablement**.
198
+
199
+
* {% data variables.product.prodname_dependabot %} workflows are not blocked by Actions disablement or enterprise policy restrictions.
200
+
* The actions referenced within these workflows are also allowed to run, even if external actions are disallowed.
201
+
* This behavior aligns with GitHub's organizational ruleset workflows, which may override repository-level settings.
202
+
203
+
For more details, see [About Dependabot on GitHub Actions Runners](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners).
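Review bot: The second bullet of the new section ("The actions referenced within these workflows are also allowed to run, even if external actions are disallowed") describes an exception to an action allow-list without stating its scope. Say which workflows count as "these workflows" and what control remains for an administrator who wants to stop them, since the section currently offers none. The paragraph starting "However, when" repeats the `[!IMPORTANT]` callout from the first hunk almost word for word; keep the statement in one place and refer to it from the other. The third bullet ("aligns with GitHub's organizational ruleset workflows, which may override repository-level settings") is vague and unlinked; either link the relevant article or drop it. Style: the heading `## 📌 Dependabot and GitHub Actions Policies` uses an emoji, title case and hardcoded product names, unlike the `## About {% data variables.product.prodname_dependabot %} ...` heading shown in the first hunk, and the closing link uses custom text where the context lines use `[AUTOTITLE](...)`.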