Managing Dependabot on self-hosted runners

About Dependabot on GitHub Actions self-hosted runners

You can help users of your organization and repositories to create and maintain secure code by setting up Dependabot security and version updates. With Dependabot updates, developers can configure repositories so that their dependencies are updated and kept secure automatically. Running Dependabot on GitHub Actions allows for better performance, and increased visibility and control of Dependabot jobs.

To have greater control over Dependabot access to your private registries and internal network resources, you can configure Dependabot to run on GitHub Actions self-hosted runners.

For security reasons, when running Dependabot on GitHub Actions self-hosted runners, Dependabot updates will not be run on public repositories.

For more information about configuring Dependabot access to private registries when using GitHub-hosted runners, see Guidance for the configuration of private registries for Dependabot. For information about which ecosystems are supported as private registries, see Removing Dependabot access to public registries.

Prerequisites

You must have Dependabot installed and enabled, and GitHub Actions enabled and in use. The "Dependabot on GitHub Actions Runners" setting for your organization should also be enabled. For more information, see 关于 GitHub Actions 运行程序上的 Dependabot.

Your organization may have configured a policy to restrict actions and self-hosted runners from running in specific repositories, which in turn will not allow Dependabot to run on GitHub Actions self-hosted runners. In this case, the organization or repository level setting to enable "Dependabot on self-hosted runners" will not be visible in the web UI. For more information, see 禁用或限制组织的 GitHub Actions.

强制实施策略以仅允许企业中的操作和可重用工作流，并且对 GitHub Actions 启用 Dependabot 时，Dependabot 将不会运行。 若要使 Dependabot 能够与企业操作和可重用工作流一起运行，应选择允许 GitHub 创建的操作，或允许指定的操作和可重用工作流。 有关详细信息，请参阅“在企业中为 GitHub Actions 实施策略”。

Configuring self-hosted runners for Dependabot updates

After you configure your organization or repository to run Dependabot on GitHub Actions, and before you enable Dependabot on self-hosted runners, you need to configure self-hosted runners for Dependabot updates.

System requirements for Dependabot runners

用于 Dependabot 运行器的任何虚拟机 (VM) 都必须满足自托管运行器的要求。 此外，它们还必须满足以下要求。

• Linux 操作系统

• x64 体系结构

• 安装有运行器用户访问权限的 Docker：

  • 建议在无根模式下安装 Docker，并将运行器配置为在没有 root 特权的情况下访问 Docker。
  • 或者，安装 Docker 并授予运行器用户提升的权限来运行 Docker。

CPU 和内存要求将取决于在给定 VM 上部署的并发运行器的数量。 作为指导，我们已在一台 2 CPU 8GB 的计算机上成功设置了 20 个运行器，但最终，CPU 和内存要求将在很大程度上取决于正在更新的存储库。 某些生态系统需要比其他生态系统更多的资源。

如果在 VM 上指定了 14 个以上的并发运行器，则还必须更新 Docker /etc/docker/daemon.json 配置，以增加 Docker 可以创建的默认网络数。

{
  "default-address-pools": [
    {"base":"10.10.0.0/16","size":24}
  ]
}

Network requirements for Dependabot runners

Dependabot 运行器需要访问公共互联网、GitHub.com 以及将在 Dependabot updates 更新中使用的任何内部注册表。 为了最大程度地降低内部网络的风险，应该限制虚拟机 (VM) 对内部网络的访问。 如果运行器下载了一个被劫持的依赖项，这将减少内部系统损坏的可能性。

还需要允许出站流量流往 dependabot-actions.githubapp.com 以阻止Dependabot security updates 的作业失败。 有关详细信息，请参阅“自托管运行程序参考”。

Certificate configuration for Dependabot runners

If Dependabot needs to interact with registries that use self-signed certificates, those certificates must also be installed on the self-hosted runners that run Dependabot jobs. This security hardens the connection. You must also configure Node.js to use the certificate, because most actions are written in JavaScript and run using Node.js, which does not use the operating system certificate store.

Adding self-hosted runners for Dependabot updates

1. Provision self-hosted runners, at the repository or organization level. For more information, see 自托管运行程序 and 添加自托管的运行器.

2. Set up the self-hosted runners with the requirements described above. For example, on a VM running Ubuntu 20.04 you would:

   • Install Docker and ensure that the runner users have access to Docker. For more information, see the Docker documentation.
     • Install Docker Engine on Ubuntu
     • Recommended approach: Run the Docker daemon as a non-root user (Rootless mode)
     • Alternative approach: Manage Docker as a non-root user
   • Verify that the runners have access to the public internet and can only access the internal networks that Dependabot needs.
   • Install any self-signed certificates for registries that Dependabot will need to interact with.

3. Assign a dependabot label to each runner you want Dependabot to use. For more information, see 将标签与自托管运行程序结合使用.

4. Optionally, enable workflows triggered by Dependabot to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see 对 GitHub Actions 上的 Dependabot 进行故障排除.

Enabling self-hosted runners for Dependabot updates

Once you have configured self-hosted runners for Dependabot updates, you can enable or disable Dependabot updates on self-hosted runners at the organization or repository level.

Note, disabling and re-enabling the "Dependabot on self-hosted runners" settings will not trigger a new Dependabot run.

Enabling or disabling for your repository

You can manage Dependabot on self-hosted runners for your private or internal repository.

1. 在 GitHub 上，导航到存储库的主页面。

2. 在仓库名称下，单击 “Settings”****。 如果看不到“设置”选项卡，请选择“”下拉菜单，然后单击“设置”。

   

3. 在边栏的“Security”部分中，单击“ Advanced Security”****。

4. Under "Dependabot", to the right of "Dependabot on self-hosted runners", click Enable to enable the feature or Disable to disable it.

Enabling or disabling for your organization

You can enable Dependabot on self-hosted runners for all existing private or internal repositories in an organization. Only repositories already configured to run Dependabot on GitHub Actions will be updated to run Dependabot on self-hosted runners the next time a Dependabot job is triggered.

1. 在 GitHub 的右上角，单击个人资料图片，然后单击“ Your organizations”****。
2. 在组织旁边，单击“设置”。
3. 在边栏的“Security”部分中，依次单击“ Advanced Security”和“Global settings”********。
4. Under "Dependabot", select "Dependabot on self-hosted runners" to enable the feature or deselect to disable it. This action enables or disables the feature for all new repositories in the organization.

For more information, see 配置组织的全局安全设置.