
Setting up Dependabot to run on GitHub-hosted Actions runners using the Azure Private Network

You can configure an Azure Virtual Network (VNET) to run Dependabot on GitHub-hosted runners.

Who can use this feature?

Users with write access

Configuring VNET for Dependabot updates

Note

VNET support for Dependabot on GitHub Actions is currently in public preview and subject to change.

This article provides step-by-step instructions for running Dependabot on GitHub-hosted runners configured with VNET. The article explains:

  • How to create runner groups for your enterprise or organization with a VNET configuration.
  • How to create GitHub-hosted runners for Dependabot in the runner group.
  • How to enable Dependabot on large runners.
  • How to configure Azure VNET firewall IP rules.

To use GitHub-hosted runners with Azure VNET, you first need to configure your Azure resources, then create a private network configuration in GitHub.

Configuring Azure resources

To learn how to use GitHub-hosted runners with an Azure private network, see Configuring your Azure resources.

Note

  • The databaseId required by the script that configures the Azure resources is one of the following, depending on whether you are configuring the resources for an enterprise or for an organization:
    • the enterprise slug, which you can read from the URL of your enterprise, https://github.com/enterprises/SLUG, or
    • the login of the organization account, which you can read from the URL of your organization, https://github.com/organizations/ORGANIZATION_LOGIN.
  • The script returns the full payload for the created resource. The GitHubId hash value in that payload is the network settings resource ID that you will use in the next steps when setting up a network configuration in GitHub.

Configuring a VNET-injected runner for Dependabot updates in your enterprise

After configuring your Azure resources, you can use an Azure Virtual Network (VNET) for private networking by creating a network configuration at the enterprise or organization level. Then, you can associate that network configuration to runner groups.

  1. Add a new network configuration for your enterprise. See Add a new network configuration for your enterprise
  2. Create a runner group for the enterprise and select the organizations that you want to run Dependabot updates for. See Create a runner group for your enterprise
  3. Create and add a GitHub-hosted runner to the enterprise runner group. See Adding a larger runner to an enterprise. Important points are as follows:
    • The runner name must be dependabot

    • Choose a Linux x64 platform.

    • Select the suitable Ubuntu version.

    • When adding your GitHub-hosted runner to a runner group, select the runner group you created in the previous step.

    Note

    Naming the GitHub-hosted runner dependabot assigns the dependabot label to the runner, which is what allows it to pick up the jobs that Dependabot triggers on Actions.

Enabling Dependabot for the organization

To enable Dependabot on larger runners, you must first enable Dependabot on self-hosted runners for your organization. See Enabling or disabling Dependabot on larger runners.

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.

  2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of the tabs in an organization profile. The "Settings" tab is outlined in dark orange.

  3. In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Global settings.

  4. Under Dependabot, select Dependabot on self-hosted runners. This step is required: it ensures that future Dependabot jobs run on the larger GitHub-hosted runner named dependabot instead of on GitHub's default Dependabot infrastructure.

Triggering a Dependabot run

Now that you've set up private networking with VNET, you can start a Dependabot run.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Insights.

  3. In the left sidebar, click Dependency graph.

    Screenshot of the "Dependency graph" tab. The tab is highlighted with an orange outline.

  4. Under "Dependency graph", click Dependabot.

  5. To the right of the manifest file you're interested in, click Recent update jobs.

  6. If there are no recent update jobs for the manifest file, click Check for updates to re-run a Dependabot version updates job and check for new updates to the dependencies of that ecosystem.

Checking logs and active jobs for Dependabot updates

  • You can view the logs of the Dependabot workflow in the Actions tab of your repository. Make sure you select the Dependabot job in the left sidebar of the Actions page.

    Example of log for a "Dependabot in vnet" workflow. The Dependabot job is highlighted with an orange outline.

  • You can view the active jobs on the page containing information about the runner. To access that page, click the Policies tab for the enterprise, select Actions in the left sidebar, click the Runner group tab, and select your runner.

    Screenshot showing a Dependabot runner's active jobs.

Configuring Azure VNET firewall IP rules

If your Azure VNET is protected by a firewall that uses an IP allowlist, you may need to add the IP ranges of GitHub-hosted runners, which GitHub publishes through the meta API endpoint, to the list of allowed addresses.

  • GitHub provides the following public endpoint for its IP ranges:

    GET https://api.github.com/meta

  • Run the following curl command in your terminal or command prompt, replacing the placeholder bearer token with your own. The meta endpoint is public, so the Authorization header may be omitted; sending a token only raises your API rate limit.

    Bash
          curl -L \
          -H "Accept: application/vnd.github+json" \
          -H "Authorization: Bearer YOUR-TOKEN" \
          -H "X-GitHub-Api-Version: 2022-11-28" \
          https://api.github.com/meta
    
  • From the response, look for the actions key.

        "actions": [ ... ]
    

    These are the IP ranges that GitHub Actions runners connect from, including the hosted runners that run Dependabot.

  • Add these ranges to your firewall allowlist. Keep in mind that the ranges are shared by every GitHub-hosted runner, not only yours, and that GitHub changes them over time: scope the rule to the ports your resources actually need, and refresh the allowlist from the endpoint regularly instead of copying it once.
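The following script is an added example for this page, not GitHub's or Azure's own tooling. It takes the body of GET https://api.github.com/meta, pulls out the actions ranges, normalizes and deduplicates them, diffs them against an existing allowlist, and builds an az network nsg rule create command for the result. SAMPLE_META is a constructed, truncated stand-in for the real response (it uses documentation prefixes only); the resource group, NSG and rule names passed to nsg_rule_command, and the assumption that the allowlist is an Azure NSG rule allowing inbound TCP 443, are placeholders to adjust for your environment.

```python
"""Turn the ``actions`` ranges from GET https://api.github.com/meta into
firewall allowlist changes.

Added example for this page, not GitHub's or Azure's own tooling.
SAMPLE_META is a constructed, truncated stand-in for the real response;
in practice call fetch_meta() and pass its body to the same functions.
"""
import ipaddress
import json
import urllib.request
from typing import Dict, List, Optional

# Constructed sample: unsorted, with a duplicate, mixing IPv4 and IPv6,
# like the real (much longer) list. Documentation prefixes only.
SAMPLE_META = json.dumps({
    "hooks": ["192.0.2.0/24"],
    "actions": [
        "198.51.100.0/24",
        "192.0.2.0/24",
        "203.0.113.0/25",
        "2001:db8:1::/48",
        "2001:db8::/32",
        "192.0.2.0/24",
    ],
})


def fetch_meta(token: Optional[str] = None) -> str:
    """Fetch the live /meta body. The endpoint is public; a token only
    raises the rate limit. Not called by the offline demo below."""
    headers = {
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    }
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request("https://api.github.com/meta", headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def _networks(cidrs) -> list:
    # strict=True: a CIDR with host bits set is rejected instead of being
    # silently widened into a broader allow rule.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def _sort_key(net):
    # Keeps IPv4 and IPv6 networks comparable without mixing the types.
    return (net.version, net)


def extract_actions_ranges(meta_body: str) -> Dict[str, List[str]]:
    """Return the deduplicated, sorted runner ranges split by IP version.

    Fails closed: a payload without an ``actions`` key, or with an empty
    one, raises rather than yielding an empty allowlist that automation
    would then push to the firewall as "remove everything".
    """
    cidrs = json.loads(meta_body).get("actions")
    if not cidrs:
        raise ValueError("/meta payload has no 'actions' ranges")
    nets = sorted(set(_networks(cidrs)), key=_sort_key)
    return {
        "ipv4": [str(n) for n in nets if n.version == 4],
        "ipv6": [str(n) for n in nets if n.version == 6],
    }


def diff_allowlist(current: List[str], wanted: List[str]) -> Dict[str, List[str]]:
    """Compare an existing allowlist with the wanted ranges.

    Both sides go through ip_network, so 203.0.113.0/24 and 203.0.113.0/25
    are treated as different entries instead of being string-compared.
    """
    cur, want = set(_networks(current)), set(_networks(wanted))
    return {
        "add": [str(n) for n in sorted(want - cur, key=_sort_key)],
        "remove": [str(n) for n in sorted(cur - want, key=_sort_key)],
    }


def nsg_rule_command(prefixes: List[str], *, resource_group: str, nsg_name: str,
                     rule_name: str, priority: int) -> List[str]:
    """Build an ``az network nsg rule create`` argv allowing inbound TCP 443
    from the given prefixes only. Direction and port are assumptions for
    this example; returned as a list so subprocess.run() needs no shell."""
    return [
        "az", "network", "nsg", "rule", "create",
        "--resource-group", resource_group,
        "--nsg-name", nsg_name,
        "--name", rule_name,
        "--priority", str(priority),
        "--direction", "Inbound",
        "--access", "Allow",
        "--protocol", "Tcp",
        "--destination-port-ranges", "443",
        "--source-address-prefixes", *prefixes,
    ]


if __name__ == "__main__":
    ranges = extract_actions_ranges(SAMPLE_META)
    # Hypothetical existing allowlist with one stale, too-wide entry.
    print(diff_allowlist(["192.0.2.0/24", "203.0.113.0/24"], ranges["ipv4"]))
    print(" ".join(nsg_rule_command(
        ranges["ipv4"], resource_group="rg-runners", nsg_name="nsg-dependabot",
        rule_name="AllowGitHubActions", priority=100)))
```

Run the diff before applying anything: the "remove" list is the set of stale ranges an allowlist copied by hand tends to accumulate, and the fail-closed check in extract_actions_ranges is what stops a truncated or errored response from wiping the rule.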