About Dependabot on GitHub Actions self-hosted runners
If you enable Dependabot on a new repository but have GitHub Actions disabled, Dependabot will run on the legacy application on GitHub to perform Dependabot updates. This does not provide the same performance, visibility, and control of Dependabot updates jobs as GitHub Actions does. If you want to use Dependabot with GitHub Actions, you must make sure that the repository allows GitHub Actions, then enable "Dependabot on Actions runners" from the repository's "Code security" settings page. For more information, see About Dependabot on GitHub Actions runners.
Note
Future releases of GitHub will always run Dependabot using GitHub Actions, and you will no longer have the option to enable or disable this setting.
You can help users of your organization and repositories to create and maintain secure code by setting up Dependabot security and version updates. With Dependabot updates, developers can configure repositories so that their dependencies are updated and kept secure automatically. Running Dependabot on GitHub Actions allows for better performance, and increased visibility and control of Dependabot jobs.
Note
Dependabot does not support using private networks with an Azure Virtual Network (VNET) instance or Actions Runner Controller (ARC).
To have greater control over Dependabot access to your private registries and internal network resources, you can configure Dependabot to run on GitHub Actions self-hosted runners.
For security reasons, when running Dependabot on GitHub Actions self-hosted runners, Dependabot updates will not be run on public repositories.
For more information about configuring Dependabot access to private registries when using GitHub-hosted runners, see Guide to configuring private registries for Dependabot. For information about which ecosystems are supported as private registries, see Removing Dependabot access to public registries.
Prerequisites
You must have Dependabot installed and enabled, and GitHub Actions enabled and in use. The "Dependabot on GitHub Actions Runners" setting for your organization should also be enabled. For more information, see About Dependabot on GitHub Actions runners.
Your organization may have configured a policy to restrict actions and self-hosted runners from running in specific repositories, which in turn will not allow Dependabot to run on GitHub Actions self-hosted runners. In this case, the organization or repository level setting to enable "Dependabot on self-hosted runners" will not be visible in the web UI. For more information, see Disabling or limiting GitHub Actions for your organization.
Configuring self-hosted runners for Dependabot updates
After you configure your organization or repository to run Dependabot on GitHub Actions, and before you enable Dependabot on self-hosted runners, you need to configure self-hosted runners for Dependabot updates.
System requirements for Dependabot runners
Any virtual machine (VM) you use for Dependabot runners must meet the requirements for self-hosted runners. In addition, they must meet the following requirements.
- Linux operating system
- x64 architecture
- Docker installed with access for the runner users:
  - We recommend installing Docker in rootless mode and configuring the runners to access Docker without root privileges.
  - Alternatively, install Docker and grant the runner users privileges to run Docker.
The CPU and memory requirements will depend on the number of concurrent runners you deploy on a given VM. As a guide, we have successfully set up 20 runners on a single 2-CPU, 8 GB machine, but ultimately the CPU and memory requirements will depend heavily on the repositories being updated. Some ecosystems will require more resources than others.
If you specify more than 14 concurrent runners on a VM, you must also update the Docker configuration in /etc/docker/daemon.json to increase the default number of networks that Docker can create.
{
  "default-address-pools": [
    {"base":"10.10.0.0/16","size":24}
  ]
}
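The daemon.json change above can be applied idempotently with a small script such as the following. This is an added example, not part of GitHub's documentation or tooling. It assumes the /etc/docker/daemon.json path from the page and, for merging the setting into an existing daemon.json without losing other keys, that python3 is available on the VM (it is on Ubuntu 20.04); POOL_BASE and POOL_SIZE default to the page's values and can be overridden through the environment.

```shell
#!/usr/bin/env bash
# Added example (not GitHub's tooling): make sure /etc/docker/daemon.json
# declares a larger address pool, so that more than 14 concurrent Dependabot
# runners on one VM do not exhaust Docker's default bridge networks.
set -euo pipefail

# Values taken from the page; override via the environment if they clash
# with your internal addressing.
POOL_BASE="${POOL_BASE:-10.10.0.0/16}"
POOL_SIZE="${POOL_SIZE:-24}"

# Returns 0 when the file already declares default-address-pools.
address_pools_configured() {
  local file="$1"
  [ -f "$file" ] && grep -q '"default-address-pools"' "$file"
}

# Render the daemon.json fragment shown on the page.
render_address_pools_json() {
  printf '{\n  "default-address-pools": [\n    {"base": "%s", "size": %s}\n  ]\n}\n' \
    "$POOL_BASE" "$POOL_SIZE"
}

# Create the file when absent; otherwise merge the key into the existing
# JSON with python3 so that unrelated daemon settings survive intact.
configure_docker_address_pools() {
  local file="${1:-/etc/docker/daemon.json}"
  if address_pools_configured "$file"; then
    echo "already configured: $file"
    return 0
  fi
  if [ ! -s "$file" ]; then
    mkdir -p "$(dirname "$file")"
    render_address_pools_json > "$file"
  else
    cp "$file" "$file.bak"   # keep a copy of the previous configuration
    python3 - "$file" "$POOL_BASE" "$POOL_SIZE" <<'PY'
import json, sys
path, base, size = sys.argv[1], sys.argv[2], int(sys.argv[3])
with open(path) as f:
    cfg = json.load(f)
cfg["default-address-pools"] = [{"base": base, "size": size}]
with open(path, "w") as f:
    json.dump(cfg, f, indent=2)
    f.write("\n")
PY
  fi
  echo "wrote address pools to $file; restart Docker (sudo systemctl restart docker) to apply"
}

# Only act when invoked directly with --apply; sourcing just defines the functions.
if [ "${1:-}" = "--apply" ]; then
  configure_docker_address_pools "${2:-/etc/docker/daemon.json}"
fi
```

Run it as root with `--apply`, then restart Docker; a quick way to confirm the pool is in effect is that `docker network create` succeeds for the fifteenth and later networks instead of failing with "no available network".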
Network requirements for Dependabot runners
Dependabot runners need access to the public internet, to GitHub.com, and to any internal registries that will be used in Dependabot updates. To minimize the risk to your internal network, you should limit the access from the virtual machine (VM) to your internal network. This reduces the potential for damage to internal systems if a runner downloads a hijacked dependency.
You must also allow outbound traffic to dependabot-actions.githubapp.com to prevent failures in the jobs for Dependabot security updates. For more information, see "About self-hosted runners."
Certificate configuration for Dependabot runners
If Dependabot needs to interact with registries that use self-signed certificates, those certificates must also be installed on the self-hosted runners that run Dependabot jobs. This hardens the connection between the runner and the registry. You must also configure Node.js to use the certificate, because most actions are written in JavaScript and run using Node.js, which does not use the operating system certificate store.
Adding self-hosted runners for Dependabot updates
- Provision self-hosted runners, at the repository or organization level. For more information, see About self-hosted runners and Adding self-hosted runners.
- Set up the self-hosted runners with the requirements described above. For example, on a VM running Ubuntu 20.04 you would:
  - Install Docker and ensure that the runner users have access to Docker. For more information, see the Docker documentation:
    - Install Docker Engine on Ubuntu
    - Recommended approach: Run the Docker daemon as a non-root user (Rootless mode)
    - Alternative approach: Manage Docker as a non-root user
  - Verify that the runners have access to the public internet and can only access the internal networks that Dependabot needs.
  - Install any self-signed certificates for registries that Dependabot will need to interact with.
- Assign a dependabot label to each runner you want Dependabot to use. For more information, see Using labels with self-hosted runners.
- Optionally, enable workflows triggered by Dependabot to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see Troubleshooting Dependabot on GitHub Actions.
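The certificate step from "Certificate configuration for Dependabot runners" and the VM setup steps above can be scripted on the runner VM as shown in this added example, which is not GitHub's runner tooling or documentation. It assumes an Ubuntu-style CA store (/usr/local/share/ca-certificates and update-ca-certificates), that the runner was installed under RUNNER_DIR and runs as RUNNER_USER (both placeholders you set), and that the actions runner picks up KEY=VALUE lines from a .env file in its root directory; NODE_EXTRA_CA_CERTS is the standard Node.js variable for trusting extra CAs. The preflight function checks the Linux/x64, Docker-access and outbound-connectivity requirements from this page.

```shell
#!/usr/bin/env bash
# Added example (not GitHub's tooling): install a registry's self-signed CA on a
# Dependabot self-hosted runner VM, make Node.js trust it, and preflight-check
# the VM against the requirements listed on this page.
set -uo pipefail

RUNNER_DIR="${RUNNER_DIR:-/home/runner/actions-runner}"   # assumed runner install path
RUNNER_USER="${RUNNER_USER:-runner}"                       # assumed runner service account
OS_BUNDLE="/etc/ssl/certs/ca-certificates.crt"             # Debian/Ubuntu system CA bundle

# 1. Sanity-check a PEM file before trusting it system-wide.
is_pem_certificate() {
  local pem="$1"
  [ -s "$pem" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
                && grep -q -- '-----END CERTIFICATE-----' "$pem"
}

# 2. Install the CA into the OS store (Ubuntu convention: a .crt file under
#    /usr/local/share/ca-certificates, then update-ca-certificates).
install_registry_ca() {
  local pem="$1" name="${2:-private-registry-ca}"
  is_pem_certificate "$pem" || { echo "not a PEM certificate: $pem" >&2; return 1; }
  sudo install -m 0644 "$pem" "/usr/local/share/ca-certificates/${name}.crt"
  sudo update-ca-certificates
}

# 3. Node.js ignores the OS store, so hand it the bundle via NODE_EXTRA_CA_CERTS.
#    The runner applies KEY=VALUE lines from $RUNNER_DIR/.env to every job.
node_env_line() {
  printf 'NODE_EXTRA_CA_CERTS=%s\n' "${1:-$OS_BUNDLE}"
}

configure_node_certs() {
  local env_file="$RUNNER_DIR/.env"
  if [ -f "$env_file" ] && grep -q '^NODE_EXTRA_CA_CERTS=' "$env_file"; then
    return 0   # already configured; do not append a duplicate line
  fi
  node_env_line "$OS_BUNDLE" | sudo tee -a "$env_file" >/dev/null
}

# 4. Preflight: does this VM meet the page's Dependabot runner requirements?
preflight() {
  local rc=0 host
  [ "$(uname -s)" = "Linux" ]  || { echo "FAIL: OS must be Linux" >&2; rc=1; }
  [ "$(uname -m)" = "x86_64" ] || { echo "FAIL: architecture must be x64" >&2; rc=1; }
  sudo -u "$RUNNER_USER" docker info >/dev/null 2>&1 \
    || { echo "FAIL: $RUNNER_USER cannot talk to Docker (rootless mode or docker group)" >&2; rc=1; }
  # Outbound HTTPS must reach GitHub and the Dependabot actions endpoint named on the page.
  for host in github.com dependabot-actions.githubapp.com; do
    curl -sS -o /dev/null --max-time 10 "https://$host" \
      || { echo "FAIL: no outbound HTTPS to $host" >&2; rc=1; }
  done
  grep -q '^NODE_EXTRA_CA_CERTS=' "$RUNNER_DIR/.env" 2>/dev/null \
    || echo "WARN: NODE_EXTRA_CA_CERTS not set; Node.js will not trust self-signed registries" >&2
  return "$rc"
}

case "${1:-}" in
  install-ca) install_registry_ca "${2:?path to the registry CA .pem}" "${3:-}" && configure_node_certs ;;
  preflight)  preflight ;;
esac
```

Usage: `sudo ./runner-setup.sh install-ca registry-ca.pem internal-registry` after copying the registry's CA to the VM, then `./runner-setup.sh preflight` before registering the runner; the `dependabot` label itself is given at registration time with the runner's `config.sh --labels dependabot` option.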
Enabling self-hosted runners for Dependabot updates
Once you have configured self-hosted runners for Dependabot updates, you can enable or disable Dependabot updates on self-hosted runners at the organization or repository level.
Note: disabling and re-enabling the "Dependabot on self-hosted runners" setting will not trigger a new Dependabot run.
Enabling or disabling for your repository
You can manage Dependabot on self-hosted runners for your private repository.
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
- In the "Security" section of the sidebar, click Code security.
- Under "Dependabot", to the right of "Dependabot on self-hosted runners", click Enable to enable the feature or Disable to disable it.
Enabling or disabling for your organization
You can enable Dependabot on self-hosted runners for all existing private repositories in an organization. Only repositories already configured to run Dependabot on GitHub Actions will be updated to run Dependabot on self-hosted runners the next time a Dependabot job is triggered.
Note
You need to enable self-hosted runners for your organization if you use larger runners. For more information, see About Dependabot on GitHub Actions runners.
- In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
- Next to the organization, click Settings.
- In the "Security" section of the sidebar, click Code security then Global settings.
- Under "Dependabot", select "Dependabot on self-hosted runners" to enable the feature or deselect to disable it. This action enables or disables the feature for all new repositories in the organization.
For more information, see Global security settings for your organization.