The "About Dependabot on GitHub Actions runners" information may be outdated

[yeikel]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#about-dependabot-on-github-actions-runners

What part(s) of the article would you like to see updated?

I think that the following sentences contradict each other

If Dependabot is enabled for a repository, it will always run on GitHub Actions, bypassing both Actions policy checks and disablement at the repository or organization level.

If you enable Dependabot on a new repository and have GitHub Actions disabled, Dependabot will run on the legacy application in GitHub to perform Dependabot updates

From my testing, even if Actions are disabled, Dependabot will still run using GitHub Actions. This "legacy application" the docs refer to may no longer exist or may only be triggered for very specific scenarios that are not clear.

With that, the note below may also be outdated as this is what seems to be the only behavior

Future releases of GitHub will always run Dependabot using GitHub Actions, and you will no longer have the option to enable or disable this setting.

Additional information

I executed dependabot from a repository with Actions disabled but the job execution was still using GitHub Actions:

See https://github.com/yeikel/log-captor/actions/runs/19252685897/job/55040666747

I also tried the following workflow:

• Create a repository
• Disable Actions
• Enable Dependabot

Even with that workflow, Dependabot still ran using GitHub Actions.

[welcome]

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

[Sharra-writes]

@yeikel Thanks for opening an issue! I will ask the Dependabot team to clarify so we can update the documentation appropriately!

[singdong4132-web]

Ok

[Sharra-writes]

@yeikel Since the problem here is a reusable and the Dependabot team wants it removed from all the articles where it's currently being used, I went ahead and opened an internal PR to get this taken care of. This issue should close when it merges.

[yeikel]

@yeikel Since the problem here is a reusable and the Dependabot team wants it removed from all the articles where it's currently being used, I went ahead and opened an internal PR to get this taken care of. This issue should close when it merges.

Awesome. Thank you for the update

[yeikel]

@Sharra-writes I saw the issue was closed. Are the changes deployed?

I think that there is still room for improvement to the page if so. In particular, this sentence should be deleted as well

Future releases of GitHub will always run Dependabot using GitHub Actions, and you will no longer have the option to enable or disable this setting.

[Sharra-writes]

@yeikel Changes should be live. If you want to open an issue or PR to delete that line, I can definitely take it to the Dependabot team (I say, before making it through my notifications to find out if you've already done it).

[yeikel]

Thank you @Sharra-writes. I sent #41383 as a follow up