[Improvement]: Clarify documentation around Dependabot on self-hosted runners setting (#60125)

sophietheking · Copilot · web-flow · commit 2e9bd3359a97 · 2026-03-11T07:25:15.000Z
Co-authored-by: Copilot Autofix powered by AI &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/content/code-security/concepts/supply-chain-security/about-dependabot-on-github-actions-runners.md b/content/code-security/concepts/supply-chain-security/about-dependabot-on-github-actions-runners.md
@@ -43,6 +43,16 @@ Running {% data variables.product.prodname_dependabot %} on standard {% data var
 
 {% data reusables.dependabot.vnet-arc-note %}
 
+## How runner settings interact
+
+The {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners and {% data variables.product.prodname_dependabot %} on self-hosted runners settings are interdependent:
+
+* Enabling "{% data variables.product.prodname_dependabot %} on self-hosted runners" automatically enables "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners". Disabling "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners" automatically disables "{% data variables.product.prodname_dependabot %} on self-hosted runners".
+* When both settings are enabled, {% data variables.product.prodname_dependabot %} jobs run **only** on self-hosted runners or {% data variables.actions.hosted_runners %} with a `dependabot` label—not on standard {% data variables.product.prodname_dotcom %}-hosted runners.
+
+> [!WARNING]
+> If both settings are enabled but no self-hosted runners or {% data variables.actions.hosted_runners %} with a `dependabot` label are available, {% data variables.product.prodname_dependabot %} jobs will remain queued indefinitely. Ensure runners with this label are configured before enabling "{% data variables.product.prodname_dependabot %} on self-hosted runners".
+
 ## Access and permissions
 
 If you are transitioning to using {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that {% data variables.product.prodname_dependabot %} uses, you should update your allowlist to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses sourced from the meta API endpoint. For more information, see [AUTOTITLE](/rest/meta).
diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners.md
@@ -36,6 +36,9 @@ contentType: how-tos
 
 ## Enabling self-hosted runners for {% data variables.product.prodname_dependabot_updates %}
 
+> [!WARNING]
+> Before enabling "{% data variables.product.prodname_dependabot %} on self-hosted runners", ensure that your self-hosted runners or {% data variables.actions.hosted_runners %} are configured with the runner label used by {% data variables.product.prodname_dependabot %} (by default, `dependabot`). When this setting is enabled, {% data variables.product.prodname_dependabot %} jobs will only run on runners with this label. If no runners with this label are available, jobs will remain queued indefinitely. See [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#how-runner-settings-interact).
+
 Once you have configured self-hosted runners for {% data variables.product.prodname_dependabot_updates %}, you can enable or disable {% data variables.product.prodname_dependabot_updates %} on self-hosted runners at the organization or repository level.
 
 > [!NOTE]
