From 97600f0606458941cc1bc26e3129a96e3e7eae56 Mon Sep 17 00:00:00 2001
From: Sophie <29382425+sophietheking@users.noreply.github.com>
Date: Mon, 20 Feb 2023 09:47:29 +0100
Subject: [PATCH] [Improvement]: Tell GHES admins that they can download the
 latest Dependabot action to get better ecosystem support  (#33659)

Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../enabling-dependabot-for-your-enterprise.md    | 12 +++++++++++-
 .../about-dependabot-version-updates.md           | 15 +++++++++++++--
 ...uration-options-for-the-dependabot.yml-file.md | 10 +++++++++-
 data/reusables/actions/action-bundled-actions.md  |  1 +
 tests/meta/repository-references.js               |  1 +
 5 files changed, 35 insertions(+), 4 deletions(-)
 create mode 100644 data/reusables/actions/action-bundled-actions.md

diff --git a/content/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise.md b/content/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise.md
index 9461ce7d6efe..8954dc124943 100644
--- a/content/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise.md
+++ b/content/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise.md
@@ -107,6 +107,16 @@ After you enable {% data variables.product.prodname_dependabot_alerts %} for you
 {% data variables.product.prodname_dependabot_updates %} are not supported on {% data variables.product.product_name %} if your enterprise uses clustering.
 {% endif %}
 
+{% ifversion ghes > 3.4 %}
+
+{% note %}
+
+**Note:** After you enable the dependency graph, you can use the [{% data variables.product.prodname_dependabot %} action](https://github.com/github/dependabot-action). The action will raise an error if any vulnerabilities or invalid licenses are being introduced. {% data reusables.actions.action-bundled-actions %}
+
+{% endnote %}
+
+{% endif %}
+
 {% data reusables.enterprise_site_admin_settings.sign-in %}
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
@@ -114,7 +124,7 @@ After you enable {% data variables.product.prodname_dependabot_alerts %} for you
 1. Under "Security", select **{% data variables.product.prodname_dependabot_security_updates %}**.
 {% data reusables.enterprise_management_console.save-settings %}
 1. Click **Visit your instance**.
-1. Configure dedicated self-hosted runners to create the pull requests that will update dependencies. This is required because the workflows use a specific runner label. For more information, see "[AUTOTITLE](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/managing-self-hosted-runners-for-dependabot-updates)."
+2. Configure dedicated self-hosted runners to create the pull requests that will update dependencies. This is required because the workflows use a specific runner label. For more information, see "[AUTOTITLE](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/managing-self-hosted-runners-for-dependabot-updates)."
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.github-connect-tab %}
 1. Under "{% data variables.product.prodname_dependabot %}", to the right of "Users can easily upgrade to non-vulnerable open source code dependencies", click **Enable**.
diff --git a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md b/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md
index 920a0d323199..2cb90755886a 100644
--- a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md
+++ b/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md
@@ -31,7 +31,7 @@ shortTitle: Dependabot version updates
 
 {% data variables.product.prodname_dependabot %} takes the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on.
 
-You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a `dependabot.yml` configuration file into your repository. The configuration file specifies the location of the manifest, or of other package definition files, stored in your repository. {% data variables.product.prodname_dependabot %} uses this information to check for outdated packages and applications. {% data variables.product.prodname_dependabot %} determines if there is a new version of a dependency by looking at the semantic versioning ([semver](https://semver.org/)) of the dependency to decide whether it should update to that version. For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary. 
+You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a `dependabot.yml` configuration file into your repository. The configuration file specifies the location of the manifest, or of other package definition files, stored in your repository. {% data variables.product.prodname_dependabot %} uses this information to check for outdated packages and applications. {% data variables.product.prodname_dependabot %} determines if there is a new version of a dependency by looking at the semantic versioning ([semver](https://semver.org/)) of the dependency to decide whether it should update to that version. For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary.
 
 When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)."
 
@@ -55,9 +55,20 @@ If you've enabled security updates, you'll sometimes see extra pull requests for
 <!-- If you make changes to this feature, check whether any of the changes affect languages listed in /get-started/learning-about-github/github-language-support. If so, please update the language support article accordingly. -->
 
 You can configure version updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#vendor)."
+
+{% ifversion ghes > 3.4 %}
+
+{% note %}
+
+**Note**: To ensure that {% data variables.product.product_name %} supports {% data variables.product.prodname_dependabot_updates %} for the latest supported ecosystem versions, your enterprise owner must download the most recent version of the [{% data variables.product.prodname_dependabot %} action](https://github.com/github/dependabot-action). {% data reusables.actions.action-bundled-actions %}
+
+{% endnote %}
+
+{% endif %}
+
 {% note %}
 
-{% data reusables.dependabot.private-dependencies-note %} 
+**Note**: {% data reusables.dependabot.private-dependencies-note %}
 
 {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. See the details in the table below.
 
diff --git a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md
index b241e9f946d2..5259c14db6d2 100644
--- a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md
+++ b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md
@@ -68,7 +68,15 @@ In general, security updates use any configuration options that affect pull requ
 
 ### `package-ecosystem`
 
-**Required**. You add one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each of these package managers. If you want to enable vendoring for a package manager that supports it, the vendored dependencies must be located in the required directory. For more information, see [`vendor`](#vendor) below.
+**Required**. You add one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each of these package managers. If you want to enable vendoring for a package manager that supports it, the vendored dependencies must be located in the required directory. For more information, see [`vendor`](#vendor) below.{% ifversion ghes > 3.4 %}
+
+{% note %}
+
+**Note:** Enterprise owners can download the most recent version of the [{% data variables.product.prodname_dependabot %} action](https://github.com/github/dependabot-action) to get the best ecosystem coverage. {% data reusables.actions.action-bundled-actions %}
+
+{% endnote %}
+
+{% endif %}
 
 {% data reusables.dependabot.supported-package-managers %}
 
diff --git a/data/reusables/actions/action-bundled-actions.md b/data/reusables/actions/action-bundled-actions.md
new file mode 100644
index 000000000000..738534d2281b
--- /dev/null
+++ b/data/reusables/actions/action-bundled-actions.md
@@ -0,0 +1 @@
+For more information about the action, and for instructions about how to download the most recent version, see "[AUTOTITLE](/admin/github-actions/managing-access-to-actions-from-githubcom/using-the-latest-version-of-the-official-bundled-actions)."
\ No newline at end of file
diff --git a/tests/meta/repository-references.js b/tests/meta/repository-references.js
index df8d1eae1f0f..2017360ad672 100644
--- a/tests/meta/repository-references.js
+++ b/tests/meta/repository-references.js
@@ -68,6 +68,7 @@ const PUBLIC_REPOS = new Set([
   'tweetsodium',
   'VisualStudio',
   'codespaces-getting-started-ml',
+  'dependabot-action',
 ])
 
 const ALLOW_DOCS_PATHS = [