
Commit 88f4373

emisanada and Copilot committed
Clarify Dependabot is exempt from IP allow list enforcement
Dependabot is a first-party GitHub App with explicit IP allow list exemption. Update docs to:
- State clearly that Dependabot repo access is exempt from IP allow lists
- Remove misleading guidance that self-hosted runners are required
- Keep self-hosted/larger runner guidance for other use cases (e.g., accessing private registries behind firewalls)

Addresses: github/enterprise-primitives#5258

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 4ebb6c3 commit 88f4373

1 file changed

Lines changed: 3 additions & 5 deletions

@@ -1,9 +1,7 @@
1-
{% data variables.product.prodname_dependabot %} is a first-party {% data variables.product.github %} App whose access to repositories is exempt from IP allow list restrictions. This means {% data variables.product.prodname_dependabot %} can read repository contents and create pull requests regardless of your IP allow list configuration.
1+
{% data variables.product.prodname_dependabot %} is a first-party {% data variables.product.github %} App whose repository access is exempt from IP allow list restrictions. This means {% data variables.product.prodname_dependabot %} can read dependency files and create pull requests regardless of your IP allow list configuration, even when running on standard {% data variables.product.github %}-hosted runners.
22

3-
However, if your {% data variables.product.prodname_dependabot %} workflows include additional steps that use the `GITHUB_TOKEN` or other tokens to make API calls, those steps may still be subject to IP allow list enforcement. In that case, dynamically provisioned {% data variables.product.github %}-hosted runners do not guarantee static IP addresses, so those calls may fail.
3+
If your {% data variables.product.prodname_dependabot %} workflows require predictable, static IP addresses for other reasons (for example, to access private registries behind a firewall), you should set up a self-hosted runner or enable {% data variables.product.prodname_dependabot %} for use with {% data variables.actions.hosted_runners %}. See [AUTOTITLE](/actions/concepts/runners/about-self-hosted-runners) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners).
44

5-
If your {% data variables.product.prodname_dependabot %} workflows need to make additional authenticated API calls beyond what {% data variables.product.prodname_dependabot %} itself performs, you must set up a self-hosted runner or enable {% data variables.product.prodname_dependabot %} for use with {% data variables.actions.hosted_runners %}. See [AUTOTITLE](/actions/concepts/runners/about-self-hosted-runners) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners).
6-
7-
Additionally, to learn more about setting up a {% data variables.actions.hosted_runners %} with a static IP address configured, see [AUTOTITLE](/actions/concepts/runners/about-larger-runners).
5+
Additionally, to learn more about setting up {% data variables.actions.hosted_runners %} with a static IP address configured, see [AUTOTITLE](/actions/concepts/runners/about-larger-runners).
86

97
To allow your self-hosted runners or {% data variables.actions.hosted_runners %} to communicate with {% data variables.product.github %}, add the IP address or IP address range of your runners to the IP allow list that you have configured for your enterprise.
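Review bot: The caveat on removed line 3, that workflow steps using the `GITHUB_TOKEN` or other tokens to make API calls may still be subject to IP allow list enforcement, is lost in the replacement paragraph, and nothing in the new text says whether it still holds. If it does, keep one sentence that scopes the exemption to Dependabot's own repository access, so a reader does not conclude that every call made from a Dependabot workflow bypasses the allow list; if it no longer holds, the commit message should say so rather than only calling the runner guidance misleading. Separately, new line 1 changes "read repository contents" to "read dependency files", which narrows the stated read scope of an exempt app; confirm that wording matches what the exemption actually covers, since administrators will rely on it when reasoning about what the allow list does not restrict.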
