How to use Dependabot with private packages
I need some help with Dependabot. I found out recently about this amazing package, but some of my repositories require dependencies that are private packages, created by me and used in my personal projects. Dependabot says that any repositories using private packages are better configured from their website's dashboard.

In my repo, I have moved Dependabot's configuration into the .github/dependabot.yml file, from the dashboard where it was located before. In the Insights tab of the repo, in the Dependency Graph section, the error about not finding the private package is also being thrown. Has anyone implemented something similar? I would really appreciate your support here.

Paulson answered 20/11, 2020 at 8:59

There is now more documentation on this, since Dec. 2nd, 2020:

Dependabot: version updates from private GitHub repositories

Dependabot already updates your public dependencies, such as open source dependencies from a public GitHub repository, npm, Maven Central, or similar.

Now, you can also update dependencies from private GitHub repositories. This feature is available for most package managers supported by Dependabot version updates, except bundler, hex, and pip.

To get started, grant Dependabot access to some or all of your private repositories on your organization's security & analysis settings page:

https://github.com/organizations/YOUR-ORGANIZATION/settings/security_analysis.

Learn more about Dependabot version updates.


March 2021:

Dependabot private registry support public beta

Dependabot can now access dependencies from authenticated private registries, such as GitHub Packages, Azure Artifacts, and Artifactory. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. With this release, Dependabot version updates can help keep inner source as up-to-date as open source.

To enable this feature, add a registries section to your dependabot.yml, reference your new registries in the relevant updates, and add any secrets to Dependabot's secret store.

This complements your ability to give Dependabot version updates access to private repositories, which is common for ecosystems like go modules and npm.


Dec. 2021:

whenever this workflow runs on a PR that was issued by Dependabot - it fails as Dependabot PRs don't have the same secret access as other pull requests do.

This should no longer (Nov./Dec. 2021) be the case:

GitHub Actions: Workflows triggered by Dependabot receive dependabot secrets.

GitHub Actions workflows triggered by Dependabot will now be sent the Dependabot secrets.

This change will enable you to pull from private package registries in your CI using the same secrets you have configured for Dependabot to use and will improve how Actions and Dependabot work together.

Learn more about using Actions and Dependabot together.

Sunroom answered 2/12, 2020 at 20:31

Comments:

Paulson: Is there any way I can configure Dependabot to create PRs only on minor and major updates?

Sunroom: @Paulson I don't think there is a simple option for that. But considering you enable Dependabot version updates by checking a configuration file in to your repository, you could add that config file only for minor and major updates, leaving that same file out of your sources between releases.

Paulson: Thank you for your help, but I do not know if I can add a configuration file to my repo, as Dependabot works with private packages only through their dashboard and website.

Sunroom: @Paulson Oh, you mean minor and major updates of your project dependencies. I thought you meant minor/major updates of your own project.

Paulson: Yes, that's right. I meant Dependabot to update and create PRs only for minor and major updates of dependencies, of other packages.

Sunroom: @Paulson OK. Not sure then. Maybe one of the configuration options for dependency updates, like the versioning-strategy one.

For Google Cloud users looking to set up Dependabot with a private npm package repository in Artifact Registry, this is how I configured Dependabot:

version: 2
registries:
  artifact-registry:
    type: npm-registry
    url: https://<location>-npm.pkg.dev/<project-id>/<repository-name>
    username: "_json_key_base64" # <- Note the username
    password: ${{ secrets.ARTIFACT_REGISTRY_CREDENTIALS }} # base64 encoded service account key stored as Github secret. SA must have reader permissions in npm repository.
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: monthly
      time: "08:00"
      timezone: "Europe/Tallinn"
    registries:
      - artifact-registry
    commit-message:
      prefix: "chore: "
    open-pull-requests-limit: 10
    pull-request-branch-name:
      separator: "-"
Reparable answered 1/3, 2023 at 19:45

Comments:

Illumine: Not limited to Google Cloud, see docs.github.com/en/code-security/dependabot/…

Reparable: @MarkusSchulte Thanks, but I was more pointing out the authentication username, which is not documented clearly (or at all) by Google Cloud.
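The March 2021 note above says a private registry needs a `registries` entry, a reference to it from the relevant `updates` block, and the credential stored in Dependabot's secret store; the Artifact Registry answer above adds that the npm username there must be `_json_key_base64`. The following is an added example, not code from the original thread or from Dependabot itself: a small Ruby audit (Ruby's stdlib YAML, no gems) that parses a dependabot.yml and reports the mistakes a reviewer would catch, namely a non-https registry URL, a credential pasted inline instead of a `${{ secrets.NAME }}` reference, an update block pointing at a registry that was never declared, and a pkg.dev npm registry that does not use the `_json_key_base64` username. The two embedded configs are constructed samples; the project id, repository name, location and secret name in them are placeholders, and the `audit_dependabot_config` function name is this example's own.

```ruby
require 'yaml'
require 'uri'

# ${{ secrets.NAME }} as Dependabot's secret store expects it (inner spaces optional)
SECRET_REF = /\A\$\{\{\s*secrets\.([A-Z0-9_]+)\s*\}\}\z/i.freeze
# keys under a registry entry that carry a credential
CREDENTIAL_KEYS = %w[password token key].freeze

# Constructed sample: the Artifact Registry layout from the answer above,
# with placeholder location / project / repository / secret names.
GOOD_CONFIG = <<~'YAML'
  version: 2
  registries:
    artifact-registry:
      type: npm-registry
      url: https://europe-north1-npm.pkg.dev/my-project/my-npm-repo
      username: "_json_key_base64"
      password: ${{ secrets.ARTIFACT_REGISTRY_CREDENTIALS }}
  updates:
    - package-ecosystem: npm
      directory: "/"
      schedule:
        interval: monthly
      registries:
        - artifact-registry
YAML

# Constructed weak variant: plain http, the service-account key pasted inline,
# the wrong username, and an update block referencing an undeclared registry.
WEAK_CONFIG = <<~'YAML'
  version: 2
  registries:
    artifact-registry:
      type: npm-registry
      url: http://europe-north1-npm.pkg.dev/my-project/my-npm-repo
      username: "my-sa@my-project.iam.gserviceaccount.com"
      password: "base64-service-account-key-pasted-inline"
  updates:
    - package-ecosystem: npm
      directory: "/"
      schedule:
        interval: weekly
      registries:
        - artifact-registry
        - github-packages
YAML

# Returns { findings: [...], secrets: [...] }: findings is empty when the config
# passes every check, secrets lists the Dependabot secret names the config expects
# to exist (so you know what to create in the secret store).
def audit_dependabot_config(yaml_text)
  findings = []
  secrets  = []
  config = YAML.safe_load(yaml_text)
  return { findings: ['top level is not a mapping'], secrets: [] } unless config.is_a?(Hash)

  findings << "version must be 2 (got #{config['version'].inspect})" unless config['version'] == 2

  registries = config['registries'] || {}
  registries.each do |name, reg|
    unless reg.is_a?(Hash) && reg['type'] && reg['url']
      findings << "registry #{name}: needs both type and url"
      next
    end

    uri = (URI.parse(reg['url'].to_s) rescue nil)
    if uri.nil? || uri.scheme != 'https'
      findings << "registry #{name}: url must be https (the credential would otherwise travel in clear)"
    end

    CREDENTIAL_KEYS.each do |key|
      next unless reg.key?(key)
      m = SECRET_REF.match(reg[key].to_s)
      if m
        secrets << m[1]
      else
        findings << "registry #{name}: #{key} is a literal; reference a Dependabot secret with ${{ secrets.NAME }} instead"
      end
    end

    # Google Artifact Registry npm repos authenticate with the fixed username
    # _json_key_base64 and a base64-encoded service account key as the password.
    if uri && uri.host.to_s.end_with?('pkg.dev') && reg['type'] == 'npm-registry' &&
       reg['username'] != '_json_key_base64'
      findings << "registry #{name}: Artifact Registry npm auth expects username _json_key_base64"
    end
  end

  # Every registry an update block references must be declared ("*" means all).
  Array(config['updates']).each_with_index do |upd, i|
    label = "update #{i} (#{upd['package-ecosystem']} in #{upd['directory']})"
    refs = upd['registries']
    next if refs.nil? || refs == '*'
    Array(refs).each do |ref|
      findings << "#{label}: references undeclared registry '#{ref}'" unless registries.key?(ref)
    end
  end

  { findings: findings, secrets: secrets.uniq }
end

if __FILE__ == $PROGRAM_NAME
  [['good', GOOD_CONFIG], ['weak', WEAK_CONFIG]].each do |label, text|
    result = audit_dependabot_config(text)
    puts "#{label}: #{result[:findings].size} finding(s), secrets needed: #{result[:secrets].join(', ')}"
    result[:findings].each { |f| puts "  - #{f}" }
  end
end
```

Run it against your own file with `audit_dependabot_config(File.read('.github/dependabot.yml'))`; the literal-credential check is the one worth wiring into a pre-commit hook, because a service-account key committed to dependabot.yml stays in the repository history even after it is replaced with a secret reference.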

Although there is not much information and documentation on this particular topic, I managed to solve my issue. It is a combination of GitHub Secrets and configuration of the .npmrc & .yarnrc files. You can find the related issue, as well as my official answer, here.

Paulson answered 20/11, 2020 at 18:54