8

I need some help with Dependabot. I found out recently about this amazing package, but some of my repositories require dependencies that are private packages, created by me and used in my personal projects. Dependabot says that any repositories using private packages are better configured from their website's dashboard.

In my repo, I have moved Dependabot's configuration into the .github/dependabot.yml file, from the dashboard where it was located before. In the Insights tab of the repo, in the Dependency Graph section, the error about not finding the private package is also being thrown. Has anyone implemented something similar? I would really appreciate your support here.

georgekrax

3 Answers

4

There is now more documentation on this, as of Dec. 2nd, 2020:

Dependabot: version updates from private GitHub repositories

Dependabot already updates your public dependencies, such as open source dependencies from a public GitHub repository, npm, Maven Central, or similar.

Now, you can also update dependencies from private GitHub repositories. This feature is available for most package managers supported by Dependabot version updates, except bundler, hex, and pip.

To get started, grant Dependabot access to some or all of your private repositories on your organization's security & analysis settings page:

https://github.com/organizations/YOUR-ORGANIZATION/settings/security_analysis.

Learn more about Dependabot version updates.


March 2021:

Dependabot private registry support public beta

Dependabot can now access dependencies from authenticated private registries, such as GitHub Packages, Azure Artifacts, and Artifactory. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. With this release, Dependabot version updates can help keep inner source as up-to-date as open source.

To enable this feature, add a registries section to your dependabot.yml, reference your new registries in the relevant updates, and add any secrets to Dependabot's secret store.

This complements your ability to give Dependabot version updates access to private repositories, which is common for ecosystems like go modules and npm.


Dec. 2021:

whenever this workflow runs on a PR that was issued by Dependabot - it fails as Dependabot PRs don't have the same secret access as other pull requests do.

This should no longer (Nov./Dec. 2021) be the case:

GitHub Actions: Workflows triggered by Dependabot receive dependabot secrets.

GitHub Actions workflows triggered by Dependabot will now be sent the Dependabot secrets.

This change will enable you to pull from private package registries in your CI using the same secrets you have configured for Dependabot to use and will improve how Actions and Dependabot work together.

Learn more about using Actions and Dependabot together.

VonC
  • Is there any way I can configure Dependabot to create PR only on **minor** and **major** updates? – georgekrax Dec 05 '20 at 16:19
  • @georgekrax I don't think there is a simple option for that. But considering you enable Dependabot version updates by checking a configuration file in to your repository, you could add that config file *only* for minor and major updates, leaving that same file out of your sources between releases. – VonC Dec 06 '20 at 00:01
  • Thank you for your help, but I do not know if I can add a configuration file to my repo, as Dependabot works with private packages only through their dashboard and website – georgekrax Dec 06 '20 at 12:44
  • @georgekrax Oh you mean minor and major updates of your project dependencies. I thought you meant minor/major updates of your own project. – VonC Dec 06 '20 at 13:53
  • Yes, that's right. I meant for Dependabot to update and create PRs only for minor and major updates of dependencies, of other packages – georgekrax Dec 06 '20 at 16:11
  • @georgekrax OK. Not sure then. Maybe one of the [Configuration options for dependency updates](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates), like the [`versioning-strategy` one](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates#versioning-strategy) – VonC Dec 06 '20 at 16:21
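The two pieces the changelog entries above describe (a `registries` section whose credential comes from Dependabot's own secret store, and a CI workflow that receives that same secret on Dependabot-triggered runs) fit together as follows. This is an added example, not code from the original answer or from GitHub's docs; it assumes private npm packages published to GitHub Packages under the `@my-org` scope and a Dependabot secret named `GH_PACKAGES_TOKEN` holding a PAT with `read:packages`. Both files are shown as one YAML stream separated by `---`; the `ignore` rule at the end answers the question raised in the comments, restricting pull requests to minor and major updates.

```yaml
# .github/dependabot.yml  (added example; registry name and secret name are assumed)
version: 2
registries:
  github-packages-npm:
    type: npm-registry
    url: https://npm.pkg.github.com
    # Resolved from the *Dependabot* secret store (Settings > Secrets > Dependabot),
    # not from Actions secrets. The PAT only needs read:packages.
    token: ${{ secrets.GH_PACKAGES_TOKEN }}
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: weekly
    # Tell this update job which registry it may authenticate against.
    registries:
      - github-packages-npm
    # Only minor and major bumps: drop patch-level updates for every dependency.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]
---
# .github/workflows/ci.yml  (added example; scope and secret name are assumed)
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # setup-node writes an .npmrc pointing @my-org at GitHub Packages and
          # reads the token from NODE_AUTH_TOKEN at install time.
          registry-url: https://npm.pkg.github.com
          scope: "@my-org"
      - run: npm ci
        env:
          # On a Dependabot-triggered run this is filled from the Dependabot secret
          # store; on every other pull request it comes from Actions secrets.
          NODE_AUTH_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN }}
```

Two practical checks: the secret has to exist under the same name in both stores (Actions and Dependabot), because a Dependabot-triggered workflow is given Dependabot secrets only, not the repository's Actions secrets; and whether the registry credential actually worked is visible in the job log under Insights > Dependency graph > Dependabot, which is the first place to look when the private package is reported as not found.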
2

Although there is not much information and documentation on this particular topic, I managed to solve my issue. It is a combination of GitHub Secrets and configuration of the .npmrc & .yarnrc files. You can find the related issue, as well as my official answer, here.

georgekrax
2

For Google Cloud users looking to set up Dependabot with a private npm package repository in Artifact Registry, this is how I configured Dependabot:

version: 2
registries:
  artifact-registry:
    type: npm-registry
    url: https://<location>-npm.pkg.dev/<project-id>/<repository-name>
    username: "_json_key_base64" # <- Note the username
    password: ${{ secrets.ARTIFACT_REGISTRY_CREDENTIALS }} # base64 encoded service account key stored as Github secret. SA must have reader permissions in npm repository.
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: monthly
      time: "08:00"
      timezone: "Europe/Tallinn"
    registries:
      - artifact-registry
    commit-message:
      prefix: "chore: "
    open-pull-requests-limit: 10
    pull-request-branch-name:
      separator: "-"
lkallas
  • Not limited to Google Cloud, see https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry – Markus Schulte Mar 23 '23 at 16:11
  • @MarkusSchulte Thanks, but I was more pointing out the authentication username which is not documented clearly(or at all) by Google Cloud. – lkallas Mar 29 '23 at 10:50