Dependabot can now access dependencies from authenticated private registries, such as GitHub Packages, Azure Artifacts, and Artifactory. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. With this release, Dependabot version updates can help keep inner source as up-to-date as open source.
To enable this feature, add a registries
section to your dependabot.yml
, reference your new registries in the relevant updates
, and add any secrets to Dependabot’s secret store. For example, here’s how to use GitHub Packages with Dependabot:
registries:
npm-ghp-octocat:
type: npm-registry
url: https://npm.pkg.github.com
token: ${{secrets.GITHUB_PERSONAL_ACCESS_TOKEN}} # make sure to store this in your Dependabot secrets!
updates:
package-ecosystem: npm
directory: "/"
registries:
- npm-ghp-octocat
schedule:
interval: daily
This complements your ability to give Dependabot version updates access to private repositories, which is common for ecosystems like go modules and npm.