Dependabot can now read from private GitHub Packages registries without a personal access token. If a package has granted your repository access through “Manage Actions access” in the package settings, Dependabot reuses that grant.

What’s new

Dependabot’s GITHUB_TOKEN can now request packages: read, and Dependabot jobs send that token when pulling from *.pkg.github.com and ghcr.io. Any package that has granted your repository access through “Manage Actions access” will accept it, the same as a regular GitHub Actions workflow.

This is available for every GitHub Packages ecosystem that Dependabot supports.

How to enable it

For each package Dependabot needs to read:

  1. Open the package’s settings page (under your organization’s or personal account’s Packages tab).
  2. Under “Manage Actions access”, add the repository that runs Dependabot with Read access.

You don’t need to change dependabot.yml, and you can remove any PAT-based registry entries you added for these packages.
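As an added illustration (not from the original post), the kind of dependabot.yml entry this makes unnecessary, followed by the simplified form. The registry name, the secret name and the npm scope are assumptions; the example assumes the project's .npmrc already maps that scope to npm.pkg.github.com so no registry entry is needed once the package grants the repository Read access.

```yaml
# BEFORE: a PAT stored as a repository secret is handed to Dependabot
# so it can read a private package from GitHub Packages.
version: 2
registries:
  github-npm:                       # assumed registry name
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.GH_PACKAGES_PAT}}   # assumed secret name (a long-lived PAT)
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - github-npm
    schedule:
      interval: "weekly"

---
# AFTER: the package has granted this repository Read access under
# "Manage Actions access"; Dependabot's own GITHUB_TOKEN is sent instead,
# so the registry entry (and the PAT secret behind it) can be removed.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
```

Once the entry is gone, the PAT secret can be deleted from the repository, removing a long-lived credential that was scoped more broadly than a per-package grant.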

Learn more