Dependabot cannot update this dependency (Private Registry) #23371
-
Using the .dependabot/config.yml file for configuring Dependabot on our projects that use private registries such as php.fury.io works fine, but when using the .github/dependabot.yml file instead, GitHub says: “Dependabot doesn’t support updating dependency files that use private package registries.” Do we know if there will be support for this in the future? Is there any action I can take now to make it work in the meantime?
Replies: 13 comments
-
Also waiting for this. Is there any time frame?
-
Would really like an update… I migrated from
-
github.com/github/roadmap
Dependabot support for private registries
Summary Dependabot support for private registries and private git repos allows users to keep private repos and packages secure by opening pull...
-
GitHub announced yesterday that Dependabot now supports private repositories. I tried this today with an npm package associated with a private repository with no luck. I suspect it works with private repositories (as in: a dependency which is a GitHub URL for a private repo) and not for packages in private repositories. I’ve filed feedback hoping for some clarification, hopefully in the form of some update in the documentation.
-
Hi there, Despite this blog post, the documentation still shows both private registries and private repositories not being supported. Plus, the public roadmap issue for this feature was closed with label Can we have some piece of information about:
-
However it seems like GitHub is distinguishing between private external registries and private GitHub repos: Dependabot version updates: support for private repositories (Cloud Beta) · Issue #155 · github/roadmap · GitHub
-
About that: Using dependabot with the private github registry isn’t generally working for me. However editing the content of the
To:
As described here: Configuring npm for use with GitHub Packages - GitHub Docs Will at least let dependabot check for the other packages not in the private registry
-
Bumping @david-guillot’s comment - this does not work yet, which is odd given the blog post is still up.
-
Some news:
This new feature seems to be related to private registries, which seems to be supported for all languages. Doesn’t fit my needs (private repositories for Python/pip), but could be useful for some 🙂
-
The feature is shipped but now I have this issue: Dependabot doesn't see GitHub actions secrets - #32 by ryanhiebert
-
Same here, it looks like the dependabot secrets are accessible only for dependabot configuration in
-
I’ve had to read the blog post, docs, and dependabot.yml docs several times because it seems that, and I can’t quite believe it, you once again need to generate Personal Access Tokens to access private repositories and packages that are all part of the same GitHub organisation?
Hi @zachwright,
Welcome to the community! We’re working on adding private registry support over the coming months. For now, I would recommend you keep using Dependabot Preview. You can migrate back by removing the new config file and adding the repository in https://app.dependabot.com/