Dependabot private Composer repositories formatting

I realize this is sort of a beta feature, but I’m tinkering with private repositories in dependabot.yml and am having trouble with an endpoint that doesn’t require a username or password, and also has a URL format that doesn’t end in the TLD:

```yaml
version: 2
registries:
  beaverbuilder:
    type: composer-repository
    url: "https://composer.wpbeaverbuilder.com/${{ secrets.BEAVER_BUILDER_KEY }}"
    username: ""
    password: ""
updates:
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "monthly"
```

Dependabot insisted I add username/password even though this endpoint doesn’t actually require them, and it doesn’t like the URL that doesn’t end in a TLD:

PHP registries must specify a url in a format like `https://repo.packagist.com` or `https://php.fury.io`.
Tokens should be stored as a GitHub secret.

Where’s the best place to drop feedback on this feature?


Hi there @ethanclevenger91! I have also had this issue. It looks like the password without a secret is what is causing the issue. I have also tried to make use of an empty password, only to receive the same error.

The workaround, as dumb as it sounds, is to create an EMPTY_STRING secret (or really any name that works) with only a space as the content. Then replace the password with: `${{ secrets.EMPTY_STRING }}`

I have also created a GH issue on their repo: Cannot provide empty password · Issue #3783 · dependabot/dependabot-core · GitHub
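
The workaround from the reply above applied to the configuration from the question, as an added example that is not part of either post. It assumes a Dependabot secret named EMPTY_STRING already exists with a single space as its value; the thread does not establish whether the URL with the key in its path is then accepted, and the `registries` entry under `updates` is an addition based on Dependabot's documented option for granting an update entry access to a registry.

```yaml
version: 2
registries:
  beaverbuilder:
    type: composer-repository
    # URL unchanged from the question; the key stays in a secret rather than in the file.
    url: "https://composer.wpbeaverbuilder.com/${{ secrets.BEAVER_BUILDER_KEY }}"
    # Left as in the question; the reply only reports the password field as the cause.
    username: ""
    # Workaround from the reply: reference a secret instead of a literal empty string.
    password: "${{ secrets.EMPTY_STRING }}"
updates:
  - package-ecosystem: "composer"
    directory: "/"
    # Not in the original post: lets this update entry use the registry defined above.
    registries:
      - beaverbuilder
    schedule:
      interval: "monthly"
```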