I'm trying to use Dependabot on a private GitHub repo (let's call it RepoA). They're npm packages, and depend on other private GitHub repos that I serve via GitHub Packages (let's call them LibA and LibB).
I read some blog posts and tried the following:
- Created a `dependabot.yml` file:

```yaml
version: 2
registries:
  npm-github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.MY_DEPENDABOT_TOKEN}}
    replaces-base: true
```

- Within my organization, I went to Secrets and variables -> Dependabot and added `MY_DEPENDABOT_TOKEN` to all my packages. Link: https://github.com/organizations/[MY_ORGANIZATION]/settings/secrets/dependabot
- Within my organization, I went to Code security and analysis -> Grant Dependabot access to private repositories and selected `RepoA`, `LibA` and `LibB`. Link: https://github.com/organizations/[MY_ORGANIZATION]/settings/security_analysis
And still, when I try to run Dependabot to generate a PR by itself, I get a warning, and while checking the log, I noticed this:

```
proxy | 2023/10/25 19:52:55 [075] 401 https://npm.pkg.github.com:443/download/[MY_ORGANIZATION]/[MY_PACKAGE]/1.0.5/5c0cb9bfd2777ff51791408115241a26f694f8e9
proxy | 2023/10/25 19:52:55 [075] {"error":"authentication token not provided"}
```

What am I missing? How can I grant authorization for Dependabot to work with and download my private packages?
I discovered two things that were missing.
The first thing is that `dependabot.yml`, if using the embedded GitHub version, should be placed inside the `.github` folder. The second one is that you need to check your npm / yarn / pnpm configuration files and set them up properly. The following blog post describes how to do it:
https://docs.github.com/en/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot

npm

You need to add the registry to the `.npmrc` file:

yarn berry

You need to add the registry to the `.yarnrc.yml` file: