
How to use Dependabot with private packages

I need some help with Dependabot. I found out recently about this amazing package, but some of my repositories require dependencies that are private packages, created by me and used in my personal projects. Dependabot says that for any repositories using private packages, it is advised that they be configured from their website's dashboard.

In my repo, I have moved Dependabot's configuration into the .github/dependabot.yml file, from the dashboard where it was located before. In the Insights tab of the repo, in the Dependency Graph section, the error about not finding the private package is also being thrown. Has anyone implemented something similar? I would really appreciate your support here.

There is now more documentation on this, since Dec. 2nd, 2020:

Dependabot: version updates from private GitHub repositories

Dependabot already updates your public dependencies, such as open source dependencies from a public GitHub repository, npm, Maven Central, or similar.

Now, you can also update dependencies from private GitHub repositories. This feature is available for most package managers supported by Dependabot version updates, except bundler, hex, and pip.

To get started, grant Dependabot access to some or all of your private repositories on your organization's security & analysis settings page:

 https://github.com/organizations/YOUR-ORGANIZATION/settings/security_analysis.

Learn more about Dependabot version updates.


March 2021:

Dependabot private registry support public beta

Dependabot can now access dependencies from authenticated private registries, such as GitHub Packages, Azure Artifacts, and Artifactory. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. With this release, Dependabot version updates can help keep inner source as up-to-date as open source.

To enable this feature, add a registries section to your dependabot.yml, reference your new registries in the relevant updates, and add any secrets to Dependabot's secret store.

This complements your ability to give Dependabot version updates access to private repositories, which is common for ecosystems like go modules and npm.
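As an added illustration of the `registries` mechanism the changelog describes (this is an example written for this page, not the changelog's or the asker's configuration), here is a `.github/dependabot.yml` that authenticates npm updates against GitHub Packages and git-based dependencies against private GitHub repositories. The registry names (`github-npm`, `github-git`), the secret names (`GH_PACKAGES_TOKEN`, `GH_REPO_TOKEN`) and the weekly schedule are assumptions you would adapt to your own repository.

```yaml
# .github/dependabot.yml (example configuration, not from the original post)
version: 2

registries:
  # Private npm packages published to GitHub Packages.
  # The token is a PAT with at least read:packages, stored under
  # Settings -> Secrets and variables -> Dependabot (NOT the Actions secrets).
  github-npm:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{ secrets.GH_PACKAGES_TOKEN }}   # assumed secret name

  # Dependencies pulled straight from private GitHub repositories
  # (e.g. "my-lib": "github:my-org/my-lib#v1.2.0" in package.json).
  github-git:
    type: git
    url: https://github.com
    username: x-access-token
    password: ${{ secrets.GH_REPO_TOKEN }}    # assumed secret name, repo-scoped PAT

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Only the registries listed here are used for this update job.
    registries:
      - github-npm
      - github-git
```

Two points worth checking when this does not work as expected: the secrets must live in the Dependabot secret store, not in the repository's Actions secrets (they are separate stores, and a secret missing from the Dependabot one silently falls back to an unauthenticated request), and for scoped npm packages the project's own `.npmrc` must still map the scope to the registry (a line such as `@my-org:registry=https://npm.pkg.github.com`), because the `registries` block tells Dependabot how to authenticate, not which packages belong to which registry.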

Although there is not much information and documentation for this particular topic, I managed to solve my issue. It is a combination of GitHub Secrets and configuration of the .npmrc & .yarnrc files. You can find the related issue, as well as my official answer, here.
