How to allow Dependabot access to private repos? Docs are incorrect

[GeekOnIce]

Select Topic Area

Question

Body

I have recently added Dependabot to a Swift project, which pulls in several dependencies via SPM, by accessing the GitHub URLs directly for some external as well as some private internal repos. However, I've yet to get it to work due to the private repos it is attempting to access. In the Dependabot logs, I see that it first gets a 404 accessing the private repo with default auth, followed by a 401 when it tries again without auth.

Digging around the docs, I found that a setting for this is supposed to exist in an organizational setting under Code security and analysis section called "Grant Dependabot private repository access", which allows one to add the private repositories you want Dependabot to have access to. However, this setting does not exist in the two different organizations I've looked in (the one having the error, as well as a separate one I have access to), so I've been unable to resolve the issue.

Did the location of this setting move? I've dug around quite a bit in the org settings and have been unable to find it.

[Nishnha]

Hi I believe only organization owners will be able to view the Code security and analysis section. You can grant access by following the instructions in https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts

If you're trying to grant Dependabot access to private repositories within your organization, you can alternatively configure a git private registry in your repo's dependabot.yml with a GitHub PAT as the password. Dependabot will be able to use this private registry to access any repository that the PAT is authorized for.

registries:
  github:
    type: git
    url: https://github.com/
    username: x-access-token
    password: ${{ secrets.MY_GITHUB_PAT }} # saved as a dependabot secret

[GeekOnIce]

When posted my message, the Grant Dependabot private repository access section was not there - I looked in an org that I'm the owner of, and a couple of people who are admins in my work org looked in that one, but the section was missing so we were unable to add our private repos to it. I assumed that the docs were outdated and the setting moved somewhere, but since they're back it seems this was just a temporary bug that has been fixed since then. I was now able to find it in my owned org, and my coworkers were able to find it and add the repos to it that we needed access for. However, even after this was done I'm still seeing the same errors as I was seeing before so doesn't seem like that setting is enough. I'll have to look into doing the alternate method you indicate.

[GeekOnIce]

To remove any potential permissions issues and shorten test cycles, I created a test org that I'm the owner of which contains a few simple repos in it. When I add my dependency repos in the Grant Dependabot private repository access section and try to run dependabot, the run fails, the same as indicated above. If I add the registry as indicated in an earlier reply to the dependabot.yml file, I can get the dependabot run to pass, and this works whether I have my private repos setup in the Grant Dependabot private repository access setting or not. It doesn't seem like I should need to do this though, as all of my repos are within the same org.

This brings up the question of what does this setting actually do? The Allowing Dependabot to access private dependencies documentation indicates that if your dependency is within the same org, all you should need to do is add the repo to the Grant Dependabot private repository access section and it should just work. It doesn't though. To get it to work I need to add a registry entry with an access token - the same as I'd need to do with a private registry that isn't in the org. Is there some other setting I'm missing somewhere, or is this feature broken?

[GeekOnIce]

Perhaps this is just a bug with Swift and Dependabot? I just ran across this bug report against dependabot-core, which matches my current experience with it.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬