jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-22 03:16:52 -05:00
Code Issues Projects Releases Wiki Activity

[March 15] Dependabot version updates support for private registries (#17985)

Browse Source 
* Update the UI for allowing private repos

* Private reg support WiP

* More WiP for private reg support

* Apply review comment about internal repos

* Add Dependabot secrets article

plus details of allowing remote code execution

* Add link to private registries info

* Fix conflict on PR

* Add 'private_source_*' errors to troubleshooting

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/managing-encrypted-secrets-for-dependabot.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/managing-encrypted-secrets-for-dependabot.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/managing-encrypted-secrets-for-dependabot.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/managing-encrypted-secrets-for-dependabot.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update data/reusables/dependabot/private-dependencies-note.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update data/reusables/dependabot/supported-package-managers.md

Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/managing-encrypted-secrets-for-dependabot.md

Co-authored-by: Jason Rudolph <jason@jasonrudolph.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com>

* Move registries section below updates

as requested by reviewer.

* Correct heading level of 'allow' subheading

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com>
Co-authored-by: Jason Rudolph <jason@jasonrudolph.com>
This commit is contained in:
hubwriter
2021-03-15 17:03:35 +00:00
committed by GitHub
parent 83f1e3af44
commit 9eccffecd1
14 changed files with 442 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/images/help/dependabot/dependabot-secrets.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
assets/images/help/dependabot/secret-repository-access.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 107 KiB

BIN
assets/images/help/dependabot/update-remove-org-secret.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

BIN
assets/images/help/dependabot/update-remove-repo-secret.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

4
content/github/administering-a-repository/about-dependabot-version-updates.md
View File

@@ -40,7 +40,9 @@ You can configure version updates for repositories that contain a dependency man
{% note %}
{% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. See the details in the table below.
{% data reusables.dependabot.private-dependencies-note %}
{% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. See the details in the table below.
{% endnote %}

350
content/github/administering-a-repository/configuration-options-for-dependency-updates.md
View File

@@ -2,6 +2,7 @@
title: Configuration options for dependency updates
intro: 'Detailed information for all the options you can use to customize how {% data variables.product.prodname_dependabot %} maintains your repositories.'
permissions: 'People with write permissions to a repository can configure {% data variables.product.prodname_dependabot %} for the repository.'
miniTocMaxHeadingLevel: 4
versions:
free-pro-team: '*'
---
@@ -14,9 +15,11 @@ The {% data variables.product.prodname_dependabot %} configuration file, *depend
You must store this file in the `.github` directory of your repository. When you add or update the *dependabot.yml* file, this triggers an immediate check for version updates. Any options that also affect security updates are used the next time a security alert triggers a pull request for a security update. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)."
### Configuration options for *dependabot.yml*
The *dependabot.yml* file has two mandatory top-level keys: `version`, and `updates`. You can, optionally, include a top-level `registries` key. The file must start with `version: 2`.
The *dependabot.yml* file must start with `version: 2` followed by an array of `updates`.
### Configuration options for updates
The top-level `updates` key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager. You can use the following options.
| Option | Required | Description |
|:---|:---:|:---|
@@ -27,11 +30,13 @@ The *dependabot.yml* file must start with `version: 2` followed by an array of `
| [`assignees`](#assignees) | | Assignees to set on pull requests |
| [`commit-message`](#commit-message) | | Commit message preferences |
| [`ignore`](#ignore) | | Ignore certain dependencies or versions |
| [`insecure-external-code-execution`](#insecure-external-code-execution) | | Allow or deny code execution in manifest files |
| [`labels`](#labels) | | Labels to set on pull requests |
| [`milestone`](#milestone) | | Milestone to set on pull requests |
| [`open-pull-requests-limit`](#open-pull-requests-limit) | | Limit number of open pull requests for version updates|
| [`pull-request-branch-name.separator`](#pull-request-branch-nameseparator) | | Change separator for pull request branch names |
| [`rebase-strategy`](#rebase-strategy) | | Disable automatic rebasing |
| [`registries`](#registries) | | Private registries that {% data variables.product.prodname_dependabot %} can access|
| [`reviewers`](#reviewers) | | Reviewers to set on pull requests |
| [`schedule.day`](#scheduleday) | | Day of week to check for updates |
| [`schedule.time`](#scheduletime) | | Time of day to check for updates (hh:mm) |
@@ -60,9 +65,9 @@ In general, security updates use any configuration options that affect pull requ
{% endnote %}
### `package-ecosystem`
#### `package-ecosystem`
**Required** You add one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each of these package managers. If you want to enable vendoring for a package manager that supports it, the vendored dependencies must be located in the required directory. For more information, see [`vendor`](#vendor) below.
**Required**. You add one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each of these package managers. If you want to enable vendoring for a package manager that supports it, the vendored dependencies must be located in the required directory. For more information, see [`vendor`](#vendor) below.
{% data reusables.dependabot.supported-package-managers %}
@@ -91,9 +96,9 @@ updates:
interval: "daily"
```
### `directory`
#### `directory`
**Required** You must define the location of the package manifests for each package manager (for example, the *package.json* or *Gemfile*). You define the directory relative to the root of the repository for all ecosystems except GitHub Actions. For GitHub Actions, set the directory to `/` to check for workflow files in `.github/workflows`.
**Required**. You must define the location of the package manifests for each package manager (for example, the *package.json* or *Gemfile*). You define the directory relative to the root of the repository for all ecosystems except GitHub Actions. For GitHub Actions, set the directory to `/` to check for workflow files in `.github/workflows`.
```yaml
# Specify location of manifest files for each package manager
@@ -120,9 +125,9 @@ updates:
interval: "daily"
```
### `schedule.interval`
#### `schedule.interval`
**Required** You must define how often to check for new versions for each package manager. By default, this is at 5am UTC. To modify this, use [`schedule.time`](#scheduletime) and [`schedule.timezone`](#scheduletimezone).
**Required**. You must define how often to check for new versions for each package manager. By default, this is at 5am UTC. To modify this, use [`schedule.time`](#scheduletime) and [`schedule.timezone`](#scheduletimezone).
- `daily`—runs on every weekday, Monday to Friday.
- `weekly`—runs once each week. By default, this is on Monday. To modify this, use [`schedule.day`](#scheduleday).
@@ -153,7 +158,7 @@ updates:
{% endnote %}
### `allow`
#### `allow`
{% data reusables.dependabot.default-dependencies-allow-ignore %}
@@ -171,7 +176,7 @@ Use the `allow` option to customize which dependencies are updated. This has no
| `development`| `bundler`, `composer`, `mix`, `maven`, `npm`, `pip` | Only dependencies in the "Development dependency group". |
```yaml
# Customizing the dependencies to maintain with `allow`
# Use `allow` to specify which dependencies to maintain
version: 2
updates:
@@ -207,7 +212,7 @@ updates:
dependency-type: "production"
```
### `assignees`
#### `assignees`
Use `assignees` to specify individual assignees for all pull requests raised for a package manager.
@@ -227,7 +232,7 @@ updates:
- "octocat"
```
### `commit-message`
#### `commit-message`
By default, {% data variables.product.prodname_dependabot %} attempts to detect your commit message preferences and use similar patterns. Use the `commit-message` option to specify your preferences explicitly.
@@ -240,7 +245,7 @@ Supported options
{% data reusables.dependabot.option-affects-security-updates %}
```yaml
# Customizing commit messages
# Customize commit messages
version: 2
updates:
@@ -274,17 +279,17 @@ updates:
include: "scope"
```
### `ignore`
#### `ignore`
{% data reusables.dependabot.warning-ignore-option %}
#### Checking for existing ignore preferences
##### Checking for existing ignore preferences
Before you add an `ignore` option to the configuration file, check whether you've previously used any of the `@dependabot ignore` commands on a security update or version update pull request. {% data variables.product.prodname_dependabot %} stores these preferences for each package manager centrally and this information is overwritten by the `ignore` option. For more information about the `@dependabot ignore` commands, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates)."
You can check whether a repository has stored preferences by searching the repository for `"@dependabot ignore" in:comments`. If you review any pull requests in the results, you can decide whether or not to specify those ignored dependencies or versions in the configuration file.
#### Specifying dependencies and versions to ignore
##### Specifying dependencies and versions to ignore
{% data reusables.dependabot.default-dependencies-allow-ignore %}
@@ -296,7 +301,7 @@ You can use the `ignore` option to customize which dependencies are updated. The
{% data reusables.dependabot.option-affects-security-updates %}
```yaml
# Customizing the dependencies to maintain with `ignore`
# Use `ignore` to specify dependencies that should not be updated
version: 2
updates:
@@ -314,12 +319,38 @@ updates:
{% note %}
**Note**: {% data variables.product.prodname_dependabot %} can only run version updates on manifest or lock files if it can access all of the dependencies in the file, even if you add inaccessible dependencies to the `ignore` option of your configuration file. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private-repositories)" and "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors#dependabot-cant-resolve-your-dependency-files)."
**Note**: {% data variables.product.prodname_dependabot %} can only run version updates on manifest or lock files if it can access all of the dependencies in the file, even if you add inaccessible dependencies to the `ignore` option of your configuration file. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private-dependencies)" and "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors#dependabot-cant-resolve-your-dependency-files)."
{% endnote %}
### `labels`
#### `insecure-external-code-execution`
Package managers with the `package-ecosystem` values `bundler`, `mix`, and `pip` may execute external code in the manifest as part of the version update process. This might allow a compromised package to steal credentials or gain access to configured registries. When you add a [`registries`](#registries) setting within an `updates` configuration, {% data variables.product.prodname_dependabot %} automatically prevents external code execution, in which case the version update may fail. You can choose to override this behavior and allow external code execution for `bundler`, `mix`, and `pip` package managers by setting `insecure-external-code-execution` to `allow`.
You can explicitly deny external code execution, irrespective of whether there is a `registries` setting for this update configuration, by setting `insecure-external-code-execution` to `deny`.
{% raw %}
```yaml
# Allow external code execution when updating dependencies from private registries
version: 2
registries:
ruby-github:
type: rubygems-server
url: https://rubygems.pkg.github.com/octocat/github_api
token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}}
updates:
- package-ecosystem: "bundler"
directory: "/rubygems-server"
insecure-external-code-execution: allow
registries: "*"
schedule:
interval: "monthly"
```
{% endraw %}
#### `labels`
{% data reusables.dependabot.default-labels %}
@@ -343,7 +374,7 @@ updates:
- "dependencies"
```
### `milestone`
#### `milestone`
Use `milestone` to associate all pull requests raised for a package manager with a milestone. You need to specify the numeric identifier of the milestone and not its label. If you view a milestone, the final part of the page URL, after `milestone`, is the identifier. For example: `https://github.com/<org>/<repo>/milestone/3`.
@@ -362,14 +393,14 @@ updates:
milestone: 4
```
### `open-pull-requests-limit`
#### `open-pull-requests-limit`
By default, {% data variables.product.prodname_dependabot %} opens a maximum of five pull requests for version updates. Once there are five open pull requests, new requests are blocked until you merge or close some of the open requests, after which new pull requests can be opened on subsequent updates. Use `open-pull-requests-limit` to change this limit. This also provides a simple way to temporarily disable version updates for a package manager.
This option has no impact on security updates, which have a separate, internal limit of ten open pull requests.
```yaml
# Changing the number of open pull requests allowed
# Specify the number of open pull requests allowed
version: 2
updates:
@@ -388,7 +419,7 @@ updates:
open-pull-requests-limit: 10
```
### `pull-request-branch-name.separator`
#### `pull-request-branch-name.separator`
{% data variables.product.prodname_dependabot %} generates a branch for each pull request. Each branch name includes `dependabot`, and the package manager and dependency that are updated. By default, these parts are separated by a `/` symbol, for example: `dependabot/npm_and_yarn/next_js/acorn-6.4.1`.
@@ -397,7 +428,7 @@ Use `pull-request-branch-name.separator` to specify a different separator. This
{% data reusables.dependabot.option-affects-security-updates %}
```yaml
# Specifying a different separator for branch names
# Specify a different separator for branch names
version: 2
updates:
@@ -411,7 +442,7 @@ updates:
separator: "-"
```
### `rebase-strategy`
#### `rebase-strategy`
By default, {% data variables.product.prodname_dependabot %} automatically rebases open pull requests when it detects conflicts. Use `rebase-strategy` to disable this behavior.
@@ -423,7 +454,7 @@ Available rebase strategies
{% data reusables.dependabot.option-affects-security-updates %}
```yaml
# Disabling automatic rebasing
# Disable automatic rebasing
version: 2
updates:
@@ -435,7 +466,39 @@ updates:
rebase-strategy: "disabled"
```
### `reviewers`
#### `registries`
To allow {% data variables.product.prodname_dependabot %} to access a private package registry when performing a version update, you must include a `registries` setting within the relevant `updates` configuration. You can allow all of the defined registries to be used by setting `registries` to `"*"`. Alternatively, you can list the registries that the update can use. To do this, use the name of the registry as defined in the top-level `registries` section of the _dependabot.yml_ file.
To allow {% data variables.product.prodname_dependabot %} to use `bundler`, `mix`, and `pip` package managers to update dependencies in private registries, you can choose to allow external code execution. For more information, see [`insecure-external-code-execution`](#insecure-external-code-execution).
{% raw %}
```yaml
# Allow {% data variables.product.prodname_dependabot %} to use one of the two defined private registries
# when updating dependency versions for this ecosystem
version: 2
registries:
maven-github:
type: maven-repository
url: https://maven.pkg.github.com/octocat
token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}}
npm-npmjs:
type: npm-registry
url: https://registry.npmjs.org
username: octocat
password: ${{secrets.MY_NPM_PASSWORD}}
updates:
- package-ecosystem: "gitsubmodule"
directory: "/"
registries:
- maven-github
schedule:
interval: "monthly"
```
{% endraw %}
#### `reviewers`
Use `reviewers` to specify individual reviewers or teams of reviewers for all pull requests raised for a package manager. You must use the full team name, including the organization, as if you were @mentioning the team.
@@ -457,7 +520,7 @@ updates:
- "my-org/python-team"
```
### `schedule.day`
#### `schedule.day`
When you set a `weekly` update schedule, by default, {% data variables.product.prodname_dependabot %} checks for new versions on Monday at 05:00 UTC. Use `schedule.day` to specify an alternative day to check for updates.
@@ -484,7 +547,7 @@ updates:
day: "sunday"
```
### `schedule.time`
#### `schedule.time`
By default, {% data variables.product.prodname_dependabot %} checks for new versions at 05:00 UTC. Use `schedule.time` to specify an alternative time of day to check for updates (format: `hh:mm`).
@@ -500,7 +563,7 @@ updates:
time: "09:00"
```
### `schedule.timezone`
#### `schedule.timezone`
By default, {% data variables.product.prodname_dependabot %} checks for new versions at 05:00 UTC. Use `schedule.timezone` to specify an alternative time zone. The time zone identifier must be from the Time Zone database maintained by [iana](https://www.iana.org/time-zones). For more information, see [List of tz database time zones](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones).
@@ -518,7 +581,7 @@ updates:
timezone: "Asia/Tokyo"
```
### `target-branch`
#### `target-branch`
By default, {% data variables.product.prodname_dependabot %} checks for manifest files on the default branch and raises pull requests for version updates against this branch. Use `target-branch` to specify a different branch for manifest files and for pull requests. When you use this option, the settings for this package manager will no longer affect any pull requests raised for security updates.
@@ -549,7 +612,7 @@ updates:
- "npm dependencies"
```
### `vendor`
#### `vendor`
Use the `vendor` option to tell {% data variables.product.prodname_dependabot %} to vendor dependencies when updating them. Don't use this option if you're using `gomod` as {% data variables.product.prodname_dependabot %} automatically detects vendoring for this tool.
@@ -574,7 +637,7 @@ updates:
| `gomod` | No path requirement (dependencies are usually located in the _vendor_ directory) | [`go mod vendor` documentation](https://golang.org/ref/mod#go-mod-vendor) |
### `versioning-strategy`
#### `versioning-strategy`
When {% data variables.product.prodname_dependabot %} edits a manifest file to update a version, it uses the following overall strategies:
@@ -596,7 +659,7 @@ Available update strategies
| `increase-if-necessary` | `bundler`, `composer`, `npm` | Increase the version requirement only when required by the new version. |
```yaml
# Customizing the manifest version strategy
# Customize the manifest version strategy
version: 2
updates:
@@ -624,3 +687,222 @@ updates:
# ignore any version updates that affect the manifest
versioning-strategy: lockfile-only
```
### Configuration options for private registries
The top-level `registries` key is optional. It allows you to specify authentication details that {% data variables.product.prodname_dependabot %} can use to access private package registries.
{% note %}
**Note:** Private registries behind firewalls on private networks are not supported.
{% endnote %}
The value of the `registries` key is an associative array, each element of which consists of a key that identifies a particular registry and a value which is an associative array that specifies the settings required to access that registry. The following *dependabot.yml* file, configures a registry identified as `dockerhub` in the `registries` section of the file and then references this in the `updates` section of the file.
{% raw %}
```yaml
# Minimal settings to update dependencies in one private registry
version: 2
registries:
dockerhub: # Define access for a private registry
type: docker-registry
url: registry.hub.docker.com
username: octocat
password: ${{secrets.DOCKERHUB_PASSWORD}}
updates:
- package-ecosystem: "docker"
directory: "/docker-registry/dockerhub"
registries:
- dockerhub # Allow version updates for dependencies in this registry
schedule:
interval: "monthly"
```
{% endraw %}
You use the following options to specify access settings. Registry settings must contain a `type` and a `url`, and typically either a `username` and `password` combination or a `token`.
| Option&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Description |
|:---|:---|
| `type` | Identifies the type of registry. See the full list of types below. |
| `url` | The URL to use to access the dependencies in this registry. The protocol is optional. If not specified, `https://` is assumed. {% data variables.product.prodname_dependabot %} adds or ignores trailing slashes as required. |
| `username` | The username that {% data variables.product.prodname_dependabot %} uses to access the registry. |
| `password` | A reference to a {% data variables.product.prodname_dependabot %} secret containing the password for the specified user. For more information, see "[Managing encrypted secrets for Dependabot](/github/administering-a-repository/managing-encrypted-secrets-for-dependabot)." |
| `token` | A reference to a {% data variables.product.prodname_dependabot %} secret containing an access token for this registry. For more information, see "[Managing encrypted secrets for Dependabot](/github/administering-a-repository/managing-encrypted-secrets-for-dependabot)." |
| `replaces-base` | For registries with `type: python-index`, if the boolean value is `true`, pip resolves dependencies by using the specified URL rather than the base URL of the Python Package Index (by default `https://pypi.org/simple`). |
Each configuration `type` requires you to provide particular settings. Some types allow more than one way to connect. The following sections provide details of the settings you should use for each `type`.
#### `composer-repository`
The `composer-repository` type supports username and password.
{% raw %}
```yaml
registries:
composer:
type: composer-repository
url: https://repo.packagist.com/example-company/
username: octocat
password: ${{secrets.MY_PACKAGIST_PASSWORD}}
```
{% endraw %}
#### `docker-registry`
The `docker-registry` type supports username and password.
{% raw %}
```yaml
registries:
dockerhub:
type: docker-registry
url: https://registry.hub.docker.com
username: octocat
password: ${{secrets.MY_DOCKERHUB_PASSWORD}}
```
{% endraw %}
#### `git`
The `git` type supports username and password.
{% raw %}
```yaml
registries:
github-octocat:
type: git
url: https://github.com
username: x-access-token
password: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}}
```
{% endraw %}
#### `maven-repository`
The `maven-repository` type supports username and password, or token.
{% raw %}
```yaml
registries:
maven-artifactory:
type: maven-repository
url: https://artifactory.example.com
username: octocat
password: ${{secrets.MY_ARTIFACTORY_PASSWORD}}
```
{% endraw %}
{% raw %}
```yaml
registries:
maven-github:
type: maven-repository
url: https://maven.pkg.github.com/octocat
token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}}
```
{% endraw %}
#### `npm-registry`
The `npm-registry` type supports username and password, or token.
{% raw %}
```yaml
registries:
npm-npmjs:
type: npm-registry
url: https://registry.npmjs.org
username: octocat
password: ${{secrets.MY_NPM_PASSWORD}}
```
{% endraw %}
{% raw %}
```yaml
registries:
npm-github:
type: npm-registry
url: https://npm.pkg.github.com
token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}}
```
{% endraw %}
#### `nuget-feed`
The `nuget-feed` type supports username and password, or token.
{% raw %}
```yaml
registries:
nuget-example:
type: nuget-feed
url: https://nuget.example.com/v3/index.json
username: octocat@example.com
password: ${{secrets.MY_NUGET_PASSWORD}}
```
{% endraw %}
{% raw %}
```yaml
registries:
nuget-azure-devops:
type: nuget-feed
url: https://pkgs.dev.azure.com/.../_packaging/My_Feed/nuget/v3/index.json
token: ${{secrets.MY_AZURE_DEVOPS_TOKEN}}
```
{% endraw %}
#### `python-index`
The `python-index` type supports username and password, or token.
{% raw %}
```yaml
registries:
python-example:
type: python-index
url: https://example.com/_packaging/my-feed/pypi/example
username: octocat
password: ${{secrets.MY_BASIC_AUTH_PASSWORD}}
replaces-base: true
```
{% endraw %}
{% raw %}
```yaml
registries:
python-azure:
type: python-index
url: https://pkgs.dev.azure.com/octocat/_packaging/my-feed/pypi/example
token: ${{secrets.MY_AZURE_DEVOPS_TOKEN}}
replaces-base: true
```
{% endraw %}
#### `rubygems-server`
The `rubygems-server` type supports username and password, or token.
{% raw %}
```yaml
registries:
ruby-example:
type: rubygems-server
url: https://rubygems.example.com
username: octocat@example.com
password: ${{secrets.MY_RUBYGEMS_PASSWORD}}
```
{% endraw %}
{% raw %}
```yaml
registries:
ruby-github:
type: rubygems-server
url: https://rubygems.pkg.github.com/octocat/github_api
token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}}
```
{% endraw %}

7
content/github/administering-a-repository/enabling-and-disabling-version-updates.md
View File

@@ -18,9 +18,12 @@ You enable {% data variables.product.prodname_dependabot_version_updates %} by c
### Enabling {% data variables.product.prodname_dependabot_version_updates %}
{% data reusables.dependabot.create-dependabot-yml %}
1. Use `package-ecosystem` to specify the package managers to monitor.
{% data reusables.dependabot.create-dependabot-yml %} For information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates)."
1. Add a `version`.
1. Optionally, if you have dependencies in a private registry, add a `registries` section containing authentication details.
1. Add an `updates` section, with an entry for each package manager you want {% data variables.product.prodname_dependabot %} to monitor.
1. For each package manager, use:
- `package-ecosystem` to specify the package manager.
- `directory` to specify the location of the manifest or other definition files.
- `schedule.interval` to specify how often to check for new versions.
{% data reusables.dependabot.check-in-dependabot-yml %}

1
content/github/administering-a-repository/index.md
View File

@@ -64,6 +64,7 @@ versions:
{% link_in_list /enabling-and-disabling-version-updates %}
{% link_in_list /listing-dependencies-configured-for-version-updates %}
{% link_in_list /managing-pull-requests-for-dependency-updates %}
{% link_in_list /managing-encrypted-secrets-for-dependabot %}
{% link_in_list /customizing-dependency-updates %}
{% link_in_list /configuration-options-for-dependency-updates %}
{% link_in_list /keeping-your-actions-up-to-date-with-dependabot %}

72
content/github/administering-a-repository/managing-encrypted-secrets-for-dependabot.md Normal file
View File

@@ -0,0 +1,72 @@
---
title: Managing encrypted secrets for Dependabot
intro: You can store sensitive information, like passwords and access tokens, as encrypted secrets and then reference these in the {% data variables.product.prodname_dependabot %} configuration file.
versions:
free-pro-team: '*'
---
### About encrypted secrets for {% data variables.product.prodname_dependabot %}
{% data variables.product.prodname_dependabot %} secrets are encrypted credentials that you create at either the organization level or the repository level.
When you add a secret at the organization level, you can specify which repositories can access the secret. You can use secrets to allow {% data variables.product.prodname_dependabot %} to update dependencies located in private package registries. When you add a secret it's encrypted before it reaches {% data variables.product.prodname_dotcom %} and it remains encrypted until it's used by {% data variables.product.prodname_dependabot %} to access a private package registry.
After you add a {% data variables.product.prodname_dependabot %} secret, you can reference it in the _dependabot.yml_ configuration file like this: {% raw %}`${{secrets.NAME}}`{% endraw %}, where "NAME" is the name you chose for the secret. For example:
{% raw %}
```yaml
password: ${{secrets.MY_ARTIFACTORY_PASSWORD}}
```
{% endraw %}
For more information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#configuration-options-for-private-registries)."
#### Naming your secrets
The name of a {% data variables.product.prodname_dependabot %} secret:
* Can only contain alphanumeric characters (`[A-Z]`, `[0-9]`) or underscores (`_`). Spaces are not allowed. If you enter lowercase letters these are changed to uppercase.
* Must not start with the `GITHUB_` prefix.
* Must not start with a number.
### Adding a repository secret for {% data variables.product.prodname_dependabot %}
{% data reusables.github-actions.permissions-statement-secrets-repository %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.github-actions.sidebar-secret %}
{% data reusables.dependabot.dependabot-secrets-button %}
1. Click **New repository secret**.
1. Type a name for your secret in the **Name** input box.
1. Enter the value for your secret.
1. Click **Add secret**.
The name of the secret is listed on the Dependabot secrets page. You can click **Update** to change the secret value. You can click **Remove** to delete the secret.
![Update or remove a repository secret](/assets/images/help/dependabot/update-remove-repo-secret.png)
### Adding an organization secret for {% data variables.product.prodname_dependabot %}
When creating a secret in an organization, you can use a policy to limit which repositories can access that secret. For example, you can grant access to all repositories, or limit access to only private repositories or a specified list of repositories.
{% data reusables.github-actions.permissions-statement-secrets-organization %}
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.org_settings %}
{% data reusables.github-actions.sidebar-secret %}
{% data reusables.dependabot.dependabot-secrets-button %}
1. Click **New organization secret**.
1. Type a name for your secret in the **Name** input box.
1. Enter the **Value** for your secret.
1. From the **Repository access** dropdown list, choose an access policy.
1. If you chose **Selected repositories**:
* Click {% octicon "gear" aria-label="The Gear icon" %}.
* Choose the repositories that can access this secret.
![Select repositories for this secret](/assets/images/help/dependabot/secret-repository-access.png)
* Click **Update selection**.
1. Click **Add secret**.
The name of the secret is listed on the Dependabot secrets page. You can click **Update** to change the secret value or its access policy. You can click **Remove** to delete the secret.
![Update or remove an organization secret](/assets/images/help/dependabot/update-remove-repo-secret.png)

15
content/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors.md
View File

@@ -76,9 +76,20 @@ There are separate limits for security and version update pull requests, so that
The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see "[Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually)."
#### {% data variables.product.prodname_dependabot %} can't resolve your dependency files
#### {% data variables.product.prodname_dependabot %} can't resolve or access your dependencies
If {% data variables.product.prodname_dependabot %} attempts to check whether dependency references need to be updated in a repository, but can't access one or more of the referenced files, the operation will fail with the error message "{% data variables.product.prodname_dependabot %} can't resolve your LANGUAGE dependency files." The API error type is `git_dependencies_not_reachable`.
If {% data variables.product.prodname_dependabot %} attempts to check whether dependency references need to be updated in a repository, but can't access one or more of the referenced files, the operation will fail with the error message "{% data variables.product.prodname_dependabot %} can't resolve your LANGUAGE dependency files." The API error type is `git_dependencies_not_reachable`.
Similarly, if {% data variables.product.prodname_dependabot %} can't access a private package registry in which a dependency is located, one of the following errors is generated:
* "Dependabot can't reach a dependency in a private package registry"<br>
(API error type: `private_source_not_reachable`)
* "Dependabot can't authenticate to a private package registry"<br>
(API error type:`private_source_authentication_failure`)
* "Dependabot timed out while waiting for a private package registry"<br>
(API error type:`private_source_timed_out`)
* "Dependabot couldn't validate the certificate for a private package registry"<br>
(API error type:`private_source_certificate_failure`)
To allow {% data variables.product.prodname_dependabot %} to update the dependency references successfully, make sure that all of the referenced dependencies are hosted at accessible locations.

10
content/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization.md
View File

@@ -94,13 +94,17 @@ You can enable or disable features for all repositories. {% if currentVersion ==
{% if currentVersion == "free-pro-team@latest" %}
### Allowing Dependabot to access private repositories
### Allowing {% data variables.product.prodname_dependabot %} to access private dependencies
{% data reusables.dependabot.beta-note %}
{% data variables.product.prodname_dependabot %} can check for outdated dependency references in a project and automatically generate a pull request to update them. To do this, {% data variables.product.prodname_dependabot %} must have access to all of the targeted dependency files. Typically, version updates will fail if one or more dependencies are inaccessible.
{% data variables.product.prodname_dependabot %} can check for outdated dependency references in a project and automatically generate a pull request to update them. To do this, {% data variables.product.prodname_dependabot %} must have access to all of the targeted dependency files. Typically, version updates will fail if one or more dependencies are inaccessible. For more information, see "[About {% data variables.product.prodname_dependabot %} version updates](/github/administering-a-repository/about-dependabot-version-updates)."
By default, {% data variables.product.prodname_dependabot %} can't update dependencies that are located in private repositories. However, if a dependency is in a private {% data variables.product.prodname_dotcom %} repository within the same organization as the project that uses that dependency, you can allow {% data variables.product.prodname_dependabot %} to update the version successfully by giving it access to the host repository. For more information, including details of limitations to private dependency support, see "[About Dependabot version updates](/github/administering-a-repository/about-dependabot-version-updates)."
By default, {% data variables.product.prodname_dependabot %} can't update dependencies that are located in private repositories or private package registries. However, if a dependency is in a private {% data variables.product.prodname_dotcom %} repository within the same organization as the project that uses that dependency, you can allow {% data variables.product.prodname_dependabot %} to update the version successfully by giving it access to the host repository.
If your code depends on packages in a private registry, you can allow {% data variables.product.prodname_dependabot %} to update the versions of these dependencies by configuring this at the repository level. You do this by adding authentication details to the _dependabot.yml_ file for the repository. For more information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#configuration-options-for-private-registries)."
To allow {% data variables.product.prodname_dependabot %} to access a private {% data variables.product.prodname_dotcom %} repository:
1. Go to the security and analysis settings for your organization. For more information, see "[Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings)."
1. Under "{% data variables.product.prodname_dependabot %} private repository access", click **Add private repositories** or **Add internal and private repositories**.

2
data/reusables/dependabot/dependabot-secrets-button.md Normal file
View File

@@ -0,0 +1,2 @@
1. In the sidebar, click **{% data variables.product.prodname_dependabot %}**.
![{% data variables.product.prodname_dependabot %} secrets sidebar option](/assets/images/help/dependabot/dependabot-secrets.png)

4
data/reusables/dependabot/private-dependencies-note.md
View File

@@ -1,3 +1 @@
When running security or version updates, some ecosystems must be able to resolve all dependencies from their source to verify that updates have been successful. If your manifest or lock files contain any private dependencies, {% data variables.product.prodname_dependabot %} must be able to access the location at which those dependencies are hosted. Organization owners can grant {% data variables.product.prodname_dependabot %} access to private repositories containing dependencies for a project within the same organization. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private-repositories)."
Currently, {% data variables.product.prodname_dependabot %} version updates doesn't support manifest or lock files that contain any dependencies hosted in private registries, or in private {% data variables.product.prodname_dotcom %} repositories that belong to a different organization than the dependent project.
When running security or version updates, some ecosystems must be able to resolve all dependencies from their source to verify that updates have been successful. If your manifest or lock files contain any private dependencies, {% data variables.product.prodname_dependabot %} must be able to access the location at which those dependencies are hosted. Organization owners can grant {% data variables.product.prodname_dependabot %} access to private repositories containing dependencies for a project within the same organization. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private-dependencies)." You can configure access to private registries in a repository's _dependabot.yml_ configuration file. For more information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#configuration-options-for-private-registries)."

44
data/reusables/dependabot/supported-package-managers.md
View File

@@ -1,30 +1,30 @@
The following table shows, for each package manager:
- The YAML value to use in the *dependabot.yml* file
- The supported versions of the package manager
- Whether dependencies in private {% data variables.product.prodname_dotcom %} repositories are supported
- Whether dependencies in private {% data variables.product.prodname_dotcom %} repositories or registries are supported
- Whether vendored dependencies are supported
Package manager | YAML value | Supported versions | Private repositories | Vendoring
--- | --- | --- |:---:|:---:
Bundler | `bundler` | v1 | | **✓** |
Cargo | `cargo` | v1 | **✓** | |
Composer | `composer` | v1, v2 | **✓** | |
Docker | `docker` | v1 | **✓** | |
Elixir | `mix` | v1 | | |
Elm | `elm` | v0.18, v0.19 | **✓** | |
git submodule | `gitsubmodule` | N/A (no version) | **✓** | |
GitHub Actions | `github-actions` | N/A (no version) | **✓** | |
Go modules | `gomod` | v1 | **✓** | **✓** |
Gradle | `gradle` | N/A (no version)<sup>[1]</sup> | **✓** | |
Maven | `maven` | N/A (no version)<sup>[2]</sup> | **✓** | |
npm | `npm` | v6, v7 | **✓** | |
NuGet | `nuget` | <= 4.8<sup>[3]</sup> | **✓** | |
pip | `pip` | v20 | | |
pipenv | `pip` | <= 2018.11.26 | | |
pip-compile | `pip` | 5.5.0 | | |
poetry | `pip` | v1 | | |
Terraform | `terraform` | <= 0.11 | **✓** | |
yarn | `npm` | v1 | **✓** | |
Package manager | YAML value | Supported versions | Private repositories | Private registries | Vendoring
---------------|------------------|------------------|:---:|:---:|:---:
Bundler | `bundler` | v1 | | **✓** | **✓** |
Cargo | `cargo` | v1 | **✓** | **✓** | |
Composer | `composer` | v1, v2 | **✓** | **✓** | |
Docker | `docker` | v1 | **✓** | **✓** | |
Hex | `mix` | v1 | | **✓** | |
elm-package | `elm` | v0.18, v0.19 | **✓** | **✓** | |
git submodule | `gitsubmodule` | N/A (no version) | **✓** | **✓** | |
GitHub Actions | `github-actions` | N/A (no version) | **✓** | **✓** | |
Go modules | `gomod` | v1 | **✓** | **✓** | **✓** |
Gradle | `gradle` | N/A (no version)<sup>[1]</sup> | **✓** | **✓** | |
Maven | `maven` | N/A (no version)<sup>[2]</sup> | **✓** | **✓** | |
npm | `npm` | v6, v7 | **✓** | **✓** | |
NuGet | `nuget` | <= 4.8<sup>[3]</sup> | **✓** | **✓** | |
pip | `pip` | v20 | | **✓** | |
pipenv | `pip` | <= 2018.11.26 | | **✓** | |
pip-compile | `pip` | 5.5.0 | | **✓** | |
poetry | `pip` | v1 | | **✓** | |
Terraform | `terraform` | <= 0.11 | **✓** | **✓** | |
yarn | `npm` | v1 | **✓** | **✓** | |
[1] {% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to the following files: `build.gradle` and `build.gradle.kts` (for Kotlin projects).