dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Cannot use GITHUB_TOKEN to authenticate to private registry #10144

Open dastrobu opened 2 months ago

dastrobu commented 2 months ago

Is there an existing issue for this?

Package ecosystem

docker

Package manager version

-

Language version

-

Manifest location and content before the Dependabot update

-

dependabot.yml content

version: 2
registries:
  github-containers:
    type: docker-registry
    url: containers.github.my-company.com
    username: USERNAME
    password: ${{ secrets.GITHUB_TOKEN }}
updates:
  - package-ecosystem: "docker"
    directory: "/ui"
    registries:
      - "github-containers"
    schedule:
      interval: "daily"

Updated dependency

-

What you expected to see, versus what you actually saw

I am trying to configure Dependabot in such a way that it can update docker images from the GitHub internal container registry following the docs. However, GITHUB_TOKEN cannot be resolved by dependabot, as shown in the logs:

Run github/dependabot-action@ghes-3.12
  env:
    GITHUB_TOKEN: ***
🤖 ~ starting update ~
Fetching job details
Error: Dependabot was unable to retrieve job credentials

Error: fetching credentials: unexpected status code: 422: {"errors":[{"status":422,"title":"Secret Not Found","detail":"GITHUB_TOKEN"}]}

I can see that GITHUB_TOKEN is passed to github/dependabot-action but there does not seem to be a way to use that token. I also tried to use

registries:
  github-containers:
    type: docker-registry
    url: containers.github.my-company.com
    username: USERNAME
    password: ${{ env.GITHUB_TOKEN }}

But this does not work either, as the environment variable seems to be resolved too early. In this case I receive a

private_source_authentication_failure

I did verify that I can authenticate to the package with the GitHub token outside of the dependabot run.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response
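An added example, not code from this issue or from the dependabot-core project: a small Python lint that scans a dependabot.yml for registry password values Dependabot cannot resolve. It flags the two forms tried above (an Actions `secrets.GITHUB_TOKEN` reference, which the issue log rejects with 422 "Secret Not Found", and an `env.` expression, which the issue reports as `private_source_authentication_failure`) and also warns on a literal credential committed to the repository. The embedded YAML is constructed for the example; the registry URL, usernames and the `REGISTRY_TOKEN` secret name are placeholders, not values from the issue.

```python
import re

# Regexes for the only line this lint cares about: a registry `password:` value.
PASSWORD_RE = re.compile(r"^\s*password:\s*(.+?)\s*$")
SECRET_RE = re.compile(r"^\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}$")
ENV_RE = re.compile(r"^\$\{\{\s*env\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}$")


def classify_password(value):
    """Return (level, message) for one registry password value.

    Dependabot resolves ${{ secrets.NAME }} from the repository's Dependabot
    secrets store, which is separate from Actions secrets. The issue log shows
    that the automatically provided GITHUB_TOKEN is not found there, and that
    the ${{ env.NAME }} form is not resolved at all.
    """
    value = value.strip().strip('"').strip("'")
    m = SECRET_RE.match(value)
    if m:
        if m.group(1) == "GITHUB_TOKEN":
            return ("error", "secrets.GITHUB_TOKEN is not a Dependabot secret "
                             "(422 Secret Not Found); store a registry token "
                             "as a Dependabot secret under another name")
        return ("ok", f"uses Dependabot secret {m.group(1)}")
    if ENV_RE.match(value):
        return ("error", "env context is not resolved in dependabot.yml "
                         "(private_source_authentication_failure); "
                         "use ${{ secrets.NAME }}")
    if value.startswith("${{"):
        return ("error", "unsupported expression; only ${{ secrets.NAME }} is resolved")
    return ("warning", "literal credential committed to the repository; "
                       "move it to a Dependabot secret")


def lint_dependabot_yml(text):
    """Scan dependabot.yml text; return [(line_number, level, message), ...]."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PASSWORD_RE.match(line)
        if m:
            level, msg = classify_password(m.group(1))
            findings.append((lineno, level, msg))
    return findings


def has_blocking_findings(findings):
    """True if any finding would stop Dependabot from authenticating."""
    return any(level == "error" for _, level, _ in findings)


# Constructed sample: four registries, one per password form discussed above.
SAMPLE_DEPENDABOT_YML = """\
version: 2
registries:
  ghcr-actions-token:
    type: docker-registry
    url: containers.example.internal
    username: USERNAME
    password: ${{ secrets.GITHUB_TOKEN }}
  ghcr-env:
    type: docker-registry
    url: containers.example.internal
    username: USERNAME
    password: ${{ env.GITHUB_TOKEN }}
  ghcr-literal:
    type: docker-registry
    url: containers.example.internal
    username: USERNAME
    password: "not-a-real-token"
  ghcr-dependabot-secret:
    type: docker-registry
    url: containers.example.internal
    username: USERNAME
    password: ${{ secrets.REGISTRY_TOKEN }}
updates:
  - package-ecosystem: "docker"
    directory: "/ui"
    registries:
      - "ghcr-dependabot-secret"
    schedule:
      interval: "daily"
"""

if __name__ == "__main__":
    report = lint_dependabot_yml(SAMPLE_DEPENDABOT_YML)
    for lineno, level, msg in report:
        print(f"line {lineno}: {level}: {msg}")
    raise SystemExit(1 if has_blocking_findings(report) else 0)
```

Run it against a real `.github/dependabot.yml` by reading the file instead of the sample string; a non-zero exit is meant for a pre-commit hook or CI step so that a configuration Dependabot cannot authenticate with is caught before the scheduled run fails.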

timbru31 commented 1 month ago

This might be related to https://github.com/dependabot/dependabot-core/issues/8411