Open ppennanen opened 1 year ago
This is a great idea!
Unfortunately, implementing that will take a bit of work--at least for the Dependabot service that GitHub runs, so not something we're likely to get to for a while. But it is something I could see us eventually building out.
In the meantime, if you want a workaround, the Dependabot secrets can be rotated via an API. So you could script the rotation on your desired frequency... for example, if Dependabot runs weekly, you can script the token to rotate the day before with a 24-hour expiration, so it expires right after Dependabot runs. There's even a community-maintained GitHub Action for it.
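The rotation workaround described above, as an added example that is not code from the thread or from Dependabot itself: it fetches the repository's Dependabot public key, seals the new short-lived registry credential with it, and PUTs the secret. It assumes PyNaCl for the sealed-box encryption GitHub requires, and a caller that already holds the fresh credential (for example the output of the cloud CLI's registry login command); the `request` and `seal` parameters are injectable only so the flow can be exercised without network access.

```python
"""Rotate a Dependabot repository secret through the GitHub REST API."""
import base64
import json
import os
import urllib.request
from typing import Callable, Optional

API = "https://api.github.com"


def github_request(method: str, path: str, token: str, body: Optional[dict] = None) -> dict:
    """Minimal GitHub REST call; returns the decoded JSON body ({} for an empty reply)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/vnd.github+json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def seal_for_github(public_key_b64: str, plaintext: str) -> str:
    """Encrypt the value with the repo's libsodium public key (sealed box),
    the format GitHub requires for every secrets PUT. Needs PyNaCl (assumed)."""
    from nacl import encoding, public
    key = public.PublicKey(public_key_b64.encode(), encoding.Base64Encoder())
    sealed = public.SealedBox(key).encrypt(plaintext.encode())
    return base64.b64encode(sealed).decode()


def rotate_dependabot_secret(repo: str, secret_name: str, new_value: str, token: str,
                             request: Callable = github_request,
                             seal: Callable = seal_for_github) -> dict:
    """Fetch the Dependabot public key, seal new_value, and upsert the secret.
    Returns the payload that was sent (encrypted_value + key_id)."""
    key = request("GET", f"/repos/{repo}/dependabot/secrets/public-key", token)
    payload = {"encrypted_value": seal(key["key"], new_value), "key_id": key["key_id"]}
    request("PUT", f"/repos/{repo}/dependabot/secrets/{secret_name}", token, payload)
    return payload


if __name__ == "__main__":
    # Example wiring: the freshly minted registry credential is passed in by the
    # scheduler (cron / workflow) via NEW_REGISTRY_TOKEN; names are placeholders.
    rotate_dependabot_secret(os.environ["GH_REPO"], os.environ["SECRET_NAME"],
                             os.environ["NEW_REGISTRY_TOKEN"], os.environ["GITHUB_TOKEN"])
```

The token used for `GITHUB_TOKEN` needs write access to the repository's Dependabot secrets; scheduling the script the day before the Dependabot run keeps the credential's lifetime to the window the comment above describes.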
Thank you for the feedback and workaround!
+1 on this issue.
@jeffwidman are there any plans to implement this? As Dependabot is transitioning to running on Actions workflows, a new possibility could be to allow for custom extra workflow steps that could enable custom authentication. The GitHub OIDC could then be used in a custom step to gain access to temporary roles, while exporting the tokens to Dependabot.
Is there an existing issue for this?
Feature description
It would be great to utilise GitHub OpenID Connect for dependabot, to avoid the need to store static credentials in GitHub secrets.
This is particularly important for the docker ecosystem, where it is common that private container images are stored in cloud provider container registries (e.g. ACR, ECR and GCR).