dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Support OIDC auth to cloud providers #6580

Open ppennanen opened 1 year ago

ppennanen commented 1 year ago

Feature description

It would be great to utilise GitHub OpenID Connect for dependabot, to avoid the need to store static credentials in GitHub secrets.

This is particularly important for the docker ecosystem, where it is common that private container images are stored in cloud provider container registries (e.g. ACR, ECR and GCR).

jeffwidman commented 1 year ago

This is a great idea!

Unfortunately, implementing that will take a bit of work--at least for the Dependabot service that GitHub runs, so not something we're likely to get to for a while. But it is something I could see us eventually building out.

In the meantime, if you want a workaround, the Dependabot secrets can be rotated via an API. So you could script the rotation on your desired frequency... for example, if Dependabot runs weekly, you can script the token to rotate the day before with a 24 hour expiration, so it expires right after Dependabot runs. There's even a community-maintained GitHub Action for it.
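The rotation workaround described above, as an added example that is not part of this thread or of dependabot-core: it computes when to mint a short-lived credential so that it expires shortly after the next weekly Dependabot run, then writes it to the repository's Dependabot secret through the public GitHub REST endpoints (`GET .../dependabot/secrets/public-key`, `PUT .../dependabot/secrets/{name}`). It assumes a token with permission to write Dependabot secrets, a weekly schedule expressed in UTC, PyNaCl for the sealed-box encryption GitHub requires, and that the registry credential itself has already been obtained from the cloud provider.

```python
import base64
import json
import urllib.request
from datetime import datetime, timedelta, timezone

API = "https://api.github.com"  # assumption: github.com, not GHES


def mint_time(next_run: datetime, token_ttl: timedelta,
              slack: timedelta = timedelta(hours=1)) -> datetime:
    """When to mint a credential with lifetime `token_ttl` so it is still valid
    at `next_run` but expires only `slack` afterwards. With a 24h TTL and a
    Monday 03:00 UTC run this returns Sunday 04:00 UTC."""
    if token_ttl <= slack:
        raise ValueError("credential lifetime must exceed the post-run slack")
    return next_run + slack - token_ttl


def next_weekly_run(now: datetime, weekday: int, hour: int) -> datetime:
    """Next occurrence of a weekly schedule (weekday 0 = Monday) at `hour` UTC."""
    candidate = now.replace(hour=hour, minute=0, second=0, microsecond=0)
    candidate += timedelta(days=(weekday - candidate.weekday()) % 7)
    if candidate <= now:  # today's slot already passed
        candidate += timedelta(days=7)
    return candidate


def _api(method: str, path: str, token: str, body=None):
    req = urllib.request.Request(
        API + path, method=method,
        data=json.dumps(body).encode() if body else None,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")  # PUT returns an empty body


def encrypt_secret(public_key_b64: str, value: str) -> str:
    """Seal `value` to the repo's Dependabot public key (libsodium sealed box),
    which is the encoding GitHub expects in `encrypted_value`."""
    from nacl import encoding, public  # PyNaCl; needed only for the upload
    pk = public.PublicKey(public_key_b64.encode(), encoding.Base64Encoder())
    return base64.b64encode(public.SealedBox(pk).encrypt(value.encode())).decode()


def rotate_dependabot_secret(owner: str, repo: str, name: str,
                             value: str, token: str) -> None:
    """Overwrite Dependabot secret `name` on owner/repo with the fresh `value`."""
    key = _api("GET", f"/repos/{owner}/{repo}/dependabot/secrets/public-key", token)
    _api("PUT", f"/repos/{owner}/{repo}/dependabot/secrets/{name}", token,
         {"encrypted_value": encrypt_secret(key["key"], value),
          "key_id": key["key_id"]})
```

Schedule the script at `mint_time(...)` (for example from a cron or a scheduled workflow) so the credential the secret holds is never valid for much longer than Dependabot needs it.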

ppennanen commented 1 year ago

Thank you for the feedback and workaround!

joelbyford commented 8 months ago

+1 on this issue.

larhauga commented 3 weeks ago

@jeffwidman are there any plans to implement this? As dependabot is transitioning to running on actions workflows, a new possibility could be to allow for custom extra workflow steps that could enable custom authentication. The GitHub OIDC could then be used in a custom step to gain access to temporary roles, while exporting the tokens to dependabot.