dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot access to Azure Artifacts via managed identity #8208

Open ansereb opened 10 months ago

ansereb commented 10 months ago

Is there an existing issue for this?

Feature description

Hi!

The current documentation suggests defining a Personal Access Token from Azure DevOps in dependabot.yml in order for Dependabot to be able to work with private Azure registries.

However, Microsoft recommends and provides secretless access to Azure resources with the help of managed identities and federated credentials. There is a GitHub Action for workflows to gain access to an ephemeral token of a managed identity.

Is there any way to run this action from dependabot.yml, or a similar approach for Dependabot to gain access to an ephemeral token of a managed identity? It would be a good feature to move away from expiring and user-related PATs.

mijpeterson commented 2 months ago

I really want to heavily +1 this feature request. I've spent some time looking at running a custom version of dependabot through dependabot-script with the hope of being able to feed in an ephemeral access token. But configuration for private artifact feed credentials seemed limited/non-existent.

Is anyone on the dependabot team able to provide insight?