Hazmi35
commented
10 months ago Hello, sorry for the bump.
Any updates regarding this issue?
I have a specific use case where I am using npm packages scoped with @organization (for example: @organization/package) and publishing them to GitHub Packages as a private package. I am then using these packages from another repository within the same organization. While GitHub Actions works perfectly using GITHUB_TOKEN, Dependabot does not have an equivalent token for this.
It is sad that it has been four years since Dependabot was acquired by GitHub, yet I do not feel that Dependabot is a native feature of GitHub. Although Dependabot is now much better than it used to be, I am considering switching back from Renovate to Dependabot. However, the absence of this feature is a bummer.
I am looking forward to seeing this feature added.
ahmadnassri
novascreen
Is there an existing issue for this?
Feature description
Similar issue, but not quite the same: https://github.com/dependabot/dependabot-core/issues/3646
At the moment our only option to use internal (or private) GitHub Packages with Dependabot is a Personal Access Token. This is very problematic and a lot of security departments will restrict the use of those as much as possible for good reason.
Fine-grained PATs don't have access to GitHub Packages yet, but are not a good solution either, because their expiry time is unsatisfying either way because we need to decide between lowering security (longer lifetime) or increasing maintenance burden (more frequent manual renewal of tokens).
As far as I can tell there are at least two ways this could be solved:
GITHUB_TOKEN. This would be preferable for our use case (internal packages)It would be nice to know if there is any chance of getting one of these any time soon. We would like to expand our usage of GitHub Packages, but won't be able to in the current state.