URL: https://github.blog/changelog/2026-02-03-dependabot-now-supports-oidc-authentication/

Dependabot now supports OIDC authentication - GitHub Changelog


Dependabot can now use OpenID Connect (OIDC) to authenticate with private registries, eliminating the need to store long-lived credentials as repository secrets.

What’s new

With OIDC-based authentication, Dependabot update jobs can dynamically obtain short-lived credentials from your cloud identity provider, just like GitHub Actions workflows using OIDC federation.

Supported registries

  • AWS CodeArtifact
  • Azure DevOps Artifacts
  • JFrog Artifactory

Benefits

  • Enhanced security: Eliminates static, long-lived credentials from your repositories. Short-lived, dynamically generated tokens reduce operational overhead and attack surface.
  • Simpler management: Enables secure, policy-compliant access to private registries.
  • Avoid rate limiting: Dynamic credentials help you avoid hitting rate limits associated with static tokens.

Getting started

To enable OIDC authentication for your private registry, update your dependabot.yml configuration to use the new OIDC authentication type for supported registries. See our documentation on private registry configuration for setup instructions and examples.
