Note: Dependabot security and version updates are currently in private beta and subject to change. Please contact your account management team for instructions on enabling Dependabot updates.
About encrypted secrets for Dependabot
Dependabot secrets are encrypted credentials that you create at either the organization level or the repository level. When you add a secret at the organization level, you can specify which repositories can access the secret. You can use secrets to allow Dependabot to update dependencies located in private package registries. When you add a secret it's encrypted before it reaches GitHub and it remains encrypted until it's used by Dependabot to access a private package registry.
After you add a Dependabot secret, you can reference it in the dependabot.yml configuration file like this: ${{secrets.NAME}}
, where "NAME" is the name you chose for the secret. For example:
password: ${{secrets.MY_ARTIFACTORY_PASSWORD}}
For more information, see "Configuration options for the dependabot.yml file."
Naming your secrets
The name of a Dependabot secret:
- Can only contain alphanumeric characters (
[A-Z]
,[0-9]
) or underscores (_
). Spaces are not allowed. If you enter lowercase letters these are changed to uppercase. - Must not start with the
GITHUB_
prefix. - Must not start with a number.
Adding a repository secret for Dependabot
To create secrets for a personal account repository, you must be the repository owner. To create secrets for an organization repository, you must have admin
access.
-
On your GitHub Enterprise Server instance, navigate to the main page of the repository.
-
Under your repository name, click Settings.
-
In the sidebar, click Dependabot.
-
Click New repository secret.
-
Type a name for your secret in the Name input box.
-
Enter the value for your secret.
-
Click Add secret.
The name of the secret is listed on the Dependabot secrets page. You can click Update to change the secret value. You can click Remove to delete the secret.
Adding an organization secret for Dependabot
When creating a secret in an organization, you can use a policy to limit which repositories can access that secret. For example, you can grant access to all repositories, or limit access to only private repositories or a specified list of repositories.
To create secrets at the organization level, you must have admin
access.
-
On your GitHub Enterprise Server instance, navigate to the main page of the organization.
-
Under your organization name, click Settings.
-
In the sidebar, click Dependabot.
-
Click New organization secret.
-
Type a name for your secret in the Name input box.
-
Enter the Value for your secret.
-
From the Repository access dropdown list, choose an access policy.
-
If you chose Selected repositories:
- Click .
- Choose the repositories that can access this secret.
- Click Update selection.
-
Click Add secret.
The name of the secret is listed on the Dependabot secrets page. You can click Update to change the secret value or its access policy. You can click Remove to delete the secret.
Adding Dependabot to your registries IP allow list
If your private registry is configured with an IP allow list, you can find the IP addresses Dependabot uses to access the registry in the meta API endpoint, under the dependabot
key. For more information, see "Meta."