Managing encrypted secrets for Dependabot

You can store sensitive information, like passwords and access tokens, as encrypted secrets and then reference these in the Dependabot configuration file.

About encrypted secrets for Dependabot

Dependabot secrets are encrypted credentials that you create at either the organization level or the repository level. When you add a secret at the organization level, you can specify which repositories can access the secret. You can use secrets to allow Dependabot to update dependencies located in private package registries. When you add a secret, it's encrypted before it reaches GitHub and it remains encrypted until it's used by Dependabot to access a private package registry.

After you add a Dependabot secret, you can reference it in the dependabot.yml configuration file like this: ${{secrets.NAME}}, where "NAME" is the name you chose for the secret. For example:

password: ${{secrets.MY_ARTIFACTORY_PASSWORD}}

For more information, see "Configuration options for dependency updates."

Naming your secrets

The name of a Dependabot secret:

  • Can only contain alphanumeric characters ([A-Z], [0-9]) or underscores (_). Spaces are not allowed. If you enter lowercase letters these are changed to uppercase.
  • Must not start with the GITHUB_ prefix.
  • Must not start with a number.
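
The reference syntax and naming rules above can be checked before a configuration change is merged. The following is an added example, not part of the original documentation: a line-based Python check that flags credential fields in dependabot.yml holding a literal value instead of a ${{secrets.NAME}} reference, and validates each referenced name against the rules listed here. The function names, the choice of password, token and key as the fields inspected, and the sample configuration are assumptions made for illustration.

```python
import re

# Reference syntax from the page: ${{secrets.NAME}}
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.([^\s}]+)\s*\}\}$")
# Assumption: these are the credential-bearing fields worth inspecting.
CRED_LINE = re.compile(r"^\s*(password|token|key)\s*:\s*(.*?)\s*$")

def check_secret_name(name):
    """Return the naming rules from the page that `name` violates."""
    name = name.upper()  # lowercase letters are changed to uppercase
    problems = []
    if not re.fullmatch(r"[A-Z0-9_]+", name):
        problems.append("only alphanumeric characters or underscores allowed")
    if name.startswith("GITHUB_"):
        problems.append("must not start with the GITHUB_ prefix")
    if name[:1].isdigit():
        problems.append("must not start with a number")
    return problems

def lint_dependabot(text):
    """Return (line_number, message) findings for credential fields."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CRED_LINE.match(line.split(" #", 1)[0])  # drop trailing comment
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip("\"'")
        ref = SECRET_REF.match(value)
        if ref is None:
            findings.append((lineno, field + ": literal value, reference a secret"))
            continue
        findings.extend((lineno, field + ": secret name " + p)
                        for p in check_secret_name(ref.group(1)))
    return findings

# Constructed sample configuration fragment (not from the page).
SAMPLE = """\
registries:
  good:
    password: ${{secrets.MY_ARTIFACTORY_PASSWORD}}
  bad-literal:
    token: "constructed-plaintext-value"
  bad-name:
    password: ${{secrets.GITHUB_REGISTRY_PW}}
"""

if __name__ == "__main__":
    for lineno, msg in lint_dependabot(SAMPLE):
        print(f"line {lineno}: {msg}")
```
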

Adding a repository secret for Dependabot

To create secrets for a user account repository, you must be the repository owner. To create secrets for an organization repository, you must have admin access.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings.

  3. In the left sidebar, click Secrets.

  4. In the sidebar, click Dependabot.

  5. Click New repository secret.

  6. Type a name for your secret in the Name input box.

  7. Enter the value for your secret.

  8. Click Add secret.

    The name of the secret is listed on the Dependabot secrets page. You can click Update to change the secret value. You can click Remove to delete the secret.


Adding an organization secret for Dependabot

When creating a secret in an organization, you can use a policy to limit which repositories can access that secret. For example, you can grant access to all repositories, or limit access to only private repositories or a specified list of repositories.

To create secrets at the organization level, you must have admin access.

  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Settings.

  3. In the left sidebar, click Secrets.

  4. In the sidebar, click Dependabot.

  5. Click New organization secret.

  6. Type a name for your secret in the Name input box.

  7. Enter the Value for your secret.

  8. From the Repository access dropdown list, choose an access policy.

  9. If you chose Selected repositories:

    • Click .
    • Choose the repositories that can access this secret.
    • Click Update selection.
  10. Click Add secret.

    The name of the secret is listed on the Dependabot secrets page. You can click Update to change the secret value or its access policy. You can click Remove to delete the secret.


Adding Dependabot to your registries IP allow list

If your private registry is configured with an IP allow list, you can find the IP addresses Dependabot uses to access the registry in the meta API endpoint, under the dependabot key. For more information, see "Meta."
