About configuring Dependabot to only access private registries
Dependabot은(는) 기본적으로 퍼블릭 레지스트리에 액세스할 수 있으며, 프라이빗 레지스트리에 액세스하도록 Dependabot을(를) 구성할 수 있습니다. For more information about private registry support and configuration, see Dependabot에 대한 개인 레지스트리 액세스 구성. 비공개 레지스트리를 구성할 때 참고할 권장 사항과 조언, 사용 가능한 옵션에 대한 심층적인 내용은 "Dependabot의 개인 레지스트리 구성에 대한 지침"을(를) 참조하세요.
개인 레지스트리 및 내부 네트워크 리소스에 대한 Dependabot의 액세스를 보다 효과적으로 제어하려면 Dependabot이(가) GitHub Actions 자체 호스트형 실행기에서 실행되도록 구성할 수 있습니다. 자세한 내용은 "GitHub Actions 실행기의 Dependabot 정보" 및 "Managing Dependabot on self-hosted runners"을(를) 참조하세요.
You can configure Dependabot to access only private registries by removing calls to public registries. This can only be configured for the ecosystems listed in this article.
Bundler
To configure the Bundler ecosystem to only access private registries, you can set replaces-base
as true
in the dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
The Bundler ecosystem additionally requires a Gemfile
file with the private registry URL to be checked into the repository.
# Example Gemfile source "https://private_registry_url"
# Example Gemfile
source "https://private_registry_url"
Docker
To configure the Docker ecosystem to only access private registries, you can use these configuration methods.
Option 1
Define the private registry configuration in a dependabot.yml
file without replaces-base
. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Note
Remove replaces-base: true
from the configuration file.
version: 2 registries: azuretestregistry: # Define access for a private registry type: docker-registry url: firewallregistrydep.azurecr.io username: firewallregistrydep password: ${{ secrets.AZUREHUB_PASSWORD }}
version: 2
registries:
azuretestregistry: # Define access for a private registry
type: docker-registry
url: firewallregistrydep.azurecr.io
username: firewallregistrydep
password: ${{ secrets.AZUREHUB_PASSWORD }}
In the Dockerfile
file, add the image name in the format of IMAGE[:TAG]
, where IMAGE
consists of your username and the name of the repository.
FROM firewallregistrydep.azurecr.io/myreg/ubuntu:22.04
FROM firewallregistrydep.azurecr.io/myreg/ubuntu:22.04
Option 2
Set replaces-base
as true
in the dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성. The registry configured with the replaces-base
can be used as a mirror or a pull through cache. For further details, see Registry as a pull through cache in the Docker documentation.
Gradle
To configure the Gradle ecosystem to only access private registries, you can use these configuration methods.
Define the private registry configuration in a dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Note
Remove replaces-base: true from the configuration file.
Additionally, you also need to specify the private registry URL in the repositories
section of the build.gradle
file.
# Example build.gradle file
repositories {
maven {
url "https://private_registry_url"
}
}
Maven
To configure the Maven ecosystem to only access private registries, you can use these configuration methods.
Option 1
Set replaces-base
as true
in the dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Option 2
Use only the private registry URL in the pom.xml
file.
<project>
...
<repositories>
<repository>
<id>central</id>
<name>your custom repo</name>
<url>https://private_registry_url</url>
</repository>
...
</project>
Node
npm
To configure the npm ecosystem to only access private registries, you can use these configuration methods.
Option 1
Define the private registry configuration in a dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Note
Remove replaces-base: true
from the configuration file.
The npm ecosystem additionally requires a .npmrc
file with the private registry URL to be checked into the repository.
registry=https://private_registry_url
registry=https://private_registry_url
Option 2
If there is no global registry defined in an .npmrc
file, you can set replaces-base
as true
in the dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Note
For scoped dependencies (@my-org/my-dep
), Dependabot requires that the private registry is defined in the project's .npmrc
file. To define private registries for individual scopes, use @myscope:registry=https://private_registry_url
.
Yarn
Yarn Classic and Yarn Berry private registries are both supported by Dependabot, but Dependabot requires a different configuration for each ecosystem to access only private registries.
Yarn Classic
To configure the Yarn Classic ecosystem to only access private registries, you can use these configuration methods.
Option 1
Define the private registry configuration in a dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Note
Delete replaces-base: true
from the configuration file.
To ensure the private registry is listed as the dependency source in the project's yarn.lock
file, run yarn install
on a machine with private registry access. Yarn should update the resolved
field to include the private registry URL.
encoding@^0.1.11: version "0.1.13" resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9" integrity sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A== dependencies: iconv-lite "^0.6.2"
encoding@^0.1.11:
version "0.1.13"
resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9"
integrity sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==
dependencies:
iconv-lite "^0.6.2"
Option 2
If the yarn.lock
file doesn't list the private registry as the dependency source, you can set up Yarn Classic according to the normal package manager instructions:
-
Define the private registry configuration in a
dependabot.yml
file -
Add the registry to a
.yarnrc
file in the project root with the key registry. Alternatively runyarn config set registry <private registry URL>
.YAML registry https://private_registry_url
registry https://private_registry_url
Option 3
If there is no global registry defined in a .yarnrc
file, you can set replaces-base
as true
in the dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Note
For scoped dependencies (@my-org/my-dep
), Dependabot requires that the private registry is defined in the project's .npmrc
file. To define private registries for individual scopes, use @myscope:registry=https://private_registry_url
.
Yarn Berry
To configure the Yarn Berry ecosystem to only access private registries, you can use these configuration methods.
Option 1
Define the private registry configuration in a dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Note
Delete replaces-base: true
from the configuration file.
To ensure the private registry is listed as the dependency source in the project's yarn.lock
file, run yarn install
on a machine with private registry access. Yarn should update the resolved
field to include the private registry URL.
encoding@^0.1.11: version "0.1.13" resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9" integrity sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A== dependencies: iconv-lite "^0.6.2"
encoding@^0.1.11:
version "0.1.13"
resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9"
integrity sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==
dependencies:
iconv-lite "^0.6.2"
Option 2
If the yarn.lock
file doesn't list the private registry as the dependency source, you can set up Yarn Berry according to the normal package manager instructions:
- Define the private registry configuration in a
dependabot.yml
file - Add the registry to a
.yarnrc.yml
file in the project root with the keynpmRegistryServer
. Alternatively runyarn config set npmRegistryServer <private registry URL>
.npmRegistryServer: "https://private_registry_url"
Note
For scoped dependencies (@my-org/my-dep
), Dependabot requires that the private registry is defined in the project's .yarnrc
file. To define private registries for individual scopes, use "@myscope:registry" "https://private_registry_url"
.
NuGet
To allow the NuGet ecosystem to only access private registries, you can configure the dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
The NuGet ecosystem additionally requires a nuget.config
file to be checked into the repository, with either a < clear />
tag in <packageSources>
section or a key nuget.org
as true in the disabledPackageSources
section of the nuget.config
file.
This is an example of a < clear />
tag in the packageSources
section of the nuget.config
.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
< clear />
<add key="example-nuget" value="https://private_registry_url/nuget/example-nuget/index.json" />
</packageSources>
</configuration>
This is an example of adding key nuget.org
as true to the disabledPackageSources
section of the nuget.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
<add key="example-nuget" value="https://private_registry_url/nuget/example-nuget/index.json" />
</packageSources>
<disabledPackageSources>
<add key="nuget.org" value="true" />
</disabledPackageSources>
</configuration>
To configure Dependabot to access both private and public feeds, view the following dependabot.yml
example which includes the configured public
feed under registries
:
version: 2 registries: nuget-example: type: nuget-feed url: https://nuget.example.com/v3/index.json username: $ password: $ public: type: nuget-feed url: https://api.nuget.org/v3/index.json updates: - package-ecosystem: nuget directory: "/" registries: "*" schedule: interval: daily
version: 2
registries:
nuget-example:
type: nuget-feed
url: https://nuget.example.com/v3/index.json
username: $
password: $
public:
type: nuget-feed
url: https://api.nuget.org/v3/index.json
updates:
- package-ecosystem: nuget
directory: "/"
registries: "*"
schedule:
interval: daily
Python
Pip, Pip-compile, Pipenv, and Poetry are the four package managers that the Python ecosystem currently supports.
Pip
To configure the Pip ecosystem to only access private registries, you can use these configuration methods.
Option 1
Define the private registry configuration in a dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Note
Delete replaces-base: true
from the configuration file.
Add the private registry URL to the [global]
section of the pip.conf
file and check the file into the repository.
[global] timeout = 60 index-url = https://private_registry_url
[global]
timeout = 60
index-url = https://private_registry_url
Option 2
Set replaces-base
as true
in the dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Pip-compile
To configure the Pip-compile ecosystem to only access private registries, you can use these configuration methods.
Option 1
Set replaces-base
as true
in the dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Option 2
Define the private registry configuration in a dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Note
Delete replaces-base: true
from the configuration file.
Add the private registry URL to the requirements.txt
file and check the file into the repository.
--index-url https://private_registry_url
--index-url https://private_registry_url
Pipenv
To configure Pipenv to only access private registries, remove replaces-base
from the dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Note
Delete replaces-base: true
from the configuration file.
Add the private registry URL to the [[source]]
section of the Pipfile
file and check the file into the repository.
[[source]] url = "https://private_registry_url" verify_ssl = true name = "pypi"
[[source]]
url = "https://private_registry_url"
verify_ssl = true
name = "pypi"
Poetry
To configure Poetry to only access private registries, set replaces-base
as true
in the dependabot.yml
file. For more information, see Dependabot에 대한 개인 레지스트리 액세스 구성.
Add the private registry url to the [[tool.poetry.source]]
section of the pyproject.toml
file and checked it in the repository.
[[tool.poetry.source]] name = "private" url = "https://private_registry_url" default = true
[[tool.poetry.source]]
name = "private"
url = "https://private_registry_url"
default = true