Removing Dependabot access to public registries

Examples of how you can configure Dependabot to only access private registries by removing calls to public registries.

谁可以使用此功能?

具有写入访问权限的用户

本文内容

About configuring Dependabot to only access private registries

默认情况下,Dependabot 可访问公共注册表,你可将 Dependabot 配置为还访问专用注册表。 For more information about private registry support and configuration, see 为 Dependabot 配置对专用注册表的访问权限. 有关可用选项的详细信息,以及配置专用注册表时的建议,请参阅“针对 Dependabot 的专用注册表配置指南”。

要更好地控制 Dependabot 对私人注册表和内部网络资源的访问,可将 Dependabot 配置为在 GitHub Actions 自托管运行器上运行。 有关详细信息,请参阅“关于 GitHub Actions 运行器上的 Dependabot”和“Managing Dependabot on self-hosted runners”。

You can configure Dependabot to access only private registries by removing calls to public registries. This can only be configured for the ecosystems listed in this article.

Bundler

To configure the Bundler ecosystem to only access private registries, you can set replaces-base as true in the dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

The Bundler ecosystem additionally requires a Gemfile file with the private registry URL to be checked into the repository.

YAML
# Example Gemfile

 source "https://private_registry_url"

Docker

To configure the Docker ecosystem to only access private registries, you can use these configuration methods.

Option 1

Define the private registry configuration in a dependabot.yml file without replaces-base. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Note

Remove replaces-base: true from the configuration file.

YAML
version: 2
registries:
  azuretestregistry: # Define access for a private registry
    type: docker-registry
    url: firewallregistrydep.azurecr.io
    username: firewallregistrydep
    password: ${{ secrets.AZUREHUB_PASSWORD }}

In the Dockerfile file, add the image name in the format of IMAGE[:TAG], where IMAGE consists of your username and the name of the repository.

YAML
 FROM firewallregistrydep.azurecr.io/myreg/ubuntu:22.04

Option 2

Set replaces-base as true in the dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限. The registry configured with the replaces-base can be used as a mirror or a pull through cache. For further details, see Registry as a pull through cache in the Docker documentation.

Gradle

To configure the Gradle ecosystem to only access private registries, you can use these configuration methods.

Define the private registry configuration in a dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Note

Remove replaces-base: true from the configuration file.

Additionally, you also need to specify the private registry URL in the repositories section of the build.gradle file.

# Example build.gradle file

repositories {
    maven {
        url "https://private_registry_url"
    }
}

Maven

To configure the Maven ecosystem to only access private registries, you can use these configuration methods.

Option 1

Set replaces-base as true in the dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Option 2

Use only the private registry URL in the pom.xml file.

<project>
...
 <repositories>
  <repository>
    <id>central</id>
    <name>your custom repo</name>
    <url>https://private_registry_url</url>
 </repository>
...
</project>

Node

npm

To configure the npm ecosystem to only access private registries, you can use these configuration methods.

Option 1

Define the private registry configuration in a dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Note

Remove replaces-base: true from the configuration file.

The npm ecosystem additionally requires a .npmrc file with the private registry URL to be checked into the repository.

YAML
 registry=https://private_registry_url

Option 2

If there is no global registry defined in an .npmrc file, you can set replaces-base as true in the dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Note

For scoped dependencies (@my-org/my-dep), Dependabot requires that the private registry is defined in the project's .npmrc file. To define private registries for individual scopes, use @myscope:registry=https://private_registry_url.

Yarn

Yarn Classic and Yarn Berry private registries are both supported by Dependabot, but Dependabot requires a different configuration for each ecosystem to access only private registries.

Yarn Classic

To configure the Yarn Classic ecosystem to only access private registries, you can use these configuration methods.

Option 1

Define the private registry configuration in a dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Note

Delete replaces-base: true from the configuration file.

To ensure the private registry is listed as the dependency source in the project's yarn.lock file, run yarn install on a machine with private registry access. Yarn should update the resolved field to include the private registry URL.

YAML
encoding@^0.1.11:
  version "0.1.13"
  resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9"
  integrity sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==
  dependencies:
    iconv-lite "^0.6.2"

Option 2

If the yarn.lock file doesn't list the private registry as the dependency source, you can set up Yarn Classic according to the normal package manager instructions:

  1. Define the private registry configuration in a dependabot.yml file

  2. Add the registry to a .yarnrc file in the project root with the key registry. Alternatively run yarn config set registry <private registry URL>.

    YAML
    registry https://private_registry_url

Option 3

If there is no global registry defined in a .yarnrc file, you can set replaces-base as true in the dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Note

For scoped dependencies (@my-org/my-dep), Dependabot requires that the private registry is defined in the project's .npmrc file. To define private registries for individual scopes, use @myscope:registry=https://private_registry_url.

Yarn Berry

To configure the Yarn Berry ecosystem to only access private registries, you can use these configuration methods.

Option 1

Define the private registry configuration in a dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Note

Delete replaces-base: true from the configuration file.

To ensure the private registry is listed as the dependency source in the project's yarn.lock file, run yarn install on a machine with private registry access. Yarn should update the resolved field to include the private registry URL.

YAML
encoding@^0.1.11:
  version "0.1.13"
  resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9"
  integrity sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==
  dependencies:
    iconv-lite "^0.6.2"

Option 2

If the yarn.lock file doesn't list the private registry as the dependency source, you can set up Yarn Berry according to the normal package manager instructions:

  1. Define the private registry configuration in a dependabot.yml file
  2. Add the registry to a .yarnrc.yml file in the project root with the key npmRegistryServer. Alternatively run yarn config set npmRegistryServer <private registry URL>. npmRegistryServer: "https://private_registry_url"

Note

For scoped dependencies (@my-org/my-dep), Dependabot requires that the private registry is defined in the project's .yarnrc file. To define private registries for individual scopes, use "@myscope:registry" "https://private_registry_url".

NuGet

To allow the NuGet ecosystem to only access private registries, you can configure the dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

The NuGet ecosystem additionally requires a nuget.config file to be checked into the repository, with either a < clear /> tag in <packageSources> section or a key nuget.org as true in the disabledPackageSources section of the nuget.config file.

This is an example of a < clear /> tag in the packageSources section of the nuget.config.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
 <packageSources>
   < clear />
   <add key="example-nuget" value="https://private_registry_url/nuget/example-nuget/index.json" />
 </packageSources>
</configuration>

This is an example of adding key nuget.org as true to the disabledPackageSources section of the nuget.config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="example-nuget" value="https://private_registry_url/nuget/example-nuget/index.json" />
  </packageSources>
  <disabledPackageSources>
    <add key="nuget.org" value="true" />
  </disabledPackageSources>
</configuration>

To configure Dependabot to access both private and public feeds, view the following dependabot.yml example which includes the configured public feed under registries:

YAML
version: 2
registries:
  nuget-example:
    type: nuget-feed
    url: https://nuget.example.com/v3/index.json
    username: $
    password: $
  public:
    type: nuget-feed
    url: https://api.nuget.org/v3/index.json
updates:
  - package-ecosystem: nuget
    directory: "/"
    registries: "*"
    schedule:
      interval: daily

Python

Pip, Pip-compile, Pipenv, and Poetry are the four package managers that the Python ecosystem currently supports.

Pip

To configure the Pip ecosystem to only access private registries, you can use these configuration methods.

Option 1

Define the private registry configuration in a dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Note

Delete replaces-base: true from the configuration file.

Add the private registry URL to the [global] section of the pip.conf file and check the file into the repository.

YAML
[global]
timeout = 60
index-url = https://private_registry_url

Option 2

Set replaces-base as true in the dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Pip-compile

To configure the Pip-compile ecosystem to only access private registries, you can use these configuration methods.

Option 1

Set replaces-base as true in the dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Option 2

Define the private registry configuration in a dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Note

Delete replaces-base: true from the configuration file.

Add the private registry URL to the requirements.txt file and check the file into the repository.

YAML
--index-url https://private_registry_url

Pipenv

To configure Pipenv to only access private registries, remove replaces-base from the dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Note

Delete replaces-base: true from the configuration file.

Add the private registry URL to the [[source]] section of the Pipfile file and check the file into the repository.

YAML
[[source]]
url = "https://private_registry_url"
verify_ssl = true
name = "pypi"

Poetry

To configure Poetry to only access private registries, set replaces-base as true in the dependabot.yml file. For more information, see 为 Dependabot 配置对专用注册表的访问权限.

Add the private registry url to the [[tool.poetry.source]] section of the pyproject.toml file and checked it in the repository.

YAML
[[tool.poetry.source]]
name = "private"
url = "https://private_registry_url"
default = true