I have a repository within a corporate GitHub organization that uses Dependabot to keep its GitHub Actions dependencies up-to-date, including reusable workflows:
```yaml
- package-ecosystem: 'github-actions'
  directory: '/'
  schedule:
    interval: 'weekly'
    day: 'wednesday'
  target-branch: 'main'
  rebase-strategy: 'auto'
  commit-message:
    prefix: 'chore'
    include: 'scope'
  open-pull-requests-limit: 10
  groups:
    dotnet:
      patterns:
        - '*' # Prefer a single PR per solution update.
```
The problem is that Dependabot fails, because it cannot access repositories within the same organization to check for updates:
```text
Error:
Dependabot failed to update your dependencies The following git
repository was unreachable and caused the update to fail:
register-change-management-event-action. Dependabot can’t update dependency files that reference private git
repositories owned by other accounts. Please consider using a git
registry.
```
How can I allow Dependabot to access my organization’s repositories? I prefer not to use a PAT, as the repository is shared.
Note: Workflows can access GitHub Packages without issues
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries
This is an organization-level setting, where you explicitly define all the internal/private repositories Dependabot has access to. See the docs: Granting Dependabot access to private repositories
The setting lives under Settings > Code security > Global settings > Grant Dependabot access to private repositories, URL https://github.com/organizations/YOURORG/settings/security_analysis