Getting Dependabot to Play Nice with Private GitHub Packages

Posted on 24/09/30 in GitHub, How-To Guides, DevOps, Automation

Tags: dependabot, github-actions, private-packages, maven, java, dependency-management, devops, automation

Alright, here’s a situation you might be familiar with: You’ve got a bunch of private packages in GitHub and you want Dependabot to keep an eye on them, but the dang thing only wants to work with public registries out of the box. Super annoying, right?

In my last post, I walked through publishing a jar to a private repo. That’s great and all, but what’s the point if our other projects can’t automatically get notified when there’s an update?

After a bit of digging (and more than a few failed attempts), I figured out you can actually make this work pretty easily.

Here’s the magic sauce - just drop this into your .github/dependabot.yml file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
version: 2

registries:
  maven-github:
    type: maven-repository
    url: https://maven.pkg.github.com/ORG_NAME/*
    username: ${{secrets.REPO_USER}}
    password: ${{secrets.REPO_KEY}}

updates:
- package-ecosystem: "maven" # See documentation for possible values
  directory: "/" # Location of package manifests
  registries:
  - maven-github
  schedule:
    interval: "daily"

The trick is using that wildcard asterisk in the URL - /ORG_NAME/* - which tells Dependabot to search through all repositories in your organization. I spent way too long trying to figure that out.

Once that’s set up, Dependabot will use its built-in secrets to access your private packages. No need to do anything fancy with token management.

And that’s it! Your Dependabot will now run daily checks against both your private repos and Maven Central. Every morning, you’ll get nice little PRs for any outdated dependencies - even the ones from your private packages.

Honestly, I was expecting this to be way more complicated, but sometimes GitHub actually makes things simple.