I am trying -- and failing -- to get Dependabot Versions to scan a Java repository for stale Maven dependencies, where those dependencies are private packages hosted in GitHub Packages in the same organization.
I've confirmed that the packages exist, and that Maven can fetch the packages on my development machine.
However, I need to use Dependabot Versions to auto-open PRs when a shared dependency is updated. When Dependabot Versions runs to scan my project for updates, it gets 401 responses when it goes to check these packages for updates:
```text
2025/04/15 20:16:13 INFO <job_XXXXXXXXX> Checking all dependencies for version updates...
updater | 2025/04/15 20:16:13 INFO <job_XXXXXXXXX> Checking if com.myorg:my-dependency 9.3.0 needs updating
proxy | 2025/04/15 20:16:13 [012] GET https://maven.pkg.github.com:443/myorg/*/com.myorg/my-dependency/9.3.0/my-dependency-9.3.0.pom
proxy | 2025/04/15 20:16:13 [012] 401 https://maven.pkg.github.com:443/myorg/*/com.myorg/my-dependency/9.3.0/my-dependency-9.3.0.pom
proxy | 2025/04/15 20:16:13 [016] GET https://maven.pkg.github.com:443/myorg/*/com.myorg/my-dependency/maven-metadata.xml
proxy | 2025/04/15 20:16:13 [016] 401 https://maven.pkg.github.com:443/myorg/*/com.myorg/my-dependency/maven-metadata.xml
proxy | 2025/04/15 20:16:14 [018] GET https://maven.pkg.github.com:443/myorg/*/com.myorg/my-dependency
proxy | 2025/04/15 20:16:14 [018] 401 https://maven.pkg.github.com:443/myorg/*/com.myorg/my-dependency
updater | 2025/04/15 20:16:14 INFO <job_XXXXXXXXX> Latest version is
updater | 2025/04/15 20:16:14 INFO <job_XXXXXXXXX> Requirements to unlock update_not_possible
updater | 2025/04/15 20:16:14 INFO <job_XXXXXXXXX> Requirements update strategy
2025/04/15 20:16:14 INFO <job_XXXXXXXXX> No update possible for com.myorg:my-dependency 9.3.0
```
The artifacts are definitely there -- I've tested it by curl-ing them from the command line, using a valid PAT as a bearer token.
I've had these packages allowlisted for Dependabot, so Dependabot is supposed to be able to access them. At this point, I'm stuck.
Here's my dependabot.yml for the project I'm attempting to scan:
```yaml
---
version: 2
registries:
  github-packages:
    type: maven-repository
    url: https://maven.pkg.github.com/myorg/*
    replaces-base: true
updates:
  - package-ecosystem: maven
    directory: "/"
    registries:
      - github-packages
    schedule:
      interval: "daily"
      time: "09:00"
      timezone: "Europe/London"
    commit-message:
      prefix: "chore(parent pom update)"
    reviewers:
      - "myorg/myteam"
    assignees:
      - "myorg/myteam"
    allow:
      - dependency-name: com.myorg:my-dependency
    pull-request-branch-name:
      separator: "-"
    labels:
      - "monkey"
```
Furthermore, GitHub will not allow me to re-run the Dependabot job using debug logging -- it is expressly prohibited.
Has anybody else encountered this before, and know how to troubleshoot it?
It turns out that Dependabot has no special permissions to access private packages hosted within the GitHub organization and that a username and password have to be configured for GitHub Packages when publishing Maven packages that are to be checked with Dependabot.
In the GitHub documentation (Dependabot options reference: type and authentication details), repositories of type maven-repository may only take username and password. There is no provision for supplying a token, nor is there one implicitly made available.
Hence, my dependabot.yml:
```yaml
---
version: 2
registries:
  github-packages:
    type: maven-repository
    url: https://maven.pkg.github.com/myorg/*
    replaces-base: true
```
was changed to:
```yaml
---
version: 2
registries:
  github-packages:
    type: maven-repository
    url: https://maven.pkg.github.com/sainsburys-tech/*
    replaces-base: true
    username: myorg-user
    password: ${{ secrets.READ_PACKAGES_TOKEN }}
```
Dependabot was then able to see published Maven packages in GH Packages, and a PR was automatically opened as expected.
Our principal engineer, who helped me troubleshoot this, elaborated further:
GitHub Packages authentication is the unloved bastard child of GitHub's ecosystem. Fine-grained tokens went GA with it completely missing, and Dependabot languishes without first-class support for GitHub Packages!
Furthermore, the behaviour differs between Maven, npm and whatever other packaging ecosystem you are publishing private packages for, and each has to be configured on a case-by-case basis.
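A small pre-commit check for the configuration mistake described in the answer, written as an added example rather than anything from the question, the answer or Dependabot itself: it loads a dependabot.yml, finds every maven-repository registry that points at GitHub Packages, and reports registries that lack a username or password, or whose password is a literal token instead of a `${{ secrets.NAME }}` reference. The two embedded configs are constructed copies of the broken and corrected registry blocks above.

```ruby
require 'yaml'

# Constructed samples: the registry block from the question (no credentials)
# and the corrected block from the answer (username plus a secret reference).
BROKEN_REGISTRIES = <<~YAML
  version: 2
  registries:
    github-packages:
      type: maven-repository
      url: https://maven.pkg.github.com/myorg/*
      replaces-base: true
YAML

FIXED_REGISTRIES = <<~YAML
  version: 2
  registries:
    github-packages:
      type: maven-repository
      url: https://maven.pkg.github.com/myorg/*
      replaces-base: true
      username: myorg-user
      password: ${{ secrets.READ_PACKAGES_TOKEN }}
YAML

# A password must be an Actions-style secret reference, never a literal token.
SECRET_REF = /\A\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}\z/

# Returns an array of findings for every GitHub Packages Maven registry that
# Dependabot could not authenticate to; an empty array means the config passes.
def check_dependabot_registries(yaml_text)
  config = YAML.safe_load(yaml_text)
  findings = []
  Hash(config['registries']).each do |name, reg|
    next unless reg['type'] == 'maven-repository'
    next unless reg['url'].to_s.start_with?('https://maven.pkg.github.com/')
    findings << "#{name}: missing username (GitHub Packages answers 401)" unless reg['username']
    if reg['password'].nil?
      findings << "#{name}: missing password"
    elsif !reg['password'].to_s.match?(SECRET_REF)
      findings << "#{name}: password is a literal, use ${{ secrets.NAME }}"
    end
  end
  findings
end
```

Run it against the repository's .github/dependabot.yml (for example `check_dependabot_registries(File.read('.github/dependabot.yml'))`) and fail the build if the array is non-empty.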