Dependabot now supports OIDC authentication

Published: February 3, 2026, 12:09 PM EST

Source: GitHub Changelog

What’s new

Dependabot can now use OpenID Connect (OIDC) to authenticate with private registries, eliminating the need to store long‑lived credentials as repository secrets.

With OIDC‑based authentication, Dependabot update jobs can dynamically obtain short‑lived credentials from your cloud identity provider, just like GitHub Actions workflows using OIDC federation.
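The security value of that federation comes from the relying party's checks, not from the token itself: the cloud identity provider verifies the token's signature against the issuer's published keys and then applies a trust policy to the claims (issuer, audience, expiry and subject) before it mints credentials, so only the intended repository can exchange its token. The following is an added example of that claim-level trust check, not GitHub's or Dependabot's code. It assumes the issuer URL, audience value and `repo:org/name:...` subject format that GitHub Actions tokens use; the page does not state which claims a Dependabot-issued token carries, so confirm them against the documentation. Signature verification (RS256 against the issuer's JWKS) is assumed to have already happened and is out of scope here.

```python
"""Trust-policy evaluation over OIDC token claims, as a cloud identity
provider applies it before minting short-lived credentials.

Added example, not GitHub's or Dependabot's code. The signature check
against the issuer's JWKS is assumed done; this covers the claim
conditions that decide WHICH repository may exchange its token.
"""
import base64
import json
import time
from fnmatch import fnmatchcase

# Assumption: the issuer GitHub uses for Actions OIDC tokens. Whether a
# Dependabot-issued token uses the same issuer/subject format is not
# stated on the page; confirm against the docs before relying on it.
ISSUER = "https://token.actions.githubusercontent.com"

# Trust policy for an identity allowed to pull from a private registry.
# Modeled on iss/aud/sub conditions in an AWS IAM web-identity trust
# policy; StringLike-style wildcards are matched with fnmatch below.
TRUST_POLICY = {
    "issuer": ISSUER,
    "audience": "sts.amazonaws.com",
    "subject_patterns": ["repo:example-org/payments-service:*"],
    "max_lifetime_seconds": 3600,  # refuse tokens minted with a long expiry
}


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims):
    """Build a compact JWT with an empty signature (constructed test input)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token):
    """Split a compact JWT and return its payload claims (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_trust(claims, policy, now=None):
    """Return (allowed, reason) for the token claims under the trust policy."""
    now = int(time.time()) if now is None else now

    if claims.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"

    # aud may be a string or a list in a JWT; normalise before checking.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if policy["audience"] not in aud:
        return False, "audience mismatch"

    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return False, "missing exp/iat"
    if exp <= now:
        return False, "token expired"
    if exp - iat > policy["max_lifetime_seconds"]:
        return False, "token lifetime exceeds policy"
    if claims.get("nbf", 0) > now:
        return False, "token not yet valid"

    # The subject is what scopes trust to one repository (or branch/env).
    sub = claims.get("sub", "")
    if not any(fnmatchcase(sub, p) for p in policy["subject_patterns"]):
        return False, f"subject {sub!r} not trusted"

    return True, "ok"


def demo():
    """Run three constructed tokens through the policy; returns result per case."""
    now = 1_770_000_000  # fixed clock so the results are reproducible
    base = {"iss": ISSUER, "aud": "sts.amazonaws.com", "iat": now - 60, "exp": now + 240}
    trusted = "repo:example-org/payments-service:ref:refs/heads/main"
    cases = {
        # The repository the policy was written for: allowed.
        "trusted_repo": {**base, "sub": trusted},
        # A different repo in the same org with an otherwise valid token: denied.
        "other_repo": {**base, "sub": "repo:example-org/marketing-site:ref:refs/heads/main"},
        # Right repo, but a token captured earlier that has since expired: denied.
        "expired": {**base, "sub": trusted, "iat": now - 7200, "exp": now - 3600},
    }
    return {name: evaluate_trust(decode_claims(make_unsigned_token(c)), TRUST_POLICY, now)
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:13s} allowed={allowed!s:5s} {reason}")
```

The `expired` case is the property the changelog is pointing at: a token that leaks from an update job is only useful until `exp`, whereas a leaked static registry credential stays valid until someone notices and rotates it. Keep the subject pattern as narrow as the registry needs; a pattern such as `repo:example-org/*` would let every repository in the organization obtain the same credentials.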

Supported registries

  • AWS CodeArtifact
  • Azure DevOps Artifacts
  • JFrog Artifactory

Benefits

  • Enhanced security: Eliminates static, long‑lived credentials from your repositories. A short‑lived, dynamically issued token is only usable until it expires and leaves no secret to rotate, which reduces both operational overhead and attack surface.
  • Simpler management: Enables secure, policy‑compliant access to private registries.
  • Avoid rate limiting: Dynamic credentials help you avoid hitting rate limits associated with static tokens.

Getting started

To enable OIDC authentication for your private registry, update your dependabot.yml configuration to use the new OIDC authentication type for supported registries. See our documentation on private registry configuration for setup instructions and examples.

# dependabot.yml
version: 2
# Registries are declared at the top level and referenced by name from
# each update entry; the type must match the ecosystem (here npm-registry).
registries:
  my-registry:
    type: npm-registry
    url: https://my.private.registry
    # Additional OIDC configuration as described in the docs
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: weekly
    registries:
      - my-registry
