dependabot private organization hex example?

Has anyone used the GitHub Actions hosted Dependabot beta for private hex repositories? We would love Dependabot to notify application owners in our org when another team updates their libraries.

Unfortunately, I am getting 403s every time Dependabot attempts to check our private hex.

From the logs, Dependabot is showing the following:

  proxy | 2020/07/13 16:25:22 403 https://repo.hex.pm:443/repos/us/packages/ourpackage

The relevant portions of our .github/dependabot.yml are:

version: 2
updates:
  # Keep mix dependencies up to date
  - package-ecosystem: "mix"
    directory: "/"
    schedule:
      interval: "weekly"
    assignees:
      - "OURORG/ourteam"
    labels:
      - "dependabot-update"
    rebase-strategy: "disabled"

I’m running into the same issue. I can see that there is support for private hex repos, but since Dependabot moved to GitHub, it’s unclear what I need to do to grant it access.

Did you end up figuring this issue out, @bjornrud?

Private hex repos used to work before Dependabot moved to GitHub. Now it appears they have added private access for a variety of package managers, but not Elixir :frowning_face:

I poked Bruce Williams on Twitter, maybe he knows who can help!

Excellent. I hopped onto the Twitter thread!

An update from @bruce

I chatted with the PM (:wave: @asciimike), and I understand that the team is making progress on addressing the current limitations for Elixir (and some other ecosystems/pkg managers like bundler and pip).

The effort is tracked here (https://bit.ly/3pEANuQ), and I’m hopeful we’ll see some level of private repo support restored soon.

Tweet: https://twitter.com/wbruce/status/1364004498667040769?s=20
Roadmap: Dependabot version updates: support for private registries (Cloud Beta) · Issue #67 · github/roadmap · GitHub

TL;DR: Private registries are currently not available for Dependabot with Elixir, but are scheduled on the roadmap.