Using Dependabot with private Hex repository

Hi,

we’re running a private Hex repository which uses HTTP Basic authentication to verify users. The repository is a plain S3 bucket behind a CloudFront function which takes care of authentication. It works great, both via Mix as well as raw cURL calls.

Now I’m trying to get Dependabot working. I used the dependabot.yml example at Configuring Dependabot — Oban Pro v1.4.14 as an example and merely adjusted the repo name, URL, auth-key and public-key-fingerprint:

version: 2

registries:
  betterdoc-private-repo:
    type: hex-repository
    repo: betterdoc
    url: https://hexrepo.betterdoc.org
    auth-key: ${{ secrets.HEX_REPO_AUTH_KEY }}
    public-key-fingerprint: "SHA256:w9Qm2VfDiSbcN8dCUFPZqOP0HZfMqmnXAdUDBkkUkxk"

updates:
  - package-ecosystem: "mix"
    directory: "/"
    insecure-external-code-execution: "allow"
    registries:
      - betterdoc-private-repo
    schedule:
      interval: "daily"

Alas, Dependabot fails to authenticate when trying to fetch packages from the private repository. In the HTTP logs of the Hex repository I can see that all requests come with an empty authorization header (when instead it should be something like authorization: Basic ....). The GitHub secret for the auth-key value is set up correctly though.

I started digging through GitHub - dependabot/dependabot-core: 🤖 Dependabot's core logic for creating update PRs. to see if there’s something odd, but noticed nothing obviously problematic.

Maybe anyone here succeeded in setting up a private Hex repository and using it with Dependabot and has some thoughts on what I could try? Any ideas would be much appreciated. :hugs:
