Dependabot adds OIDC authentication support for private registries
GitHub Dependabot · feature · security · api · github.blog

OIDC Authentication Now Available

Dependabot can now use OpenID Connect (OIDC) to authenticate with private registries, eliminating the security risks associated with storing long-lived credentials as repository secrets. This authentication method mirrors GitHub Actions' existing OIDC federation approach, allowing Dependabot update jobs to dynamically obtain short-lived credentials from your cloud identity provider.

Supported Registries

The following private registries now support OIDC-based authentication:

  • AWS CodeArtifact
  • Azure DevOps Artifacts
  • JFrog Artifactory

Key Benefits

Enhanced Security: Removes static, long-lived credentials from repositories. Short-lived, dynamically generated tokens significantly reduce the operational overhead and attack surface.

Simplified Management: Enables secure, policy-compliant access to private registries without manual credential rotation.

Rate Limiting Relief: Dynamic credentials help teams avoid hitting rate limits that are often associated with static tokens.

Getting Started

To enable OIDC authentication, update your dependabot.yml configuration to use the new OIDC authentication type for your supported registry. Refer to the GitHub documentation on configuring access to private registries for Dependabot for detailed setup instructions and configuration examples.
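What makes this flow safe is the trust policy on the cloud side: before it hands Dependabot short-lived registry credentials, the identity provider must check the token's issuer, audience, lifetime and subject, and the subject condition is what stops every repository on GitHub from assuming the same role. The following is an added illustration of those checks, not code from GitHub or Dependabot; the issuer URL, audience value and `repo:owner/name:...` subject format are assumptions modelled on GitHub Actions federation, and signature verification against the issuer's JWKS is assumed to have happened already.

```python
import fnmatch
import time

# Issuer GitHub Actions federation uses; assumed here to apply to Dependabot jobs too.
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"


def lint_trust_policy(policy):
    """Flag trust policies that would let any repository obtain registry credentials."""
    problems = []
    if policy.get("issuer") != GITHUB_OIDC_ISSUER:
        problems.append("issuer is not GitHub's OIDC issuer")
    if not policy.get("audiences"):
        problems.append("no audience restriction")
    if any(p.strip() in ("", "*", "repo:*") for p in policy.get("subjects", [])):
        problems.append("subject pattern accepts every repository")
    return problems


def evaluate_trust(claims, policy, now=None):
    """Decide whether signature-verified OIDC claims satisfy the trust policy.

    Returns (allowed, reason); the subject patterns use shell-style globs, the
    same idea as the StringLike condition in an AWS IAM trust policy.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in policy["audiences"] for a in audiences):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("nbf", 0) > now:
        return False, "token not yet valid"
    subject = claims.get("sub", "")
    if not any(fnmatch.fnmatchcase(subject, pat) for pat in policy["subjects"]):
        return False, "subject not allowed"
    return True, "ok"


# Constructed sample policy and token claims (placeholders, not real identifiers).
POLICY = {"issuer": GITHUB_OIDC_ISSUER, "audiences": ["sts.amazonaws.com"],
          "subjects": ["repo:example-org/example-repo:*"]}
CLAIMS = {"iss": GITHUB_OIDC_ISSUER, "aud": "sts.amazonaws.com",
          "sub": "repo:example-org/example-repo:ref:refs/heads/main",
          "nbf": 1_000_000_000, "exp": 2_000_000_000}
```

Run `evaluate_trust(CLAIMS, POLICY)` to see the allow decision, and `lint_trust_policy` on a policy with a `*` subject to see why an unscoped condition defeats the point of replacing static secrets.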