Dependabot with Internal Registries and Multiple Reviewers
Managing Dependencies with Private Registries
Dependabot is a powerful tool for keeping your dependencies up to date, but configuring it to work with internal registries requires some setup. This becomes especially important when you’re working with private packages across different ecosystems like Composer, npm, and GitHub Actions.
The Challenge
When your project depends on private packages hosted in internal registries or private GitHub repositories, Dependabot needs proper authentication to access them. Additionally, the reviewers key in dependabot.yml only requests reviews; it cannot require that several people approve a Dependabot PR, and GitHub has deprecated it in favour of CODEOWNERS. Both problems are solved below.
Configuring Dependabot with Internal Registries
Here’s a complete configuration that handles Composer, GitHub Actions, and npm with private registries:
version: 2
registries:
  private-composer:
    type: git
    url: https://github.com
    username: x-access-token
    password: ${{secrets.GH_TOKEN}}
  private-github-actions:
    type: git
    url: https://github.com
    username: x-access-token
    password: ${{secrets.GH_TOKEN}}
  npm-github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.GH_TOKEN}}
updates:
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "monthly"
    registries:
      - private-composer
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    registries:
      - private-github-actions
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "monthly"
    registries:
      - npm-github
Registry Configuration Explained
Each registry type requires specific configuration:
For Git-based registries (Composer packages resolved from private GitHub repositories, and actions that live in private repositories):
- type: git
- username: x-access-token (the username GitHub expects when a token is sent as the password)
- password: reference to the Dependabot secret that holds the token
The two git entries above are identical; a single entry can be referenced from both the composer and github-actions update blocks. For private Composer packages served from a Packagist-style repository rather than a Git repository, use type: composer-repository with that repository's URL instead. For actions in private repositories of the same organization, the organization setting that grants Dependabot access to private repositories is an alternative that needs no token at all.
For npm registries:
- type: npm-registry
- url: your npm registry URL (https://npm.pkg.github.com for GitHub Packages)
- token: reference to the Dependabot secret; no username is needed
Setting Up GitHub Token
Create a Personal Access Token (PAT) for Dependabot to use:
- Go to GitHub Settings > Developer settings > Personal access tokens
- Generate a token with only the scopes Dependabot needs:
- repo (to clone private repositories referenced by Composer and GitHub Actions)
- read:packages (to download from GitHub Packages)
- Do not add write:packages: Dependabot only reads packages, and a write-capable token stored as a Dependabot secret widens the damage if it leaks
- At the time of writing GitHub Packages accepts only classic PATs, so the token for npm.pkg.github.com must be a classic token; for the git registries a fine-grained token limited to the repositories Dependabot needs also works
- Add the token as a Dependabot secret
Adding Secrets to Dependabot
For individual repositories:
- Go to Repository Settings > Secrets and variables > Dependabot
- Click “New repository secret”
- Name: GH_TOKEN
- Add your token value
For organization/team-wide access:
- Go to Organization Settings > Secrets and variables > Dependabot
- Click “New organization secret”
- Name: GH_TOKEN
- Add your token value
- Select repository access:
- All repositories (if all need private registry access)
- Selected repositories (choose specific repos)
This allows you to manage a single token across multiple repositories, making it easier to rotate credentials and maintain consistent access to internal registries. Note that Dependabot secrets are a separate store from Actions secrets: a token added under Secrets and variables > Actions is not visible to Dependabot, and the ${{secrets.GH_TOKEN}} reference in dependabot.yml resolves only against the Dependabot store.
The Multiple Reviewers Problem
The reviewers key in dependabot.yml accepts a list of users and teams, but it only requests reviews from them: nothing stops the PR from being merged with no approval, or with an approval from someone who is not on the list. GitHub has also announced that the key is deprecated in favour of CODEOWNERS.
# Requests reviews only; nothing here forces anyone to approve
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "monthly"
    reviewers:
      - "username"
Solution: Use CODEOWNERS
Instead of relying on Dependabot's reviewers key, use GitHub's CODEOWNERS file for review assignments. Create a file at .github/CODEOWNERS. Two rules matter when writing it: the last matching pattern wins, so a catch-all line must come first rather than last; and teams are written as @org/team-name and must have write access to the repository (replace your-org with your organization):
# Default owners; listed first so the specific patterns below override it
*                         @your-org/tech-leads
# Changes to the Dependabot configuration itself
/.github/dependabot.yml   @your-org/team-leads @your-org/security-team
# Manifests and lock files touched by Dependabot PRs
package.json              @your-org/frontend-team @your-org/tech-leads
package-lock.json         @your-org/frontend-team @your-org/tech-leads
composer.json             @your-org/backend-team @your-org/tech-leads
composer.lock             @your-org/backend-team @your-org/tech-leads
/.github/workflows/       @your-org/devops-team @your-org/tech-leads
CODEOWNERS Benefits
Using CODEOWNERS provides several advantages:
- Multiple reviewers automatically assigned
- Team-based assignments
- Pattern matching for different file types
- Works with branch protection rules
- Consistent across all PRs, not just Dependabot
Branch Protection Integration
Combine CODEOWNERS with branch protection rules:
# Repository Settings > Branches > Branch protection rules
- Require pull request reviews before merging
- Require review from Code Owners
- Require approvals: 2
"Require review from Code Owners" demands one approval from an owner of each changed file; where a CODEOWNERS line lists two teams, an approval from a member of either team satisfies it. The approval count then forces a second reviewer on top. Together they ensure Dependabot PRs get proper review coverage without relying on the reviewers key in dependabot.yml, which only requests reviews and enforces nothing.
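To see how those two rules (last matching line wins, and code-owner review is satisfied by any one listed owner) play out on the files a Dependabot PR actually touches, here is an added example; it is not code from the article or from GitHub. It implements a simplified subset of CODEOWNERS pattern matching in Python, uses placeholder team names (@your-org/...) and a constructed team membership table, and models the two branch protection settings above. The first CODEOWNERS text puts the catch-all last, a common mistake; the second puts it first and also covers lock files.

```python
import re
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, List[str]]


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Simplified CODEOWNERS pattern: a leading '/' or an inner slash anchors at
    the repo root, a bare name matches at any depth, '*' stays inside one path
    segment, '**' crosses segments, and a pattern naming a directory owns its contents."""
    body = pattern.rstrip("/")
    anchored = pattern.startswith("/") or "/" in body
    body = body.lstrip("/")
    parts: List[str] = []
    i = 0
    while i < len(body):
        if body.startswith("**", i):
            parts.append(".*")
            i += 2
        elif body[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif body[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(body[i]))
            i += 1
    prefix = "^" if anchored else r"(?:^|.*/)"
    return re.compile(prefix + "".join(parts) + r"(?:/.*)?$")


def parse_codeowners(text: str) -> List[Rule]:
    """Return (pattern, owners) pairs in file order, dropping comments and blanks."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules


def owners_for(path: str, rules: List[Rule]) -> List[str]:
    """GitHub uses the LAST matching line, so later lines override earlier ones."""
    owners: List[str] = []
    for pattern, rule_owners in rules:
        if _pattern_to_regex(pattern).match(path):
            owners = rule_owners
    return owners


# Constructed CODEOWNERS contents; @your-org/... are placeholder team names.
# Catch-all last: it matches every file and, being last, overrides every specific line.
CATCH_ALL_LAST = """\
package.json        @your-org/frontend-team @your-org/tech-leads
composer.json       @your-org/backend-team  @your-org/tech-leads
.github/workflows/  @your-org/devops-team   @your-org/tech-leads
*                   @your-org/tech-leads
"""

# Catch-all first, plus the lock files Dependabot also edits.
CATCH_ALL_FIRST = """\
*                   @your-org/tech-leads
package.json        @your-org/frontend-team @your-org/tech-leads
package-lock.json   @your-org/frontend-team @your-org/tech-leads
composer.json       @your-org/backend-team  @your-org/tech-leads
composer.lock       @your-org/backend-team  @your-org/tech-leads
.github/workflows/  @your-org/devops-team   @your-org/tech-leads
"""

# Files a Dependabot PR touches for the three ecosystems on the page.
DEPENDABOT_PR_FILES = ["package.json", "package-lock.json",
                       "composer.json", "composer.lock", ".github/workflows/ci.yml"]

# Constructed team membership; on GitHub this comes from the organization's teams.
TEAM_MEMBERS: Dict[str, Set[str]] = {
    "@your-org/frontend-team": {"alice"},
    "@your-org/backend-team": {"bob"},
    "@your-org/devops-team": {"carol"},
    "@your-org/tech-leads": {"dave", "erin"},
}


def _approved_by_owner(owner: str, approvers: Set[str]) -> bool:
    # An owner entry is a team (@org/team) or a single user (@user).
    return bool(TEAM_MEMBERS.get(owner, {owner.lstrip("@")}) & approvers)


def check_branch_protection(changed: List[str], rules: List[Rule],
                            approvers: Set[str], required: int = 2) -> List[str]:
    """Model 'Require approvals: N' plus 'Require review from Code Owners':
    each changed file needs an approval from ANY one of its owners.
    Returns the unmet conditions; an empty list means the PR may merge."""
    problems: List[str] = []
    if len(approvers) < required:
        problems.append(f"{len(approvers)} approval(s) given, {required} required")
    for path in changed:
        owners = owners_for(path, rules)
        if owners and not any(_approved_by_owner(o, approvers) for o in owners):
            problems.append(f"{path}: no approval from any code owner in {owners}")
    return problems


if __name__ == "__main__":
    for label, text in (("catch-all last", CATCH_ALL_LAST), ("catch-all first", CATCH_ALL_FIRST)):
        rules = parse_codeowners(text)
        print(f"--- {label}")
        for path in DEPENDABOT_PR_FILES:
            print(f"  {path:26} -> {owners_for(path, rules)}")
        print("  alice+bob approve:",
              check_branch_protection(DEPENDABOT_PR_FILES, rules, {"alice", "bob"}) or "OK")
```

With the catch-all last, every file resolves to @your-org/tech-leads alone and approvals from the frontend and backend owners count for nothing; with it first, the same two approvals leave only the workflow file unowned-approved, which is exactly the gap the devops team line exists to cover.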
Complete Example with Best Practices
version: 2
registries:
  private-composer:
    type: git
    url: https://github.com
    username: x-access-token
    password: ${{secrets.GH_TOKEN}}
  private-github-actions:
    type: git
    url: https://github.com
    username: x-access-token
    password: ${{secrets.GH_TOKEN}}
  npm-github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.GH_TOKEN}}
updates:
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "monthly"   # runs on the first day of the month; "day" is only valid with "weekly"
      time: "09:00"
    registries:
      - private-composer
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "composer"
    commit-message:
      prefix: "chore(deps)"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
      time: "09:00"
    registries:
      - private-github-actions
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "github-actions"
    commit-message:
      prefix: "chore(ci)"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "monthly"
      time: "09:00"
    registries:
      - npm-github
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "npm"
    commit-message:
      prefix: "chore(deps)"
    ignore:
      - dependency-name: "*"   # every dependency
        update-types: ["version-update:semver-patch"]
Key Configuration Options
- schedule: controls when Dependabot runs; monthly keeps noise down, but non-security updates can then lag by up to a month (security updates are triggered by alerts, not by this schedule). day is only valid with interval: weekly.
- open-pull-requests-limit: caps simultaneous PRs per update block (the default is 5)
- labels: organize and filter dependency PRs
- commit-message: consistent commit prefixes for changelog generation
- ignore: the rule above skips patch-level updates for every dependency (dependency-name: "*"). Ignore rules also apply to Dependabot security updates, so check that a fix shipped as a patch release is not silently skipped before adopting a blanket rule like this.
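The option mistakes above are easy to commit without noticing, because Dependabot only reports configuration errors after the file lands. As an added example, not part of the article, here is a small Python linter for the parsed form of dependabot.yml that catches them first: a credential written as a literal instead of a ${{secrets.NAME}} reference, an update block referencing a registry that is not defined, a registry nobody references, a day set on a non-weekly schedule, and a missing open-pull-requests-limit. The two configurations inside are constructed: one mirrors the layout on this page with day added under a monthly schedule, the other deliberately contains the other mistakes. In real use you would feed it the result of yaml.safe_load on your file.

```python
import copy
import re
from typing import Any, Dict, List

# A credential in a registry entry must be a reference to a Dependabot secret.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
CREDENTIAL_KEYS = ("token", "password", "key")


def lint_dependabot(config: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the config passed."""
    findings: List[str] = []
    if config.get("version") != 2:
        findings.append("version must be 2")
    registries: Dict[str, Dict[str, Any]] = config.get("registries") or {}
    for name, reg in registries.items():
        for key in CREDENTIAL_KEYS:
            value = reg.get(key)
            if value is not None and not SECRET_REF.match(str(value)):
                findings.append(f"registry {name}: {key} is a literal, use ${{{{secrets.NAME}}}}")
    referenced: set = set()
    for upd in config.get("updates") or []:
        eco = upd.get("package-ecosystem", "?")
        regs = upd.get("registries") or []
        if regs == "*":                      # "*" means every defined registry
            regs = list(registries)
        for r in regs:
            referenced.add(r)
            if r not in registries:
                findings.append(f"{eco}: references undefined registry {r}")
        sched = upd.get("schedule") or {}
        if "day" in sched and sched.get("interval") != "weekly":
            findings.append(f"{eco}: schedule.day only applies to interval weekly")
        if "open-pull-requests-limit" not in upd:
            findings.append(f"{eco}: set open-pull-requests-limit explicitly")
        for ign in upd.get("ignore") or []:
            if ign.get("dependency-name") == "*" and not ign.get("update-types"):
                findings.append(f"{eco}: ignore '*' without update-types stops all updates")
    for name in registries:
        if name not in referenced:
            findings.append(f"registry {name} is defined but never referenced")
    return findings


def drop_invalid_day(config: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy with schedule.day removed from non-weekly update blocks."""
    fixed = copy.deepcopy(config)
    for upd in fixed.get("updates") or []:
        sched = upd.get("schedule") or {}
        if sched.get("interval") != "weekly":
            sched.pop("day", None)
    return fixed


def _git_registry() -> Dict[str, str]:
    return {"type": "git", "url": "https://github.com",
            "username": "x-access-token", "password": "${{secrets.GH_TOKEN}}"}


# Constructed: the layout used on this page, with "day" added under a monthly
# schedule so the linter has something to find.
CONFIG: Dict[str, Any] = {
    "version": 2,
    "registries": {
        "private-composer": _git_registry(),
        "private-github-actions": _git_registry(),
        "npm-github": {"type": "npm-registry", "url": "https://npm.pkg.github.com",
                       "token": "${{secrets.GH_TOKEN}}"},
    },
    "updates": [
        {"package-ecosystem": eco, "directory": "/",
         "schedule": {"interval": "monthly", "day": "monday", "time": "09:00"},
         "registries": [reg], "open-pull-requests-limit": 5}
        for eco, reg in (("composer", "private-composer"),
                         ("github-actions", "private-github-actions"),
                         ("npm", "npm-github"))
    ],
}

# Constructed: a literal token, an undefined registry reference, no PR limit.
LEAKY_CONFIG: Dict[str, Any] = {
    "version": 2,
    "registries": {"npm-github": {"type": "npm-registry",
                                  "url": "https://npm.pkg.github.com",
                                  "token": "hard-coded-token-value"}},
    "updates": [{"package-ecosystem": "npm", "directory": "/",
                 "schedule": {"interval": "weekly", "day": "monday"},
                 "registries": ["npm-private"]}],
}

if __name__ == "__main__":
    for label, cfg in (("page layout", CONFIG),
                       ("page layout, day removed", drop_invalid_day(CONFIG)),
                       ("leaky", LEAKY_CONFIG)):
        print(f"{label}: {lint_dependabot(cfg) or 'clean'}")
```

The literal-credential check is the one worth wiring into CI: a token pasted directly into dependabot.yml is committed to history and readable by everyone with repository access, whereas a ${{secrets.GH_TOKEN}} reference only ever resolves inside Dependabot.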
Security Considerations
- Use a token with the minimum scopes: a fine-grained PAT restricted to the repositories Dependabot must read wherever the registry accepts it; at the time of writing GitHub Packages (npm.pkg.github.com) only accepts classic PATs, and that token needs only read:packages
- Rotate tokens regularly; an organization-level Dependabot secret makes rotation a single update
- Use GitHub Apps for better security and audit trails where the registry supports them; note that App installation tokens expire after an hour, so they only fit a Dependabot secret if something rotates it automatically
- Monitor Dependabot alerts in the Security tab
- Enable Dependabot security updates separately from version updates; they run when an alert is raised, not on the monthly schedule
Keep pushing forward and savor every step of your coding journey.
