
Support OIDC auth to cloud providers

Open ppennanen opened this issue 3 years ago • 6 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Feature description

It would be great to utilise GitHub OpenID Connect for dependabot, to avoid the need to store static credentials in GitHub secrets.

This is particularly important for the docker ecosystem, where it is common that private container images are stored in cloud provider container registries (e.g. ACR, ECR and GCR).

ppennanen, Feb 03 '23 13:02

This is a great idea!

Unfortunately, implementing that will take a bit of work, at least for the Dependabot service that GitHub runs, so not something we're likely to get to for a while. But it is something I could see us eventually building out.

In the meantime, if you want a workaround, the Dependabot secrets can be rotated via an API. So you could script the rotation on your desired frequency... for example, if Dependabot runs weekly, you can script the token to rotate the day before with a 24 hour expiration, so it expires right after Dependabot runs. There's even a community-maintained GitHub Action for it.

jeffwidman, Feb 08 '23 07:02
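As an added example of the rotation workaround described in the comment above (this is not code from the thread or from dependabot-core), the script below computes when a 24-hour registry credential has to be minted so that it is still valid during the next weekly Dependabot run and lapses shortly afterwards, seals the credential with the repository's Dependabot public key (the libsodium sealed box the API requires, via PyNaCl), and upserts it through the REST endpoints `GET .../dependabot/secrets/public-key` and `PUT .../dependabot/secrets/{name}`. The function names, the environment variable names, the secret name `REGISTRY_PASSWORD` and the one-hour slack are assumptions for the example; how the credential itself is minted (for instance by a cloud CLI inside a scheduled workflow that used OIDC) is left to the caller.

```python
"""Rotate a short-lived registry credential into a Dependabot secret ahead of a weekly run.

Added example (hypothetical helpers, not dependabot-core code). Assumes:
  * a weekly Dependabot schedule at a fixed UTC weekday and hour (from dependabot.yml)
  * the credential to store is minted elsewhere with a ~24h lifetime (e.g. by a cloud CLI)
  * PyNaCl is installed for the libsodium sealed box that GitHub's secrets API requires
"""
import base64
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def plan_rotation(now_iso, run_weekday, run_hour, ttl_hours=24, slack_hours=1):
    """Return ISO timestamps for the next run, when to mint the credential and when it
    expires, so the credential covers the run and dies `slack_hours` after it
    (the "rotate the day before with a 24h expiration" idea)."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    days_ahead = (WEEKDAYS.index(run_weekday.lower()) - now.weekday()) % 7
    next_run = (now + timedelta(days=days_ahead)).replace(
        hour=run_hour, minute=0, second=0, microsecond=0)
    if next_run <= now:  # today's slot already passed: target next week's run
        next_run += timedelta(days=7)
    mint_at = next_run - timedelta(hours=ttl_hours - slack_hours)
    expires_at = mint_at + timedelta(hours=ttl_hours)
    return {
        "next_run": next_run.isoformat(),
        "mint_at": mint_at.isoformat(),
        "expires_at": expires_at.isoformat(),
        "mint_now": mint_at <= now,  # already inside the window: rotate immediately
    }


def seal_for_dependabot(public_key_b64, secret):
    """Encrypt `secret` with a libsodium sealed box using the repo's Dependabot public
    key (as returned by the public-key endpoint); returns base64 ciphertext."""
    from nacl import encoding, public  # PyNaCl; imported lazily so planning runs without it
    pk = public.PublicKey(public_key_b64.encode("utf-8"), encoding.Base64Encoder())
    sealed = public.SealedBox(pk).encrypt(secret.encode("utf-8"))
    return base64.b64encode(sealed).decode("utf-8")


def _github(method, url, token, body=None):
    """Minimal GitHub REST call; PUT on a secret returns an empty body on success."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def put_dependabot_secret(owner, repo, name, value, token):
    """Fetch the repo's Dependabot public key, seal the value and create/update the secret."""
    base = f"https://api.github.com/repos/{owner}/{repo}/dependabot/secrets"
    key = _github("GET", f"{base}/public-key", token)
    _github("PUT", f"{base}/{name}", token, {
        "encrypted_value": seal_for_dependabot(key["key"], value),
        "key_id": key["key_id"],
    })


if __name__ == "__main__":
    # Intended to run from a daily scheduled job. Env var names are assumptions for this example;
    # REGISTRY_CREDENTIAL is the freshly minted ~24h credential, GH_TOKEN needs repo secrets write.
    plan = plan_rotation(datetime.now(timezone.utc).isoformat(),
                         os.environ.get("DEPENDABOT_DAY", "monday"),
                         int(os.environ.get("DEPENDABOT_HOUR", "6")))
    if plan["mint_now"]:
        put_dependabot_secret(os.environ["GH_OWNER"], os.environ["GH_REPO"],
                              "REGISTRY_PASSWORD", os.environ["REGISTRY_CREDENTIAL"],
                              os.environ["GH_TOKEN"])
    else:
        print("credential not due yet; mint at", plan["mint_at"], "expires", plan["expires_at"])
```

The planning step is what makes the workaround safer than a plain weekly rotation: the credential is written 23 hours before the run, so it is live during the run and is already dead an hour later, leaving only a one-day window in which a leaked Dependabot secret would still work.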

Thank you for the feedback and workaround!

ppennanen, Feb 08 '23 09:02

+1 on this issue.

joelbyford, Feb 06 '24 14:02

@jeffwidman are there any plans to implement this? As Dependabot is transitioning to running on Actions workflows, a new possibility could be to allow custom extra workflow steps that enable custom authentication. GitHub OIDC could then be used in a custom step to gain access to temporary roles, while exporting the tokens to Dependabot.

larhauga, Oct 01 '24 11:10

+1 on this, as it forces us to lower our security posture for our setup by using static credentials, or alternatively to implement more complex solutions to work around it.

jluque0101, Apr 04 '25 08:04

Also +1 on this. We use OIDC for our normal GitHub Actions at my company, but then having to embed auth credentials in Dependabot secrets to allow Dependabot to run properly makes the gains from having OIDC in the workflows a little moot. It would be amazing to have this all the way through.

OuranosSkia, Jun 16 '25 17:06

+1 for this. I think it's really worth it if you want to encourage Dependabot usage in an enterprise environment, where OIDC usage is kind of a must.

dchien234, Aug 02 '25 17:08