dependabot-core
Support internal GitHub Packages without PAT
Is there an existing issue for this?
- [X] I have searched the existing issues
Feature description
Similar issue, but not quite the same: https://github.com/dependabot/dependabot-core/issues/3646
At the moment our only option to use internal (or private) GitHub Packages with Dependabot is a Personal Access Token. This is very problematic and a lot of security departments will restrict the use of those as much as possible for good reason.
Fine-grained PATs don't have access to GitHub Packages yet, and they would not be a good solution either, because their expiry time is unsatisfactory either way: we need to decide between lowering security (longer lifetime) or increasing maintenance burden (more frequent manual renewal of tokens).
As far as I can tell there are at least two ways this could be solved:
- Provide Dependabot with the equivalent of the GHA workflow `GITHUB_TOKEN`. This would be preferable for our use case (internal packages).
- Add support for GitHub Packages to GitHub Apps so we can generate short-lived tokens and make them available to Dependabot. Not great, but it would work and could support private packages as well.
It would be nice to know if there is any chance of getting one of these any time soon. We would like to expand our usage of GitHub Packages, but won't be able to in the current state.