Update docs about permissions required for managing dependabot-related secrets
Why:
Historically, it was already possible to manage secrets via the REST API with Write permissions, even though the GitHub web interface did not provide a UI for it at the time. Recently, the web UI has also been updated to allow secret management directly. (As of October 16, 2025, it appears that the current UI has an issue where, if there are no Dependabot secrets yet, the link to the page for adding them is not displayed. However, it is still possible to access and manage Dependabot secrets by directly entering the page’s URL.)
According to the following documentation, users with Write permission can now manage repository secrets:
This update to the documentation appears to have been made in the following pull request:
Based on these facts, the current explanation stating that Owner or Admin permissions are required is no longer accurate. I’d like to propose updating the description to reflect the actual behavior — namely, that Write permissions are sufficient to manage Dependabot-related secrets.
I verified this behavior in an organization repository where I have Write permission. I haven’t tested it in a personal repository, so there’s a chance my understanding might not be entirely accurate in that case. Reviewers are likely more familiar with the details here, so I’d appreciate it if you could double-check whether write permission is also sufficient for personal repositories.
What's being changed (if available, include any code snippets, screenshots, or gifs):
I’ve updated the description, which previously stated that Owner or Admin permissions were required to create secrets, to now indicate that Write permission is sufficient.
Check off the following:
- [ ] A subject matter expert (SME) has reviewed the technical accuracy of the content in this PR. In most cases, the author can be the SME. Open source contributions may require an SME review from GitHub staff.
- [ ] The changes in this PR meet the docs fundamentals that are required for all content.
- [ ] All CI checks are passing and the changes look good in the review environment.
Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
How to review these changes 👓
Thank you for your contribution. To review these changes, choose one of the following options:
A Hubber will need to deploy your changes internally to review.
Table of review links
Note: Please update the URL for your staging server or codespace.
The table shows the files in the content directory that were changed in this pull request. This helps you review your changes on a staging server. Changes to the data directory are not included in this table.
| Source | Review | Production | What Changed |
|---|---|---|---|
| code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md | fpt ghec ghes@ 3.18 3.17 3.16 3.15 3.14 | fpt ghec ghes@ 3.18 3.17 3.16 3.15 3.14 | from reusable |
Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server
🤖 This comment is automatically generated.
@r7kamura Thanks for opening a PR! I'm reasonably sure this change is correct, but I'll check with the Dependabot team to make sure!
Edit: Sorry, I didn't mean Dependabot. It's getting late here. I don't remember which team we were working with on this, but it's definitely on my project board somewhere.
A stale label has been added to this pull request because it has been open 30 days with no activity. If you think this pull request should remain open, please add a new comment.