How to configure Dependabot for a private monorepo using multiple private package registries (GPR/npm) and CodeQL analysis? #177564
Topic area: Question

Hi Security team,

I'm trying to lock down our security posture for a large, complex monorepo, and I'm facing a very difficult configuration problem.

Our Setup:

The Problem:

- dependabot.yml to authenticate against both GPR (using GITHUB_TOKEN) and the external private npm registry (using a secret) simultaneously? The documentation seems to show one or the other, not both in the same config for a single monorepo.
- autobuild step because it can't resolve the private packages.

This combination of Dependabot + CodeQL + Monorepo + Multiple Private Registries is proving extremely difficult. What is the best-practice dependabot.yml and codeql-analysis.yml configuration for this specific, complex scenario?

Thanks!

Replies: 3 comments

I second this
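The question asks how a single dependabot.yml can authenticate against GitHub Packages and an external private npm registry at the same time. The following is an added example (not posted in the discussion) of the documented shape for that: a top-level `registries` map that declares each registry once, and per-directory `updates` entries that name which registries each package may use. The secret names `GPR_READ_TOKEN` and `PRIVATE_NPM_TOKEN`, the registry hostname `registry.example.internal`, and the package directories are placeholders.

```yaml
# .github/dependabot.yml (added example, not from the discussion)
version: 2

registries:
  # GitHub Packages npm registry. Dependabot reads credentials from the
  # repository's Dependabot secrets (a separate store from Actions secrets),
  # so GPR_READ_TOKEN (placeholder name) must be created there as a token
  # with read:packages scope.
  github-packages:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{ secrets.GPR_READ_TOKEN }}

  # External private npm registry; hostname and secret name are placeholders.
  private-npm:
    type: npm-registry
    url: https://registry.example.internal
    token: ${{ secrets.PRIVATE_NPM_TOKEN }}

updates:
  # One entry per package directory in the monorepo. Each entry lists the
  # registries it is allowed to reach, so a package that only needs the
  # external registry never receives the GitHub Packages credential.
  - package-ecosystem: "npm"
    directory: "/packages/api"
    schedule:
      interval: "weekly"
    registries:
      - github-packages
      - private-npm

  - package-ecosystem: "npm"
    directory: "/packages/web"
    schedule:
      interval: "weekly"
    registries:
      - private-npm

  # "*" grants an entry access to every registry declared above.
  - package-ecosystem: "npm"
    directory: "/tools/build"
    schedule:
      interval: "weekly"
    registries: "*"
```

Two caveats worth checking in practice: scope-to-registry mappings (for example `@myorg:registry=https://npm.pkg.github.com`) belong in the checked-in .npmrc with no `_authToken` lines, since Dependabot and npm both read that file for routing and tokens must never be committed; and an `updates` entry only sees the registries it names, so a private package that fails to resolve for Dependabot usually means the entry for that directory is missing the right registry.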
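The second half of the question is the CodeQL job failing because its build cannot resolve the private packages. Below is an added example (not from the discussion) of a codeql-analysis.yml that gives the job the same two registries: the job-level `env` exposes `GITHUB_TOKEN` (with `packages: read`) and a placeholder `PRIVATE_NPM_TOKEN` secret, a user-level .npmrc points each registry host at the matching variable, and an explicit `npm ci` replaces the autobuild step so the install runs with those credentials. The registry hostname, secret name, Node version and branch names are assumptions.

```yaml
# .github/workflows/codeql-analysis.yml (added example, not from the discussion)
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  packages: read          # lets GITHUB_TOKEN read packages this repo can access
  security-events: write  # required to upload CodeQL results

jobs:
  analyze:
    runs-on: ubuntu-latest
    env:
      # Job-level so both the .npmrc step and npm ci see the same values.
      GPR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      PRIVATE_NPM_TOKEN: ${{ secrets.PRIVATE_NPM_TOKEN }}  # placeholder secret
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # Write per-host auth to the runner's user .npmrc, not the repo's.
      # The quoted heredoc keeps ${...} literal; npm expands those from the
      # environment at install time, so no token is ever written to disk
      # in clear text or committed.
      - name: Configure registry auth
        run: |
          cat >> "$HOME/.npmrc" <<'EOF'
          //npm.pkg.github.com/:_authToken=${GPR_TOKEN}
          //registry.example.internal/:_authToken=${PRIVATE_NPM_TOKEN}
          EOF

      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript

      # Explicit install in place of codeql-action/autobuild, so dependency
      # resolution runs with the credentials configured above.
      - name: Install dependencies
        run: npm ci

      - uses: github/codeql-action/analyze@v3
```

Note that `GITHUB_TOKEN` only reads packages the workflow's repository has been granted access to; packages published from other repositories in the organisation need that repository added to the package's access settings, or a dedicated read-only token stored as a secret in the same way as `PRIVATE_NPM_TOKEN`.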