Dependabot, private docker repo and token authentication #153034
max-allan asked this question in Code Security (Unanswered)
Replies: 1 comment
Dependabot currently only supports authentication via HTTP Basic Auth for OCI registries. In other words, if you want to use a token for authentication, you must supply it as the password (with an appropriate username) rather than as a bearer token. The YAML schema for dependabot.yml requires a username and password, so providing a “token” field isn’t accepted. The documentation reference to token auth is outdated, and with the current registry spec (which excludes dedicated auth fields) Dependabot does not support bearer token authentication directly.
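As an added illustration of the reply above (this configuration is not from the discussion or from GitHub's documentation), here is a dependabot.yml that supplies a registry token the only way the reply says Dependabot accepts it: as the password of a docker-registry entry, stored as a repository secret. The registry URL, the placeholder username, the secret name and the docker ecosystem block are all assumptions chosen for the example; the username a given registry expects for token logins depends on that registry.

```yaml
# Added example, not part of the original discussion.
# Assumed: registry at registry.example.com, a repository secret named
# REGISTRY_TOKEN holding the token, and a placeholder username.
version: 2

registries:
  private-oci:
    type: docker-registry
    url: https://registry.example.com
    # Per the reply above, a "token:" key is rejected by the dependabot.yml
    # schema; the token goes in "password" instead, so it is sent as the
    # password half of HTTP Basic Auth, not as a Bearer header.
    username: token-user            # placeholder; use what the registry expects
    password: ${{ secrets.REGISTRY_TOKEN }}

updates:
  - package-ecosystem: "docker"
    directory: "/"
    registries:
      - private-oci
    schedule:
      interval: "weekly"
```

The token is never written into the file itself; it is referenced through a Dependabot secret, which keeps it out of the repository history while still letting Dependabot present it as Basic Auth credentials to the registry.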
Topic area: Question
Here:
https://docs.github.com/en/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot#notes-1
It says Dependabot can work with any OCI repo using username/password or token. However the yaml lint for the dependabot.yaml requires username/password and complains token is an extra field.
What manner of token auth IS supported? The link to token auth takes you to a deprecated features page.
The registry spec now says auth is excluded from the spec.
https://github.com/openshift/docker-distribution/blob/a249725264376ca603a454a5d2466dc41394692d/docs/spec/api.md?plain=1#L50
Is there a method to supply a bearer token?