Hey,
I was experimenting recently with using GitHub Package Registry for my Java (Maven/Gradle) dependencies. I couldn't make Dependabot see those releases though. Do you have any hints on how I should set it up? It looks like GitHub Package Registry ignores maven-metadata.xml - even though deployment says it has been uploaded successfully.
I would be grateful for some sort of step-by-step guide / example on how to use Dependabot Java (Gradle) with packages stored on GitHub Package Registry.
Thanks!
I think I have the same issue here: https://github.com/oliverfernandez/marfeel-core/issues/1
Dependabot says I should provide authentication details, but I'm not using private repositories in my project.
In my case, I'm using GitHub Package Registry for JavaScript dependencies.
I found my problem!
I assume that since GitHub Package Registry is still in beta, it is not publicly available. So in order for Dependabot to see packages from GitHub Package Registry, I had to add a Config variable to my Dependabot app.
In my case, I had to create a new Config variable of type Javascript registry, and put npm.pkg.github.com there as the Registry.
@artzag is it possible that you need to do something similar, but in your case create a Config variable of type Maven repository?
@oliverfernandez I was just in the middle of writing this commit that will improve the error message in this case. Glad you were able to figure it out without that!
@artzag I'll take a look into your case now.
Ideally we wouldn't require you to enter a config variable for GPR, but that will be a slightly bigger change on our side.
@artzag can you tag Dependabot in an issue / PR where this is a problem?
Hi,
@oliverfernandez - thanks for the hints! I was experimenting with the config variable as well and I don't think there is a permissions/visibility issue.
It looks like GitHub Package Registry is using some other way to index uploaded Java (Maven/Gradle) artifact versions. I mean - other than by using the maven-metadata.xml file. Or at least - it doesn't expose it where Dependabot is expecting it. Thus - Java (Maven/Gradle) dependencies stored in GitHub Package Registry are not visible to Dependabot.
@artzag if there isn't an issue or PR you can tag @dependabot in then an email to [email protected] with the full name of the repo would work, too. :octocat:
@greysteil - sorry - I didn't get your previous comment ;) Done!