Dependabot gains automatic access to GitHub Packages registries
Dependabot can now access private GitHub Packages registries without requiring personal access tokens (PATs). This enhances security by leveraging the repository's existing Actions access grants, simplifying dependency management for supported ecosystems. To enable this, repository owners must grant Dependabot read access to the relevant packages via the package settings.
- →Dependabot automatically accesses private GitHub Packages registries
- →Leverage repository Actions access for package grants
- →Enable Dependabot GitHub Packages access
Features (1) ›
- Dependabot automatically accesses private GitHub Packages registries
Dependabot can now read from private GitHub Packages registries without a personal access token. It reuses existing grants from repository Actions access, simplifying the process for supported ecosystems.
Enhancements (1) ›
- Leverage repository Actions access for package grants
For any package granting read access to your repository via "Manage Actions access" settings, Dependabot will now automatically use that grant. This applies to all GitHub Packages ecosystems supported by Dependabot.
Maintenance (1) ›
- Enable Dependabot GitHub Packages access
To enable this feature, navigate to the package settings, select "Manage Actions access", and add the repository running Dependabot with read access. Existing PAT-based registry entries for these packages can be removed.
https://github.blog/changelog/2026-06-23-automatic-dependabot-access-to-github-hosted-registries