Automatic Dependabot access to GitHub-hosted registries - GitHub Changelog

Dependabot can now read from private GitHub Packages registries without a personal access token. If a package has granted your repository access through “Manage Actions access” in the package settings,…

martedì 23 giugno 2026 New tab

160 words~1 min read

What’s new

Dependabot’s GITHUB_TOKEN can now request packages: read, and Dependabot jobs send that token when pulling from *.pkg.github.com and ghcr.io. Any package that has granted your repository access through “Manage Actions access” will accept it, the same as a regular GitHub Actions workflow.

This is available for every GitHub Packages ecosystem that Dependabot supports.

How to enable it

Automatic Dependabot access to GitHub-hosted registries - GitHub Changelog

Automatic Dependabot access to GitHub-hosted registries - GitHub Changelog

Other newsrooms on this story

Related reading

Dependabot version updates now support the Deno ecosystem - GitHub Changelog

Agentic workflows no longer need a personal access token - GitHub Changelog

Dependabot version updates now support the sbt ecosystem - GitHub Changelog

Expanded OIDC support for Dependabot and code scanning - GitHub Changelog

npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain…

GitHub.dev flaw lets attackers steal OAuth tokens in one click

Other newsrooms on this story

Related reading

Dependabot version updates now support the Deno ecosystem - GitHub Changelog

Agentic workflows no longer need a personal access token - GitHub Changelog

Dependabot version updates now support the sbt ecosystem - GitHub Changelog

Expanded OIDC support for Dependabot and code scanning - GitHub Changelog

npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain…

GitHub.dev flaw lets attackers steal OAuth tokens in one click