
Private repositories not used for version checks -> missing updates for internal libs/plugins #10274

Open · 1 task done
rd-tobias-woerenkaemper opened this issue Jul 23, 2024 · 2 comments
Labels: L: java:gradle (Maven packages via Gradle), L: java:maven (Maven packages via Maven)

Comments

rd-tobias-woerenkaemper commented Jul 23, 2024

Is there an existing issue for this?

  • I have searched the existing issues

... and only found somewhat similar issues like #10267, which again points to #5288 and #6507.

tl;dr

Dependabot no longer uses configured private repositories for dependency version resolution.

Timeline

First failure recognition: 2024/07/19 ~18:00 UTC
Last success: 2024/07/18 ~18:00 UTC

Noticed that the first failing run is accompanied by Dependabot appearing as a 'usual' GitHub Actions Dependabot Updates run named gradle in /. - Update #123456789 #1.

Package ecosystem

gradle

Package manager version

8.8

Language version

Java 21

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    ...
    registries: "*"
registries:
  artifactory-libs:
    type: maven-repository
    url: https://artifactory.my.company/libs
    username: ${{secrets.USER}}
    password: ${{secrets.PASSWORD}}
  artifactory-plugins:
    type: maven-repository
    url: https://artifactory.my.company/plugins
    username: ${{secrets.USER}}
    password: ${{secrets.PASSWORD}}

Expected Behavior

Find and update dependencies based on the configured private repositories.

Actual Behavior

Only https://repo.maven.apache.org:443/maven2 gets checked, which of course returns 404 for private artifacts.
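
As an added example (not code from this issue or from Dependabot itself), a small Python check of how registries are wired in a dependabot.yml like the one above: whether each update block references registries that are actually declared, whether their type matches a Maven ecosystem, and whether URLs are https and credentials are `${{secrets.*}}` references rather than literals. The configs are embedded as Python dicts modelled on the issue's file (a constructed weak variant alongside it) so the check runs without a YAML library; the symptom reported here, only the public default being queried, can also result from a plain mis-wiring of this kind, which the check catches before a run.

```python
import re
from typing import List

# Helper to build a maven-repository registry entry (assumed shape, matching the issue's file).
def maven_registry(url: str, password: str = "${{secrets.PASSWORD}}") -> dict:
    return {"type": "maven-repository", "url": url,
            "username": "${{secrets.USER}}", "password": password}

GOOD_CONFIG = {  # constructed, modelled on the dependabot.yml in this issue
    "version": 2,
    "updates": [{"package-ecosystem": "gradle", "directory": "/", "registries": "*"}],
    "registries": {
        "artifactory-libs": maven_registry("https://artifactory.my.company/libs"),
        "artifactory-plugins": maven_registry("https://artifactory.my.company/plugins"),
    },
}
# Constructed weak variant: plain-http URL, hard-coded password, and a registry referenced but never declared.
WEAK_CONFIG = {
    "version": 2,
    "updates": [{"package-ecosystem": "gradle", "directory": "/",
                 "registries": ["artifactory-libs", "artifactory-plugins"]}],
    "registries": {"artifactory-libs": maven_registry(
        "http://artifactory.my.company/libs", password="hunter2")},
}

SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.\w+\s*\}\}$")  # ${{secrets.NAME}}
MAVEN_ECOSYSTEMS = {"gradle", "maven"}

def check_registry_wiring(config: dict) -> List[str]:
    """Return findings; an empty list means every update block is wired to declared, https, secret-backed registries."""
    findings = []
    declared = config.get("registries") or {}
    for name, reg in declared.items():
        if not reg.get("url", "").startswith("https://"):
            findings.append(f"{name}: url is not https ({reg.get('url')})")
        for field in ("username", "password"):
            if field in reg and not SECRET_REF.match(reg[field]):
                findings.append(f"{name}: {field} is a literal, not a secrets reference")
    for upd in config.get("updates", []):
        eco, refs = upd.get("package-ecosystem"), upd.get("registries")
        if refs is None:  # no registries key: only the public default gets queried
            findings.append(f"{eco}: update block references no registries")
            continue
        for n in (list(declared) if refs == "*" else refs):  # "*" means all declared
            if n not in declared:
                findings.append(f"{eco}: registry '{n}' referenced but not declared")
            elif eco in MAVEN_ECOSYSTEMS and declared[n].get("type") != "maven-repository":
                findings.append(f"{eco}: registry '{n}' is not a maven-repository")
    return findings
```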

@github-actions github-actions bot added L: java:gradle Maven packages via Gradle L: java:maven Maven packages via Maven labels Jul 23, 2024
@rd-tobias-woerenkaemper rd-tobias-woerenkaemper changed the title Private repositories not used for version checks -> missing updates for internal libs Private repositories not used for version checks -> missing updates for internal libs/plugins Jul 23, 2024
rd-tobias-woerenkaemper (Author) commented

Workaround: disable Settings -> Security -> Code security and analysis -> Dependabot on Actions runners, introduced (as opt-in) with https://github.blog/changelog/2024-07-10-dependabot-migration-to-github-actions-for-enterprise-cloud-and-free-pro-and-teams-accounts-with-actions-enabled/, which got enabled in our repos between 2024/07/18 and 2024/07/19 without us noticing, causing the problems we observed.

vreyespue commented

Update: enabling both options Dependabot on Actions runners and Dependabot on self-hosted runners seems to resolve the issue as well.
