[March 15] Dependabot version updates support for private registries (#17985)

* Update the UI for allowing private repos

* Private reg support WiP

* More WiP for private reg support

* Apply review comment about internal repos

* Add Dependabot secrets article

plus details of allowing remote code execution

* Add link to private registries info

* Fix conflict on PR

* Add 'private_source_*' errors to troubleshooting

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/managing-encrypted-secrets-for-dependabot.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/managing-encrypted-secrets-for-dependabot.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/managing-encrypted-secrets-for-dependabot.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/managing-encrypted-secrets-for-dependabot.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update data/reusables/dependabot/private-dependencies-note.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update data/reusables/dependabot/supported-package-managers.md

Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>

* Update content/github/administering-a-repository/managing-encrypted-secrets-for-dependabot.md

Co-authored-by: Jason Rudolph <jason@jasonrudolph.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com>

* Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md

Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com>

* Move registries section below updates

as requested by reviewer.

* Correct heading level of 'allow' subheading

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com>
Co-authored-by: Jason Rudolph <jason@jasonrudolph.com>

Author: 4 people

assets/images/help/dependabot/dependabot-secrets.png

@@ -40,7 +40,9 @@ You can configure version updates for repositories that contain a dependency man
 
 {% note %}
 
-{% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. See the details in the table below.
+{% data reusables.dependabot.private-dependencies-note %} 
+
+{% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. See the details in the table below.
 
 {% endnote %}
 

assets/images/help/dependabot/secret-repository-access.png

@@ -18,9 +18,12 @@ You enable {% data variables.product.prodname_dependabot_version_updates %} by c
 
 ### Enabling {% data variables.product.prodname_dependabot_version_updates %}
 
-{% data reusables.dependabot.create-dependabot-yml %}
-1. Use `package-ecosystem` to specify the package managers to monitor.
+{% data reusables.dependabot.create-dependabot-yml %} For information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates)."
+1. Add a `version`. 
+1. Optionally, if you have dependencies in a private registry, add a `registries` section containing authentication details. 
+1. Add an `updates` section, with an entry for each package manager you want {% data variables.product.prodname_dependabot %} to monitor.
 1. For each package manager, use:
+    - `package-ecosystem` to specify the package manager.
     - `directory` to specify the location of the manifest or other definition files.
     - `schedule.interval` to specify how often to check for new versions.
 {% data reusables.dependabot.check-in-dependabot-yml %}

assets/images/help/dependabot/update-remove-org-secret.png

@@ -64,6 +64,7 @@ versions:
     {% link_in_list /enabling-and-disabling-version-updates %}
     {% link_in_list /listing-dependencies-configured-for-version-updates %}
     {% link_in_list /managing-pull-requests-for-dependency-updates %}
+    {% link_in_list /managing-encrypted-secrets-for-dependabot %}
     {% link_in_list /customizing-dependency-updates %}
     {% link_in_list /configuration-options-for-dependency-updates %}
     {% link_in_list /keeping-your-actions-up-to-date-with-dependabot %}

assets/images/help/dependabot/update-remove-repo-secret.png

@@ -0,0 +1,72 @@
+---
+title: Managing encrypted secrets for Dependabot
+intro: You can store sensitive information, like passwords and access tokens, as encrypted secrets and then reference these in the {% data variables.product.prodname_dependabot %} configuration file.
+versions:
+  free-pro-team: '*'
+---
+
+### About encrypted secrets for {% data variables.product.prodname_dependabot %}
+
+{% data variables.product.prodname_dependabot %} secrets are encrypted credentials that you create at either the organization level or the repository level.
+When you add a secret at the organization level, you can specify which repositories can access the secret. You can use secrets to allow {% data variables.product.prodname_dependabot %} to update dependencies located in private package registries. When you add a secret it's encrypted before it reaches {% data variables.product.prodname_dotcom %} and it remains encrypted until it's used by {% data variables.product.prodname_dependabot %} to access a private package registry.
+
+After you add a {% data variables.product.prodname_dependabot %} secret, you can reference it in the _dependabot.yml_ configuration file like this: {% raw %}`${{secrets.NAME}}`{% endraw %}, where "NAME" is the name you chose for the secret. For example: 
+
+{% raw %}
+```yaml
+password: ${{secrets.MY_ARTIFACTORY_PASSWORD}}
+```
+{% endraw %}
+
+For more information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#configuration-options-for-private-registries)."
+
+#### Naming your secrets
+
+The name of a {% data variables.product.prodname_dependabot %} secret:
+* Can only contain alphanumeric characters (`[A-Z]`, `[0-9]`) or underscores (`_`). Spaces are not allowed. If you enter lowercase letters these are changed to uppercase.
+* Must not start with the `GITHUB_` prefix.
+* Must not start with a number.
+
+### Adding a repository secret for {% data variables.product.prodname_dependabot %}
+
+{% data reusables.github-actions.permissions-statement-secrets-repository %}
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.github-actions.sidebar-secret %}
+{% data reusables.dependabot.dependabot-secrets-button %}
+1. Click **New repository secret**.
+1. Type a name for your secret in the **Name** input box.
+1. Enter the value for your secret.
+1. Click **Add secret**.
+
+   The name of the secret is listed on the Dependabot secrets page. You can click **Update** to change the secret value. You can click **Remove** to delete the secret.
+
+   ![Update or remove a repository secret](/assets/images/help/dependabot/update-remove-repo-secret.png)
+
+### Adding an organization secret for {% data variables.product.prodname_dependabot %}
+
+When creating a secret in an organization, you can use a policy to limit which repositories can access that secret. For example, you can grant access to all repositories, or limit access to only private repositories or a specified list of repositories.
+
+{% data reusables.github-actions.permissions-statement-secrets-organization %}
+
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.org_settings %}
+{% data reusables.github-actions.sidebar-secret %}
+{% data reusables.dependabot.dependabot-secrets-button %}
+1. Click **New organization secret**.
+1. Type a name for your secret in the **Name** input box.
+1. Enter the **Value** for your secret.
+1. From the **Repository access** dropdown list, choose an access policy.
+1. If you chose **Selected repositories**:
+
+   * Click {% octicon "gear" aria-label="The Gear icon" %}.
+   * Choose the repositories that can access this secret. 
+     ![Select repositories for this secret](/assets/images/help/dependabot/secret-repository-access.png)
+   * Click **Update selection**.
+
+1. Click **Add secret**.
+
+   The name of the secret is listed on the Dependabot secrets page. You can click **Update** to change the secret value or its access policy. You can click **Remove** to delete the secret.
+
+   ![Update or remove an organization secret](/assets/images/help/dependabot/update-remove-repo-secret.png)

content/github/administering-a-repository/about-dependabot-version-updates.md

@@ -76,9 +76,20 @@ There are separate limits for security and version update pull requests, so that
 
 The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see "[Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually)."
 
-#### {% data variables.product.prodname_dependabot %} can't resolve your dependency files
+#### {% data variables.product.prodname_dependabot %} can't resolve or access your dependencies
 
-If {% data variables.product.prodname_dependabot %} attempts to check whether dependency references need to be updated in a repository, but can't access one or more of the referenced files, the operation will fail with the error message "{% data variables.product.prodname_dependabot %} can't resolve your LANGUAGE dependency files." The API error type is `git_dependencies_not_reachable`.  
+If {% data variables.product.prodname_dependabot %} attempts to check whether dependency references need to be updated in a repository, but can't access one or more of the referenced files, the operation will fail with the error message "{% data variables.product.prodname_dependabot %} can't resolve your LANGUAGE dependency files." The API error type is `git_dependencies_not_reachable`.
+
+Similarly, if {% data variables.product.prodname_dependabot %} can't access a private package registry in which a dependency is located, one of the following errors is generated:
+
+*	"Dependabot can't reach a dependency in a private package registry"<br>
+   (API error type: `private_source_not_reachable`)
+*	"Dependabot can't authenticate to a private package registry"<br>
+   (API error type:`private_source_authentication_failure`)
+*	"Dependabot timed out while waiting for a private package registry"<br>
+   (API error type:`private_source_timed_out`)
+*	"Dependabot couldn't validate the certificate for a private package registry"<br>
+   (API error type:`private_source_certificate_failure`)
 
 To allow {% data variables.product.prodname_dependabot %} to update the dependency references successfully, make sure that all of the referenced dependencies are hosted at accessible locations.