Open ID connect for Dependabot docs (#59494)

Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

content/actions/concepts/security/openid-connect.md

@@ -115,6 +115,20 @@ For more information, see [AUTOTITLE](/actions/reference/openid-connect-referenc
 
 {% data variables.product.prodname_actions %} workflows can use OIDC tokens instead of secrets to authenticate with cloud providers. Many popular cloud providers offer official login actions that simplify the process of using OIDC in your workflows. For more information about updating your workflows with specific cloud providers, see [AUTOTITLE](/actions/how-tos/security-for-github-actions/security-hardening-your-deployments).
 
+## OIDC support for {% data variables.product.prodname_dependabot %}
+
+{% data variables.product.prodname_dependabot %} can use OIDC to authenticate with private registries, eliminating the need to store long-lived credentials as repository secrets. With OIDC-based authentication, {% data variables.product.prodname_dependabot %} update jobs can dynamically obtain short-lived credentials from your cloud identity provider.
+
+{% data variables.product.prodname_dependabot %} supports OIDC authentication for any registry type that uses `username` and `password` authentication, when the registry is hosted on AWS CodeArtifact, Azure DevOps Artifacts, or JFrog Artifactory.
+
+The benefits of OIDC authentication for {% data variables.product.prodname_dependabot %} are:
+
+* **Enhanced security:** Eliminates static, long-lived credentials from your repositories.
+* **Simpler management:** Enables secure, policy-compliant access to private registries.
+* **Avoid rate limiting:** Dynamic credentials help you avoid hitting rate limits associated with static tokens.
+
+For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#using-oidc-for-authentication).
+
 ## Next steps
 
 For more information about configuring OIDC, see [AUTOTITLE](/actions/how-tos/security-for-github-actions/security-hardening-your-deployments).

content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot.md

@@ -124,6 +124,22 @@ If your private registry is configured with an IP allow list, you can find the I
 
 {% endif %}
 
+## Using OIDC for authentication
+
+{% data variables.product.prodname_dependabot %} can use OpenID Connect (OIDC) to authenticate with private registries, eliminating the need to store long-lived credentials as repository secrets.
+
+With OIDC-based authentication, {% data variables.product.prodname_dependabot %} update jobs can dynamically obtain short-lived credentials from your cloud identity provider, just like {% data variables.product.prodname_actions %} workflows using OIDC federation.
+
+{% data variables.product.prodname_dependabot %} supports OIDC authentication for any registry type that uses `username` and `password` authentication, when the registry is hosted on one of the following cloud providers:
+
+* AWS CodeArtifact
+* Azure DevOps Artifacts
+* JFrog Artifactory
+
+To configure OIDC authentication, you need to specify `tenant-id` and `client-id` instead of `username` and `password` in your registry configuration.
+
+For more information about how OIDC works, see [AUTOTITLE](/actions/concepts/security/openid-connect).
+
 ## Allowing external code execution
 
 When you give {% data variables.product.prodname_dependabot %} access to one or more registries, external code execution is automatically disabled to protect your code from compromised packages. However, some version updates may fail.
@@ -363,6 +379,22 @@ registries:
 
 {% endraw %}
 
+You can also use OIDC authentication to access JFrog Artifactory. {% data reusables.dependabot.dependabot-oidc-credentials %}
+
+{% raw %}
+
+```yaml copy
+registries:
+  maven-artifactory-oidc:
+    type: maven-repository
+    url: https://acme.jfrog.io/artifactory/my-maven-registry
+    tenant-id: ${{secrets.ARTIFACTORY_TENANT_ID}}
+    client-id: ${{secrets.ARTIFACTORY_CLIENT_ID}}
+    replaces-base: true
+```
+
+{% endraw %}
+
 ### `npm-registry`
 
 The `npm-registry` type supports username and password, or token. {% data reusables.dependabot.password-definition %}
@@ -433,6 +465,23 @@ registries:
 
 {% endraw %}
 
+You can also use OIDC authentication to access Azure DevOps Artifacts. {% data reusables.dependabot.dependabot-oidc-credentials %}
+
+{% raw %}
+
+```yaml copy
+registries:
+  nuget-azure-devops-oidc:
+    type: nuget-feed
+    url: https://pkgs.dev.azure.com/MyOrganization/MyProject/_packaging/MyArtifactFeedName/nuget/v3/index.json
+    tenant-id: ${{secrets.AZURE_TENANT_ID}}
+    client-id: ${{secrets.AZURE_CLIENT_ID}}
+```
+
+{% endraw %}
+
+The `AZURE_TENANT_ID` and `AZURE_CLIENT_ID` values can be obtained from the overview page of your Entra ID app registration.
+
 ### `pub-repository`
 
 The `pub-repository` type supports a URL and a token.
@@ -490,6 +539,22 @@ registries:
 
 {% endraw %}
 
+You can also use OIDC authentication to access Azure DevOps Artifacts. {% data reusables.dependabot.dependabot-oidc-credentials %}
+
+{% raw %}
+
+```yaml copy
+registries:
+  python-azure-oidc:
+    type: python-index
+    url: https://pkgs.dev.azure.com/octocat/_packaging/my-feed/pypi/example
+    tenant-id: ${{secrets.AZURE_TENANT_ID}}
+    client-id: ${{secrets.AZURE_CLIENT_ID}}
+    replaces-base: true
+```
+
+{% endraw %}
+
 ### `rubygems-server`
 
 The `rubygems-server` type supports username and password, or token. {% data reusables.dependabot.password-definition %}

content/code-security/reference/supply-chain-security/dependabot-options-reference.md

@@ -932,24 +932,26 @@ The parameters used to provide authentication details for access to a private re
 | Registry `type` | Required authentication parameters |
 |--|--|
 | `cargo-registry` | `token` |
-| `composer-repository` | `username` and `password` |
-| `docker-registry` | `username` and `password` |
-| `git` | `username` and `password` |
+| `composer-repository` | `username` and `password`<br>or OIDC with `tenant-id` and `client-id` |
+| `docker-registry` | `username` and `password`<br>or OIDC with `tenant-id` and `client-id` |
+| `git` | `username` and `password`<br>or OIDC with `tenant-id` and `client-id` |
 | `hex-organization` | `organization` and `key` |
 | `hex-repository` | `repo` and `auth-key` optionally with the corresponding `public-key-fingerprint` |
-| `maven-repository` | `username` and `password` |
-| `npm-registry` | `username` and `password`<br>or `token` |
-| `nuget-feed` | `username` and `password`<br>or `token` |
+| `maven-repository` | `username` and `password`<br>or OIDC with `tenant-id` and `client-id` |
+| `npm-registry` | `username` and `password`<br>or `token`<br>or OIDC with `tenant-id` and `client-id` |
+| `nuget-feed` | `username` and `password`<br>or `token`<br>or OIDC with `tenant-id` and `client-id` |
 | `pub-registry` | `token` |
-| `python-index` | `username` and `password`<br>or `token` |
-| `rubygems-server` | `username` and `password`<br>or `token` |
+| `python-index` | `username` and `password`<br>or `token`<br>or OIDC with `tenant-id` and `client-id` |
+| `rubygems-server` | `username` and `password`<br>or `token`<br>or OIDC with `tenant-id` and `client-id` |
 | `terraform-registry` | `token` |
 
 All sensitive data used for authentication should be stored securely and referenced from that secure location, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot).
 
 > [!TIP]
 > {% data reusables.dependabot.password-definition %}
 
+For more information about  OIDC support for {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/actions/concepts/security/openid-connect#oidc-support-for-dependabot) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#using-oidc-for-authentication).
+
 ### `url` and `replaces-base`
 
 The `url` parameter defines where to access a registry. When the optional `replaces-base` parameter is enabled (`true`), {% data variables.product.prodname_dependabot %} resolves dependencies using the value of `url` rather than the base URL of that specific ecosystem.

data/reusables/dependabot/dependabot-oidc-credentials.md

@@ -0,0 +1 @@
+With OIDC, {% data variables.product.prodname_dependabot %} dynamically obtains short-lived credentials instead of using static credentials.