Fetching Helm Charts from a private repository

[lottosechser]

Is there an existing issue for this?

• I have searched the existing issues

Feature description

As Dependabot introduced support for updating Helm Charts we added a Chart which gets picked up by the Dependabot runner, but the source of the Chart, which is located in another private repository, cannot be fetched. It seems that the issue is that Dependabot is only using authenticated requests for registries, but not 'classic' repositories.

dependabot.yml (truncated)

version: 2
updates:
- package-ecosystem: "helm"
  directory: "/helm/test-chart"
  schedule:
    interval: "daily"
  commit-message:
    prefix: "[NO-JIRA]"
  registries:
    - helm_charts

registries:
  helm_charts:
    type: helm-registry
    url: https://raw.githubusercontent.com/[*]/helm-charts/gh-pages
    username: ${{secrets.USERNAME}}
    password: ${{secrets.PASSWORD}}

The error we get is the same as if you try to fetch the index.yaml by hand without the use of a Github PAT or Basic Auth:

updater | 2025/05/26 12:33:39 ERROR <job_1021933982> Error adding/updating Helm repository: Error: looks like "https://raw.githubusercontent.com/[*]/helm-charts/gh-pages" is not a valid chart repository or cannot be reached: failed to fetch https://raw.githubusercontent.com/[*]/helm-charts/gh-pages/index.yaml : 404 Not Found

When adding the respective code for helm repo add with username and password (after the registry login fails with a 400 Bad Request error) it works in the local docker-dev-shell. The working concept is available under https://github.com/lottosechser/dependabot-core/tree/add-auth-repo but lacks of additional tests.

Could you please add support for private helm repositories or are you open to accept a PR for this feature?