
feat!: Add OIDC authentication support to PrivateRegistries#4159

Open
mkushakov wants to merge 3 commits into google:master from mkushakov:feat/private-registry-oidc-support

Conversation


@mkushakov mkushakov commented Apr 16, 2026

BREAKING CHANGE: PrivateRegistriesService is updated to API version 2026-03-10 with struct and response changes.

Update the PrivateRegistriesService to align with the GitHub Private Registries
API version 2026-03-10.

Changes:

  • Add PrivateRegistryAuthType type with constants for token, username_password,
    oidc_azure, oidc_aws, and oidc_jfrog
  • Add OIDC-related fields to CreateOrganizationPrivateRegistry and
    UpdateOrganizationPrivateRegistry: AuthType, TenantID, ClientID,
    AwsRegion, AccountID, RoleName, Domain, DomainOwner,
    JfrogOidcProviderName, Audience, IdentityMappingName
  • Add ReplacesBase field to both Create and Update request structs
  • Add SelectedRepositoryIDs field to PrivateRegistry response struct
  • Change EncryptedValue and KeyID in CreateOrganizationPrivateRegistry
    to *string with omitempty (should be omitted for OIDC auth types)
  • Change UpdateOrganizationPrivateRegistry() to return (*Response, error)
    since the API now returns 204 No Content

API docs: https://docs.github.com/rest/private-registries/organization-configurations?apiVersion=2026-03-10

Fixes: #4158.
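The invariant in the description above, that encrypted_value and key_id are pointer fields with omitempty and must be left unset for the OIDC auth types, is easy to get wrong on the caller side. The following is an added example, not code from this PR or from go-github: it models the request body with the field set listed above and validates it before marshalling, so a stored secret is never serialized alongside an OIDC configuration and a token configuration is never sent without one. The struct, the Validate method, EncodeRequest and the per-provider required-field rule (tenant_id/client_id for Azure, aws_region/account_id/role_name for AWS, jfrog_oidc_provider_name/identity_mapping_name for JFrog) are this example's own assumptions, derived from the field descriptions in the response schema rather than from anything the page states as required.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// PrivateRegistryAuthType holds the auth_type values listed in the PR description.
type PrivateRegistryAuthType string

const (
	AuthTypeToken            PrivateRegistryAuthType = "token"
	AuthTypeUsernamePassword PrivateRegistryAuthType = "username_password"
	AuthTypeOIDCAzure        PrivateRegistryAuthType = "oidc_azure"
	AuthTypeOIDCAWS          PrivateRegistryAuthType = "oidc_aws"
	AuthTypeOIDCJFrog        PrivateRegistryAuthType = "oidc_jfrog"
)

// CreateOrganizationPrivateRegistry is an illustrative model of the request body (not go-github's struct).
type CreateOrganizationPrivateRegistry struct {
	RegistryType   string                  `json:"registry_type"`
	URL            string                  `json:"url"`
	AuthType       PrivateRegistryAuthType `json:"auth_type,omitempty"`
	Username       *string                 `json:"username,omitempty"`
	EncryptedValue *string                 `json:"encrypted_value,omitempty"` // secret; must be nil for OIDC
	KeyID          *string                 `json:"key_id,omitempty"`          // secret; must be nil for OIDC
	Visibility     string                  `json:"visibility"`
	ReplacesBase   *bool                   `json:"replaces_base,omitempty"`
	// Provider-specific OIDC settings, all optional at the JSON level.
	TenantID              *string `json:"tenant_id,omitempty"`
	ClientID              *string `json:"client_id,omitempty"`
	AwsRegion             *string `json:"aws_region,omitempty"`
	AccountID             *string `json:"account_id,omitempty"`
	RoleName              *string `json:"role_name,omitempty"`
	Domain                *string `json:"domain,omitempty"`
	DomainOwner           *string `json:"domain_owner,omitempty"`
	JfrogOidcProviderName *string `json:"jfrog_oidc_provider_name,omitempty"`
	Audience              *string `json:"audience,omitempty"`
	IdentityMappingName   *string `json:"identity_mapping_name,omitempty"`
}

// Ptr returns a pointer to v (same shape as the helper go-github exposes).
func Ptr[T any](v T) *T { return &v }

// IsOIDC reports whether the auth type exchanges a workload identity token instead of a stored secret.
func (a PrivateRegistryAuthType) IsOIDC() bool {
	return a == AuthTypeOIDCAzure || a == AuthTypeOIDCAWS || a == AuthTypeOIDCJFrog
}

// Validate enforces the PR's rule (secrets omitted for OIDC, required otherwise) and,
// as this example's own assumption, the provider fields each OIDC type needs.
func (r *CreateOrganizationPrivateRegistry) Validate() error {
	var required []*string
	switch r.AuthType {
	case "", AuthTypeToken, AuthTypeUsernamePassword:
		if r.EncryptedValue == nil || r.KeyID == nil {
			return errors.New("encrypted_value and key_id are required for secret-based auth")
		}
	case AuthTypeOIDCAzure:
		required = []*string{r.TenantID, r.ClientID}
	case AuthTypeOIDCAWS:
		required = []*string{r.AwsRegion, r.AccountID, r.RoleName}
	case AuthTypeOIDCJFrog:
		required = []*string{r.JfrogOidcProviderName, r.IdentityMappingName}
	default:
		return fmt.Errorf("unknown auth_type %q", r.AuthType)
	}
	if r.AuthType.IsOIDC() {
		if r.EncryptedValue != nil || r.KeyID != nil {
			return fmt.Errorf("encrypted_value and key_id must be omitted for %s", r.AuthType)
		}
		for _, p := range required {
			if p == nil {
				return fmt.Errorf("missing provider field for %s", r.AuthType)
			}
		}
	}
	return nil
}

// EncodeRequest validates r and returns the JSON body that would be sent; omitempty on
// the pointer fields guarantees that nil secrets never appear on the wire.
func EncodeRequest(r *CreateOrganizationPrivateRegistry) ([]byte, error) {
	if err := r.Validate(); err != nil {
		return nil, err
	}
	return json.Marshal(r)
}

func main() {
	// Constructed sample: an AWS OIDC registry with no stored secret.
	aws := &CreateOrganizationPrivateRegistry{RegistryType: "npm_registry", URL: "https://npm.example.com",
		Visibility: "all", AuthType: AuthTypeOIDCAWS, AwsRegion: Ptr("us-east-1"),
		AccountID: Ptr("123456789012"), RoleName: Ptr("example-role"), Audience: Ptr("sts.amazonaws.com")}
	b, err := EncodeRequest(aws)
	fmt.Println(string(b), err)
}
```

The check runs before marshalling on purpose: once omitempty has dropped a nil field there is nothing left to inspect, so the validation has to look at the typed struct, not the encoded bytes.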


google-cla bot commented Apr 16, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@gmlewis gmlewis changed the title feat: Add OIDC authentication support to PrivateRegistries feat: Add OIDC authentication support to PrivateRegistries Apr 16, 2026

codecov bot commented Apr 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.83%. Comparing base (cd716ed) to head (b15fc0c).

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4159      +/-   ##
==========================================
- Coverage   93.83%   93.83%   -0.01%     
==========================================
  Files         209      209              
  Lines       19685    19681       -4     
==========================================
- Hits        18472    18468       -4     
  Misses       1015     1015              
  Partials      198      198              


@gmlewis gmlewis added the NeedsReview PR is awaiting a review before merging. label Apr 16, 2026
@gmlewis gmlewis changed the title feat: Add OIDC authentication support to PrivateRegistries feat!: Add OIDC authentication support to PrivateRegistries Apr 16, 2026
@gmlewis gmlewis added the Breaking API Change PR will require a bump to the major version num in next release. Look here to see the change(s). label Apr 16, 2026

mkushakov commented Apr 16, 2026

@gmlewis thanks for the initial review, but this PR is a breaking change compared to the master branch, not to the latest release, since github/private_registries.go was introduced recently and has not yet been released (#4147).
This is why it would be better to merge it before the release, to avoid breaking changes.

Collaborator

@gmlewis gmlewis left a comment


Thank you, @mkushakov!
This is the first GitHub v3 API version breaking change using their new "calendar-versioning" mechanism. As a result, we need to make some more changes in this PR.

According to our README.md:

### Calendar Versioning ###

As of 2022-11-28, GitHub has announced (broken link)
that they are starting to version their v3 API based on "calendar-versioning".

In practice, our goal is to make per-method version overrides (at
least in the core library) rare and temporary.

Our understanding of the GitHub docs is that they will be revving the
entire API to each new date-based version, even if only a few methods
have breaking changes. Other methods will accept the new version with
their existing functionality. So when a new date-based version of the
GitHub API is released, we (the repo maintainers) plan to:

* update each method that had breaking changes, overriding their
  per-method API version header. This may happen in one or multiple
  commits and PRs, and is all done in the main branch.

* once all of the methods with breaking changes have been updated,
  have a final commit that bumps the default API version, and remove
  all of the per-method overrides. That would now get a major version
  bump when the next go-github release is made.

So we need to override the per-method API version header in this PR according to the blog post, and I'm discovering that the blog post link is now broken.
The new link is:
https://github.blog/developer-skills/github/to-infinity-and-beyond-enabling-the-future-of-githubs-rest-api-with-api-versioning/

According to the blog post, the following header needs to be added to the updated endpoint:

X-GitHub-Api-Version: 2026-03-10

So this endpoint needs to add:

req.Header.Set(headerAPIVersion, "2026-03-10")
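The per-method override described in the comment above is a one-line header set, but the thing worth testing is that only the changed endpoint sends the new date while every other method keeps the library default. The following is an added example, not go-github's code: a stand-in Client with a newRequest helper that stamps the default version, an UpdateOrganizationPrivateRegistry that overrides it and expects 204 No Content, and a fake server that records which X-GitHub-Api-Version each request carried. The default of 2022-11-28 is assumed from the date in the README excerpt; the Client type, newRequest, do and VersionHeadersSeen are this example's own names.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Versions: the assumed library-wide default and the override this PR targets.
const (
	headerAPIVersion            = "X-GitHub-Api-Version"
	defaultAPIVersion           = "2022-11-28"
	privateRegistriesAPIVersion = "2026-03-10"
)

// Client is a stand-in for go-github's client, not the real type.
type Client struct {
	BaseURL string
	HTTP    *http.Client
}

// newRequest stamps every request with the default version; a method with a breaking change overrides it afterwards.
func (c *Client) newRequest(ctx context.Context, method, path string, body []byte) (*http.Request, error) {
	req, err := http.NewRequestWithContext(ctx, method, c.BaseURL+path, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set(headerAPIVersion, defaultAPIVersion)
	return req, nil
}

// do sends req and treats any status other than want as an error.
func (c *Client) do(req *http.Request, want int) (*http.Response, error) {
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != want {
		return resp, fmt.Errorf("%s %s: status %d, want %d", req.Method, req.URL.Path, resp.StatusCode, want)
	}
	return resp, nil
}

// UpdateOrganizationPrivateRegistry overrides the version for this one endpoint and expects the 204 the new API returns.
func (c *Client) UpdateOrganizationPrivateRegistry(ctx context.Context, org, name string, patch any) (*http.Response, error) {
	body, err := json.Marshal(patch)
	if err != nil {
		return nil, err
	}
	req, err := c.newRequest(ctx, http.MethodPatch, fmt.Sprintf("/orgs/%s/private-registries/%s", org, name), body)
	if err != nil {
		return nil, err
	}
	req.Header.Set(headerAPIVersion, privateRegistriesAPIVersion) // per-method override
	return c.do(req, http.StatusNoContent)
}

// VersionHeadersSeen runs the overridden PATCH and a plain GET against a fake server and returns the version each received.
func VersionHeadersSeen() (map[string]string, error) {
	var mu sync.Mutex
	seen := map[string]string{}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		seen[r.Method+" "+r.URL.Path] = r.Header.Get(headerAPIVersion)
		mu.Unlock()
		if r.Method == http.MethodPatch {
			w.WriteHeader(http.StatusNoContent) // new response shape for PATCH
			return
		}
		fmt.Fprint(w, `{"name":"example-registry","registry_type":"npm_registry","visibility":"all"}`) // constructed sample
	}))
	defer srv.Close()
	c := &Client{BaseURL: srv.URL, HTTP: srv.Client()}
	if _, err := c.UpdateOrganizationPrivateRegistry(context.Background(), "example-org", "example-registry", map[string]string{"visibility": "private"}); err != nil {
		return nil, err
	}
	// A method without a breaking change stops at newRequest and keeps the default.
	req, err := c.newRequest(context.Background(), http.MethodGet, "/orgs/example-org/private-registries/example-registry", nil)
	if err != nil {
		return nil, err
	}
	if _, err := c.do(req, http.StatusOK); err != nil {
		return nil, err
	}
	return seen, nil
}

func main() {
	seen, err := VersionHeadersSeen()
	if err != nil {
		panic(err)
	}
	fmt.Println(seen)
}
```

The recorded map is what a unit test for the override should assert on: the PATCH key must carry 2026-03-10 and the GET key must still carry the default, which is exactly the state the README's "rare and temporary per-method overrides" rule describes until the default itself is bumped.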

@mkushakov mkushakov force-pushed the feat/private-registry-oidc-support branch from c4bdd0e to b15fc0c Compare April 16, 2026 14:25
Comment on lines 61 to +76
@@ -61,6 +72,8 @@
UpdatedAt *Timestamp `json:"updated_at,omitempty"`
// Visibility is the visibility of the private registry. Possible values are: "private", "all", and "selected".
Visibility *PrivateRegistryVisibility `json:"visibility,omitempty"`
// SelectedRepositoryIDs is an array of repository IDs that can access the organization private registry.
SelectedRepositoryIDs []int64 `json:"selected_repository_ids,omitempty"`
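Review bot: the doc comment on SelectedRepositoryIDs should state that the list only applies when Visibility is "selected", which is how the response schema quoted below describes selected_repository_ids; suggest `// SelectedRepositoryIDs is an array of repository IDs that can access the organization private registry when Visibility is "selected".` so that readers do not expect the field to be populated for "all" or "private" registries.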
Contributor


It has a few more missing fields according to the response schema:
url, replaces_base, tenant_id, client_id, aws_region, account_id, role_name, domain, domain_owner, jfrog_oidc_provider_name, audience, identity_mapping_name

{
  "title": "Organization private registry",
  "description": "Private registry configuration for an organization",
  "type": "object",
  "properties": {
    "name": {
      "description": "The name of the private registry configuration.",
      "type": "string"
    },
    "registry_type": {
      "description": "The registry type.",
      "enum": [
        "maven_repository",
        "nuget_feed",
        "goproxy_server",
        "npm_registry",
        "rubygems_server",
        "cargo_registry",
        "composer_repository",
        "docker_registry",
        "git_source",
        "helm_registry",
        "hex_organization",
        "hex_repository",
        "pub_repository",
        "python_index",
        "terraform_registry"
      ],
      "type": "string"
    },
    "auth_type": {
      "description": "The authentication type for the private registry.",
      "enum": [
        "token",
        "username_password",
        "oidc_azure",
        "oidc_aws",
        "oidc_jfrog"
      ],
      "type": "string"
    },
    "url": {
      "description": "The URL of the private registry.",
      "type": "string",
      "format": "uri"
    },
    "username": {
      "description": "The username to use when authenticating with the private registry.",
      "type": "string"
    },
    "replaces_base": {
      "description": "Whether this private registry replaces the base registry (e.g., npmjs.org for npm, rubygems.org for rubygems). When `true`, Dependabot will only use this registry and will not fall back to the public registry. When `false` (default), Dependabot will use this registry for scoped packages but may fall back to the public registry for other packages.",
      "type": "boolean",
      "default": false
    },
    "visibility": {
      "description": "Which type of organization repositories have access to the private registry. `selected` means only the repositories specified by `selected_repository_ids` can access the private registry.",
      "enum": [
        "all",
        "private",
        "selected"
      ],
      "type": "string"
    },
    "selected_repository_ids": {
      "type": "array",
      "description": "An array of repository IDs that can access the organization private registry when `visibility` is set to `selected`.",
      "items": {
        "type": "integer"
      }
    },
    "tenant_id": {
      "description": "The tenant ID of the Azure AD application.",
      "type": "string"
    },
    "client_id": {
      "description": "The client ID of the Azure AD application.",
      "type": "string"
    },
    "aws_region": {
      "description": "The AWS region.",
      "type": "string"
    },
    "account_id": {
      "description": "The AWS account ID.",
      "type": "string"
    },
    "role_name": {
      "description": "The AWS IAM role name.",
      "type": "string"
    },
    "domain": {
      "description": "The CodeArtifact domain.",
      "type": "string"
    },
    "domain_owner": {
      "description": "The CodeArtifact domain owner.",
      "type": "string"
    },
    "jfrog_oidc_provider_name": {
      "description": "The JFrog OIDC provider name.",
      "type": "string"
    },
    "audience": {
      "description": "The OIDC audience.",
      "type": "string"
    },
    "identity_mapping_name": {
      "description": "The JFrog identity mapping name.",
      "type": "string"
    },
    "created_at": {
      "type": "string",
      "format": "date-time"
    },
    "updated_at": {
      "type": "string",
      "format": "date-time"
    }
  },
  "required": [
    "name",
    "registry_type",
    "visibility",
    "created_at",
    "updated_at"
  ]
}

// Name of the private registry.
Name *string `json:"name,omitempty"`
// RegistryType is the type of private registry. You can find the list of supported types in PrivateRegistryType.
RegistryType *string `json:"registry_type,omitempty"`
Contributor


Should we change its type from *string to *PrivateRegistryType?

type CreateOrganizationPrivateRegistry struct {
// RegistryType is the type of private registry.
// You can find the list of supported types in PrivateRegistryType.
RegistryType string `json:"registry_type"`
Contributor


Should we change its type from string to PrivateRegistryType?

RoleName: Ptr("my-role"),
Domain: Ptr("my-domain"),
DomainOwner: Ptr("123456789012"),
Audience: Ptr("sts.amazonaws.com"),
Contributor


Use example.com instead of random URLs


input := &CreateOrganizationPrivateRegistry{
RegistryType: "npm_registry",
URL: "https://my.jfrog.io/artifactory/api/npm/npm-remote",
Contributor


same here


input := &CreateOrganizationPrivateRegistry{
RegistryType: "maven_repository",
URL: "https://maven.pkg.github.com/OWNER/REPOSITORY",
Contributor


same here

Successfully merging this pull request may close these issues.

Add support for OIDC in private registries

3 participants