GitHub expands OIDC for `Dependabot` and code scanning private registries

Org-level private registry auth now covers two more artifact providers. Useful if your supply-chain checks already pull private packages; otherwise low urgency.

[ KEY POINTS ]

Cloudsmith and Google Artifact Registry join org-level OIDC auth support for private registries, reducing long-lived secret handling.
Coverage applies to Dependabot and code scanning, so dependency updates and security analysis can access private packages with the same auth model.
Best fit is repos already using private artifacts. For public-package-only projects, this is a cleanup item, not a roadmap changer.

Originalgithub.blog/changelog/2026-05-19-expanded-oidc-support-for-dependabot-and-code-scanningRead original →

// related

#0001
#0001Infra & SaaS RevenueCat Blog4 hours ago
`Google Play Billing Library` `9.0`, billing and console updates from I/O 2026
80radar
Google Play Billing LibraryAndroid billing library — Google Play in-app purchase integration
Billing, analytics, protection, and Play Console all moved at once. Android subscription code should be reviewed now, not after a build rejection.
- Play Billing Library 9.0.0 is a major version, so billing code deserves a compatibility pass before the next Android release.
- The update bundle includes AI, Play Console, analytics, and protection changes. Store operations are expanding beyond payment integration.
- RevenueCat coverage matters because it usually translates Google Play billing changes into SDK and migration impact.
- Apps with Android subscriptions should watch RevenueCat and Google timelines together. Late migration turns into release risk.
Source: www.revenuecat.com/blog/engineering/play-billing-v9/Read original →
FIG-0011:1
80radar
FIG-0011:1
#0002
#0002Infra & SaaS GeekNews4 hours ago
CISA Contractor Leaked `AWS GovCloud` Keys on GitHub
40radar
A public repo exposed high-privilege cloud and internal credentials. Treat secret scanning as a production control, not a checkbox.
- The public Private-CISA repo exposed high-privilege AWS GovCloud credentials, plaintext passwords, tokens, and logs.
- Default protections that block secret publishing appear to have been disabled; one bad repo setting can bypass the whole safety net.
- Immediate takeaway: enforce secret scanning, pre-commit checks, and key rotation even on private or internal repos.
Source: news.hada.io/topic?id=29689Read original →
FIG-0021:1
40radar
FIG-0021:1
#0003
#0003Infra & SaaS GeekNews5 hours ago
`FileBrowser Quantum`: Free Open-Source Self-Hosted Web File Manager
50radar
FileBrowser QuantumSelf-hosted file manager — stronger auth and directory ACLs
A self-hosted file UI adds serious auth and access-control layers beyond basic browsing. Useful when a small product needs internal asset/admin file handling without paying for another SaaS.
- Supports OIDC, LDAP, JWT, password plus 2FA, and proxy auth, so it can fit both simple admin panels and heavier internal setups.
- Directory-level permissions can be set by user or group. That is the real upgrade over a plain shared file browser.
- Runs on SQLite, keeping deployment lightweight. Good fit for a single VPS or sidecar service in an existing stack.
Source: news.hada.io/topic?id=29680Read original →
FIG-0031:1
50radar
FIG-0031:1

GitHub expands OIDC for `Dependabot` and code scanning private registries

// related

`Google Play Billing Library` `9.0`, billing and console updates from I/O 2026

CISA Contractor Leaked `AWS GovCloud` Keys on GitHub

`FileBrowser Quantum`: Free Open-Source Self-Hosted Web File Manager