From 05b1fe42b5b874150ead210559bd66f289178cba Mon Sep 17 00:00:00 2001
From: Vie Xian Ong <viexianong@microsoft.com>
Date: Mon, 5 Jan 2026 15:03:11 -0800
Subject: [PATCH 1/4] add jitaccess endpoint

---
 cmd/dependabot/internal/cmd/update.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/cmd/dependabot/internal/cmd/update.go b/cmd/dependabot/internal/cmd/update.go
index 947938fe..fc592b27 100644
--- a/cmd/dependabot/internal/cmd/update.go
+++ b/cmd/dependabot/internal/cmd/update.go
@@ -329,6 +329,7 @@ func processInput(input *model.Input, flags *UpdateFlags) {
 	// doesn't already exist. This way the user doesn't run out of calls from being anonymous.
 	hasLocalToken := os.Getenv("LOCAL_GITHUB_ACCESS_TOKEN") != ""
 	hasLocalAzureToken := os.Getenv("LOCAL_AZURE_ACCESS_TOKEN") != ""
+	hasGitHubJitAccessEndpoint := os.Getenv("GITHUB_JITACCESS_TOKEN_ENDPOINT") != ""
 
 	var isGitSourceInCreds bool
 	for _, cred := range input.Credentials {
@@ -359,6 +360,17 @@ func processInput(input *model.Input, flags *UpdateFlags) {
 			"username": "x-access-token",
 			"password": "$LOCAL_GITHUB_ACCESS_TOKEN",
 		})
+
+		if hasGitHubJitAccessEndpoint {
+			log.Println("Adding jit_access type for GitHub credentials")
+			input.Credentials = append(input.Credentials, model.Credential{
+				"type":            "jit_access",
+				"credential-type": "git_source",
+				"username":        "x-access-token",
+				"endpoint":        "$GITHUB_JIT_ACCESS_TOKEN_ENDPOINT",
+			})
+		}
+
 		if len(input.Job.CredentialsMetadata) > 0 {
 			// Add the metadata since the next section will be skipped.
 			input.Job.CredentialsMetadata = append(input.Job.CredentialsMetadata, map[string]any{

From 0a6000ae37639475a3758f5b73e08010e325d43a Mon Sep 17 00:00:00 2001
From: Vie Xian Ong <viexianong@microsoft.com>
Date: Mon, 5 Jan 2026 15:41:48 -0800
Subject: [PATCH 2/4] add test

---
 cmd/dependabot/internal/cmd/update.go      |  2 +-
 cmd/dependabot/internal/cmd/update_test.go | 43 ++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/cmd/dependabot/internal/cmd/update.go b/cmd/dependabot/internal/cmd/update.go
index fc592b27..928d3785 100644
--- a/cmd/dependabot/internal/cmd/update.go
+++ b/cmd/dependabot/internal/cmd/update.go
@@ -367,7 +367,7 @@ func processInput(input *model.Input, flags *UpdateFlags) {
 				"type":            "jit_access",
 				"credential-type": "git_source",
 				"username":        "x-access-token",
-				"endpoint":        "$GITHUB_JIT_ACCESS_TOKEN_ENDPOINT",
+				"endpoint":        "$GITHUB_JITACCESS_TOKEN_ENDPOINT",
 			})
 		}
 
diff --git a/cmd/dependabot/internal/cmd/update_test.go b/cmd/dependabot/internal/cmd/update_test.go
index c5c2812d..b730f8d2 100644
--- a/cmd/dependabot/internal/cmd/update_test.go
+++ b/cmd/dependabot/internal/cmd/update_test.go
@@ -203,6 +203,49 @@ func Test_processInput(t *testing.T) {
 
 		assertStringArraysEqual(t, expectedGitCredentalsMetadataHosts, actualCredentialsMetadataHosts)
 	})
+
+	t.Run("Add Jit Access credentials when endpoint is present", func(t *testing.T) {
+		var input model.Input
+		os.Setenv("LOCAL_GITHUB_ACCESS_TOKEN", "token")
+		host := "github.example.com"
+		input.Job.Source.Hostname = &host
+		os.Setenv("GITHUB_JITACCESS_TOKEN_ENDPOINT", "host/jit_access")
+
+		processInput(&input, nil)
+
+		if len(input.Credentials) != 2 {
+			t.Fatal("expected two credential types to be added")
+		}
+		if !reflect.DeepEqual(input.Credentials[0], model.Credential{
+			"type":     "git_source",
+			"host":     host,
+			"username": "x-access-token",
+			"password": "$LOCAL_GITHUB_ACCESS_TOKEN",
+		}) {
+			t.Error("expected git_source credentials to be added")
+		}
+		if !reflect.DeepEqual(input.Credentials[1], model.Credential{
+			"type":            "jit_access",
+			"credential-type": "git_source",
+			"username":        "x-access-token",
+			"endpoint":        "$GITHUB_JITACCESS_TOKEN_ENDPOINT",
+		}) {
+			t.Error("expected jit_access credentials to be added")
+		}
+		if !reflect.DeepEqual(input.Job.CredentialsMetadata[0], model.Credential{
+			"type": "git_source",
+			"host": host,
+		}) {
+			t.Error("expected git_source credentials metadata to be added")
+		}
+		if !reflect.DeepEqual(input.Job.CredentialsMetadata[1], model.Credential{
+			"type":            "jit_access",
+			"credential-type": "git_source",
+			"endpoint":        "$GITHUB_JITACCESS_TOKEN_ENDPOINT",
+		}) {
+			t.Error("expected jit_accesscredentials metadata to be added")
+		}
+	})
 }
 
 func assertStringArraysEqual(t *testing.T, expected, actual []string) {

From 499ab2052d96490746399142342af674893eb832 Mon Sep 17 00:00:00 2001
From: Vie Xian Ong <viexianong@microsoft.com>
Date: Mon, 5 Jan 2026 15:57:31 -0800
Subject: [PATCH 3/4] textfix: unset env var for cleanup

---
 cmd/dependabot/internal/cmd/update_test.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cmd/dependabot/internal/cmd/update_test.go b/cmd/dependabot/internal/cmd/update_test.go
index b730f8d2..eeccfbe0 100644
--- a/cmd/dependabot/internal/cmd/update_test.go
+++ b/cmd/dependabot/internal/cmd/update_test.go
@@ -17,6 +17,7 @@ func Test_processInput(t *testing.T) {
 	t.Cleanup(func() {
 		os.Unsetenv("LOCAL_GITHUB_ACCESS_TOKEN")
 		os.Unsetenv("LOCAL_AZURE_ACCESS_TOKEN")
+		os.Unsetenv("GITHUB_JITACCESS_TOKEN_ENDPOINT")
 	})
 	t.Run("initializes some fields", func(t *testing.T) {
 		os.Setenv("LOCAL_GITHUB_ACCESS_TOKEN", "")

From e38d65035bea8a1a9a1f74ae7d84a1acf1f3e110 Mon Sep 17 00:00:00 2001
From: Vie Xian Ong <viexianong@microsoft.com>
Date: Tue, 6 Jan 2026 15:56:06 -0800
Subject: [PATCH 4/4] add host and remove username

---
 cmd/dependabot/internal/cmd/update.go      | 2 +-
 cmd/dependabot/internal/cmd/update_test.go | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/cmd/dependabot/internal/cmd/update.go b/cmd/dependabot/internal/cmd/update.go
index 928d3785..4f5e856b 100644
--- a/cmd/dependabot/internal/cmd/update.go
+++ b/cmd/dependabot/internal/cmd/update.go
@@ -365,8 +365,8 @@ func processInput(input *model.Input, flags *UpdateFlags) {
 			log.Println("Adding jit_access type for GitHub credentials")
 			input.Credentials = append(input.Credentials, model.Credential{
 				"type":            "jit_access",
+				"host":            host,
 				"credential-type": "git_source",
-				"username":        "x-access-token",
 				"endpoint":        "$GITHUB_JITACCESS_TOKEN_ENDPOINT",
 			})
 		}
diff --git a/cmd/dependabot/internal/cmd/update_test.go b/cmd/dependabot/internal/cmd/update_test.go
index eeccfbe0..5a8c25fe 100644
--- a/cmd/dependabot/internal/cmd/update_test.go
+++ b/cmd/dependabot/internal/cmd/update_test.go
@@ -227,8 +227,8 @@ func Test_processInput(t *testing.T) {
 		}
 		if !reflect.DeepEqual(input.Credentials[1], model.Credential{
 			"type":            "jit_access",
+			"host":            host,
 			"credential-type": "git_source",
-			"username":        "x-access-token",
 			"endpoint":        "$GITHUB_JITACCESS_TOKEN_ENDPOINT",
 		}) {
 			t.Error("expected jit_access credentials to be added")
@@ -242,9 +242,10 @@ func Test_processInput(t *testing.T) {
 		if !reflect.DeepEqual(input.Job.CredentialsMetadata[1], model.Credential{
 			"type":            "jit_access",
 			"credential-type": "git_source",
+			"host":            host,
 			"endpoint":        "$GITHUB_JITACCESS_TOKEN_ENDPOINT",
 		}) {
-			t.Error("expected jit_accesscredentials metadata to be added")
+			t.Error("expected jit_access credentials metadata to be added")
 		}
 	})
 }