
Not able to authenticate with private feeds in azure devops

Open sharadbharadia opened this issue 3 years ago • 2 comments

We are using dependabot for updating dependencies automatically. However, it looks like it does not work with private feeds when used with an Azure DevOps pipeline.

Here is my .\azuredevops\dependabot.yaml file

version: 2  # required by Dependabot config files; omitted in the original paste
registries:
  maven-azure-devops:
    type: maven-repository
    url: https://pkgs.dev.azure.com/<ORG_NAME>/_packaging/<FEED_NAME>/maven/v1
    username: <MY_USERNAME>
    password: <MY_PAT>  # a PAT committed here is a plaintext secret in the repo; supply it from a pipeline secret instead
updates:
  - package-ecosystem: "maven"
    directory: "/src"
    registries:
      - maven-azure-devops
    schedule:
      interval: "daily"
    target-branch: "<TARGET_BRANCH_NAME>"
    open-pull-requests-limit: 1
    ignore:
      - dependency-name: "com.google.guava:guava"
        versions: ["17.x"]  # the key is `versions` (a list), not `version`

Below is the task in azure-pipelines.yaml

trigger: none
 
stages:
- stage: dependabot
  displayName: "Dependabot Scanning"
  jobs:
  - job: dependabot
    displayName: "Dependabot Scan"
    steps:
    - checkout: self
    - task: dependabot@1
      inputs:
        useConfigFile: true
        azureDevOpsAccessToken: '$(System.AccessToken)'
        targetRepositoryName: '<TARGET_REPO_NAME>'
        dockerImageRepository: 'tingle/dependabot-azure-devops'
        dockerImageTag: '0.8'

Pipeline logs

2022-07-26T11:40:32.3982895Z /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-maven-0.198.0/lib/dependabot/maven/update_checker/version_finder.rb:67:in `versions': The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): https://pkgs.dev.azure.com/<ORG_NAME>/_packaging/<FEED_NAME>/maven/v1 (Dependabot::PrivateSourceAuthenticationFailure)
2022-07-26T11:40:32.4247920Z 	from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-maven-0.198.0/lib/dependabot/maven/update_checker/version_finder.rb:32:in `latest_version_details'
2022-07-26T11:40:32.4248871Z 	from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-maven-0.198.0/lib/dependabot/maven/update_checker.rb:107:in `latest_version_details'
2022-07-26T11:40:32.4249727Z 	from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-maven-0.198.0/lib/dependabot/maven/update_checker.rb:15:in `latest_version'
2022-07-26T11:40:32.4254442Z 	from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-common-0.198.0/lib/dependabot/update_checkers/base.rb:231:in `numeric_version_up_to_date?'
2022-07-26T11:40:32.4255551Z 	from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-maven-0.198.0/lib/dependabot/maven/update_checker.rb:91:in `numeric_version_up_to_date?'
2022-07-26T11:40:32.4256564Z 	from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-common-0.198.0/lib/dependabot/update_checkers/base.rb:189:in `version_up_to_date?'
2022-07-26T11:40:32.4257529Z 	from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-common-0.198.0/lib/dependabot/update_checkers/base.rb:33:in `up_to_date?'
2022-07-26T11:40:32.4258272Z 	from ./update-script.rb:308:in `block in <main>'
2022-07-26T11:40:32.4258845Z 	from ./update-script.rb:286:in `each'
2022-07-26T11:40:32.4259411Z 	from ./update-script.rb:286:in `<main>'

Would appreciate any help here.

sharadbharadia avatar Jul 26 '22 11:07 sharadbharadia

IIUC, you're running Dependabot as a pipeline within Azure DevOps, rather than the normal GitHub Dependabot, so I transferred this to the dependabot-script repo.

Unfortunately, support for other environments isn't something that the main Dependabot team is able to help with currently... we're happy to merge PRs to the dependabot-script repo as a shared braintrust for the community to leverage, but we don't currently have the time to help with further debugging.

Partially that's because we are a small team and currently buried with Dependabot-core issues, and partially because we're focusing some dev efforts on architecture improvements that we hope will make it easier for folks to run dependabot itself in various environments, rather than having a single script that tries to handle all edge cases for all environments.

I've never personally tried to run Dependabot in Azure DevOps, so I'm afraid I can't be much help; perhaps someone else from the community may chime in. I did notice that https://github.com/tinglesoftware/dependabot-azure-devops#credentials-for-private-registries-and-feeds mentions DEPENDABOT_EXTRA_CREDENTIALS, perhaps that may put you on the right track?

jeffwidman avatar Jul 26 '22 22:07 jeffwidman
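The two things a practitioner usually checks when a Dependabot::PrivateSourceAuthenticationFailure like the one above appears are whether the credentials actually reach the script in the shape DEPENDABOT_EXTRA_CREDENTIALS expects, and whether those credentials are accepted by the feed at all. The script below is an added example, not code from the issue thread or from the dependabot-script or dependabot-azure-devops projects. It translates a `registries` block shaped like the one in the issue into credential objects (the `maven_repository` credential type used by dependabot-core), resolves the secret from the environment instead of the committed file, refuses any value that is still an unfilled `<PLACEHOLDER>`, and probes the feed with the same Basic-auth header a Maven client would send. The `MAVEN_AZURE_DEVOPS_URL` / `_USERNAME` / `_PASSWORD` variable names, the `maven-metadata.xml` probe path and the `fake_opener` dry-run helper are assumptions; the guava coordinates come from the issue's config.

```python
"""Added example (not from the issue thread or the dependabot-script project).
1. Translate a dependabot.yml `registries` block into the credential objects that
   DEPENDABOT_EXTRA_CREDENTIALS carries, taking the secret from the environment
   instead of the committed file and refusing unfilled <PLACEHOLDER> values.
2. Probe the feed with the Basic-auth header a Maven client sends and classify the
   HTTP status, so a 401/403 is caught before the pipeline runs.
Assumptions: the *_URL/_USERNAME/_PASSWORD variable names and the maven-metadata.xml
probe path; the guava coordinates come from the issue's config.
"""
import base64
import json
import os
import re
import urllib.error
import urllib.request

PLACEHOLDER = re.compile(r"<[A-Z_]+>")  # unfilled values such as <MY_PAT> or <ORG_NAME>

# Constructed input mirroring the `registries` section of the issue's dependabot.yml.
REGISTRIES = {
    "maven-azure-devops": {
        "type": "maven-repository",
        "url": "https://pkgs.dev.azure.com/<ORG_NAME>/_packaging/<FEED_NAME>/maven/v1",
        "username": "<MY_USERNAME>",
        "password": "<MY_PAT>",
    }
}

def to_extra_credentials(registries, env):
    """Return the list of credential objects for DEPENDABOT_EXTRA_CREDENTIALS.

    Each field may be overridden from env via <NAME>_URL / _USERNAME / _PASSWORD
    (assumed naming; NAME is the registry key upper-cased with '-' -> '_').
    Raises ValueError if any field still carries an unresolved placeholder.
    """
    creds = []
    for name, reg in registries.items():
        prefix = name.upper().replace("-", "_")
        fields = {
            "url": env.get(f"{prefix}_URL", reg.get("url", "")),
            "username": env.get(f"{prefix}_USERNAME", reg.get("username", "")),
            "password": env.get(f"{prefix}_PASSWORD", reg.get("password", "")),
        }
        for label, value in fields.items():
            if PLACEHOLDER.search(value):
                raise ValueError(f"{name}: {label} still contains an unresolved placeholder")
        # Config spells the type `maven-repository`; the credential object uses `maven_repository`.
        creds.append({"type": reg["type"].replace("-", "_"), **fields})
    return creds

def basic_auth_header(username, password):
    """HTTP Basic header value; with Azure DevOps the PAT is sent as the password."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token

def classify_status(status):
    """Map an HTTP status from the feed to a short diagnosis."""
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "auth-failure"  # wrong/expired PAT, or a PAT without read access to Packaging
    if status == 404:
        return "not-found"  # feed URL or artifact path is wrong; auth itself may be fine
    return "unexpected"

def probe_feed(url, username, password, artifact="com/google/guava/guava",
               opener=urllib.request.urlopen):
    """GET <feed>/<artifact>/maven-metadata.xml with Basic auth and classify the result."""
    req = urllib.request.Request(
        f"{url.rstrip('/')}/{artifact}/maven-metadata.xml",
        headers={"Authorization": basic_auth_header(username, password)},
    )
    try:
        with opener(req, timeout=15) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as err:  # urllib raises for 4xx/5xx
        return classify_status(err.code)

class _FakeResponse:
    """Minimal stand-in for an HTTP response, used only by fake_opener."""
    def __init__(self, status):
        self.status = status
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False

def fake_opener(status):
    """Offline stand-in for urlopen (dry runs); mimics urllib by raising on >= 400."""
    def _open(req, timeout=15):
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "simulated", {}, None)
        return _FakeResponse(status)
    return _open

if __name__ == "__main__":
    if "MAVEN_AZURE_DEVOPS_PASSWORD" in os.environ:  # real run only when the secret is supplied
        creds = to_extra_credentials(REGISTRIES, os.environ)
        os.environ["DEPENDABOT_EXTRA_CREDENTIALS"] = json.dumps(creds)  # for child processes; never log it
        for c in creds:
            print(c["url"], "->", probe_feed(c["url"], c["username"], c["password"]))
    else:
        print("dry run:", probe_feed("https://example.invalid/maven/v1", "bot", "x", opener=fake_opener(401)))
```

Run it in the pipeline step before the dependabot task, with the PAT supplied as a secret variable: an `auth-failure` result points at the PAT (expired, or missing Packaging read scope) rather than at the Dependabot config, while a `not-found` result with a valid PAT points at the feed URL. The script deliberately never prints the credential JSON, since pipeline logs are retained and widely readable.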

Thanks @jeffwidman. We are already using DEPENDABOT_EXTRA_CREDENTIALS for authenticating with the private Azure feed.

We switched to using the .azuredevops\dependabot.yml file for storing all our configuration because of the warning below, which we get during our pipeline run

##[warning]
        Using explicit inputs instead of a configuration file will be deprecated in the next minor release.

        Migrate to using a config file at .azuredevops/dependabot.yml or .github/dependabot.yml.

        See https://github.com/tinglesoftware/dependabot-azure-devops/tree/main/src/extension#usage for more information.

With this we expected that we can move all our configuration to this file, but looks like this does not work with pipelines running in azure devops.

sharadbharadia avatar Jul 27 '22 03:07 sharadbharadia

You'd need to check with the folks at https://github.com/tinglesoftware/dependabot-azure-devops for more info on that warning. It's not something we control.

jeffwidman avatar Sep 01 '22 03:09 jeffwidman