Composer: Updates require access to private repositories? #3628
Comments
|
Thanks for the kind words and clear description of the problem! I think that you'll need to allow Dependabot access to that private git repository that is referenced in the logs you shared. Could you try following these docs and see if that resolves the issue for you? Dependabot-preview automatically had access to a few more things than the native version does, and I think this should resolve it. To answer your questions:
Yes I think ultimately there should be a way to do this without requiring a full download, but at the moment we've not been able to tackle it.
You can do this via the UI in the docs mentioned, I agree it's a bit cumbersome for that many repo's :( but it's a bit better than going through the "grant access" notices.
Currently there isn't, but it's come up before. We may look into this, but I can't offer a timeline of when this would be available/ @asciimike I think we may want to mention this in the migration docs, wdyt? |
|
The migration docs have a callout for private repos, which links to the private repo setup instructions. Happy to clarify them if they're not clear enough. As for the API, totally agree that it's a pain to get a large number over, and we're thinking of some solutions to make it better, as @jurre has said. |
|
If I could grant access to all private repos with a single switch, that would probably be fine for now. Possible to expect before August? |
|
I missed that part of the migration docs before, but it’s completely clear. |
|
@mpdude unsure about it: I think we're looking at providing either a button to migrate all or an API at some point, as it seems to be blocking a lot of larger customers. |
|
I did the manual migration of 96 repos today and noticed something that might be self-evident for you if you know the internals at GitHub, but it was a bit surprising to me: Granting the private repo access to Dependabot is not only necessary so it can perform its internal package update resolutions (which, as I wrote initially, should not even need repo access for Composer packages). It will also enable workflows triggered by Dependabot to install (i.e. |
|
So, if I have this correct from reading this issue: it's required to grant Dependabot access to private repositories which are hosted through Satis? This is unfeasible for a few reasons but the main one is that you don't always own the private repos. For example, in the case of Laravel Nova the repository/composer package is offered through Satis and you get an API token which you can use as a password for Satis in order to download it. I'd expect it to be able to authenticate with the username/password flow of the Is there really no way to allow Dependabot to access a Satis registry other than explicitly adding it to the repo in question? |
|
My initial observation was incomplete and in fact, Dependabot from time to time also accesses the detailed package data in the Satis repository. It seems to try, however, to also download the packages themselves to get additional data. @driesvints In your case, when the Laravel Nova composer registry is accessible with HTTP Basic Auth, I think Dependabot should be able to read the package metadata from there. But do you know how access to the packages themselves is secured? What URLs are provided by the package repository? How are these downloads authenticated? |
|
I'm trying again on a repo with Laravel Nova. Here's the config file I'm using: https://github.com/fullstackbelgium/fullstackbelgium.be/blob/1918171c6762053f3e462b03248a0d6278b43f8f/.github/dependabot.yml I've also tried various variations for the When I run Dependabot PR creation I see the following: I can also see that Dependabot sucessfully retrieved the version listing from Satis (hashes redacted):
I've asked this to my colleague who works on Nova. Hoping to get back to you soon. Thanks for helping out @mpdude! In the meantime I can see that the manifest returns the following for a version: "v3.9.4": {
"name": "laravel/nova",
"version": "v3.9.4",
"version_normalized": "3.9.4.0",
"source": {
"type": "git",
"url": "git@github.com:laravel/nova.git",
"reference": "<redacted>"
},
"dist": {
"type": "zip",
"url": "https://nova.laravel.com/dist/laravel/nova/laravel-nova-<redacted>-zip-348430.zip",
"reference": "<redacted>",
"shasum": "<redacted>"
},I see a 403 page when I visit that url. |
Accessing the page would also require HTTP Basic Auth, but that should be handled by Composer and I guess Dependabot will use it as well when fetching the artifact. |
|
@crynobone any idea then what I'm doing wrong? |
It seem dependabot get the correct dist file but then failed to download it (403 authentication error) and then fallback to GitHub repository where it doesn't have access to. |
|
/cc @asciimike You asked me recently to take that private composer repo issue to the issue tracker here. We found this similar issue and did some digging. There's more info above ^ |
|
Is this still an active issue? As best I can tell from reading through this, the original issue was about migrating from Dependabot-preview to native Dependabot. That has long since been resolved. But now there's a follow-on comments about a different issue, which is private auth struggles with PHP. And I'm unclear if that's still an active problem or now resolved? This is part of why open source maintainers are always saying please file a new issue rather than trying to tag on comments for a semi-related issue... it's just really hard to keep track of things as a maintainer. |
|
I cannot tell for sure – I do not longer use Dependabot for regular updates, but for security-related things only. So I do no longer expect it to notice, update or see changes to my internal packages 🤷🏻 |
|
I have to say I've given up on using Dependabot for regular package updates as well :-/ |
|
Thanks for letting me know. I'm going to close but if you hit this in the future please open an issue and we can work together to figure it out. |
Basic info:
Package ecosystem
Composer/PHP
Package manager version
Locally: 2.0.10
Language version
PHP 7.2.24-0ubuntu0.18.04.7
Manifest location and content prior to update
`/composer.{json,lock}
Updated dependency
Native package manager behavior
Images of the diff or a link to the PR, issue or logs
Due to the usage of a private registry, at this point I am unable to provide those 😥. If really necessary I can see if/how I could provide (partially) redacted ones.
Previous behavior in Dependabot Preview:
I am using a private Composer registry (run with Satis) protected with HTTP Auth. Dependabot Preview was configured to do lockfile updates only and could do so without problems.
FWIW, "Dependabot Preview" was an "Installed GitHub App" at
https://github.com/organizations/my-org/settings/installations, and was configured to have access to all of my org's (private) repositories.Current behavior in GitHub-native Dependabot:
I migrated by means of the automatically provided migration PR (awesome work 💪🏻 , by the way!).
However, updates fail with an error message like
Here are the lines from the update log that mention the package in question:
I can see that access to the private registry was basically configured correctly, as I can see that the user account dedicated for "native" Dependabot successfully fetches the
packages.jsonat the top level URL of the private registry. However, it never makes attempts to fetch any other URLs. That seems odd, since the contents ofpackages.jsonlook like{ "packages": [], "includes": { "include/all$ddb6c5de69f9dbe693aac27bcab7eba3a38b2597.json": { "sha1": "ddb6c5de69f9dbe693aac27bcab7eba3a38b2597" } } }... and so I'd consider additional requests necessary.
Update: It seems there are requests to the other URLs, but only occasionally. Maybe there is some caching in place?
Issue/questions:
My issues/questions are, in order:
composer update --no-installto run only dependency updates without installing any packages at all; which seems to support my hypothesis that the dependency resolution step needs the package metadata only.The text was updated successfully, but these errors were encountered: