
Fixing Azure DevOps NuGet Dependabot config examples #20617

Merged · 2 commits · Sep 20, 2022

Conversation

@joshjohanning (Contributor) commented Sep 14, 2022

Why:

The documentation as is doesn't work with using `token: ${{secrets.MY_AZURE_DEVOPS_TOKEN}}`

You receive a 401 error in the Dependabot logs, as shown below:

```
{:source=>"https://pkgs.dev.azure.com/jjohanning0798/PartsUnlimited/_packaging/nuget-example/nuget/v3/index.json"}
updater | INFO <job_312553835> Checking if Microsoft.Extensions.Logging.Abstractions 2.0.0 needs updating
  proxy | 2022/03/09 22:42:52 [046] GET https://pkgs.dev.azure.com:443/jjohanning0798/PartsUnlimited/_packaging/nuget-example/nuget/v3/index.json
  proxy | 2022/03/09 22:42:52 [046] * authenticating nuget feed request (host: pkgs.dev.azure.com, bearer auth)
  proxy | 2022/03/09 22:42:52 [046] 401 https://pkgs.dev.azure.com:443/jjohanning0798/PartsUnlimited/_packaging/nuget-example/nuget/v3/index.json
updater | INFO <job_312553835> Handled error whilst updating Microsoft.Extensions.Logging.Abstractions: private_source_authentication_failure
```

Others have had this issue, mentioned here: dependabot/dependabot-core#3555

One of the solutions was to add a `:` somewhere in the token to force it to use basic auth, like this:

```yaml
registries:
  nuget-azure-artifacts:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/jjohanning0798/PartsUnlimited/_packaging/nuget-example/nuget/v3/index.json
    token: '${{ secrets.AZURE_DEVOPS_PAT }}:'
```

But instead, username and password is a cleaner and more consistent solution, since that's what the other examples right above it are using:

```yaml
registries:
  nuget-azure-artifacts:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/jjohanning0798/PartsUnlimited/_packaging/nuget-example/nuget/v3/index.json
    username: octocat@example.com
    password: ${{ secrets.AZURE_DEVOPS_PAT }}
```

For tracking purposes, I mistakenly created this as a PR in my repo in March, but I have verified that this is still an issue today. joshjohanning#53

What's being changed:

On the Dependabot version updates configuration page, changing the Azure DevOps examples to use username and password instead of token.

There are two instances of an Azure DevOps Artifact feed being used, and in both cases, it uses the `token` property to authenticate. However, that doesn't work. In lieu of the `token` property being fixed to not have to manually include a `:` somewhere in the `token` property for it to use basic auth to be able to connect, we should just use username and password using the personal access token, like shown in the screenshots below.

Changing this:
(screenshot: the current Azure DevOps examples using `token`)

To:
(screenshot: the same examples using `username` and `password`)

We are still saying that it can use a username and password OR token, though. If we still wanted to show an example of using a token, I suggest we do that for the regular nuget feed url ( https://nuget.example.com/v3/index.json ) and not the Azure DevOps artifact feed url since that doesn't work.

Check off the following:

  • I have reviewed my changes in staging (look for the "Automatically generated comment" and click the links in the "Preview" column to view your latest changes).
  • For content changes, I have completed the self-review checklist.

Writer impact (This section is for GitHub staff members only):

  • This pull request impacts the contribution experience
    • I have added the 'writer impact' label
    • I have added a description and/or a video demo of the changes below (e.g. a "before and after video")
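As an added example (not Dependabot's or GitHub's own code), the following Python models the credential selection this PR describes: a bare `token` goes out as a Bearer header, while a token containing `:` or a `username`/`password` pair goes out as Basic auth. It also parses the proxy log lines quoted above so the `bearer auth` / `401` pairing can be picked out of a Dependabot run. The registry URL, the feed stand-in and the `PAT_PLACEHOLDER` value are constructed for the example; the log lines are the ones from the PR description.

```python
import base64
import re

# Added example, not Dependabot's own code: a model of the credential selection
# this PR describes (a bare `token` goes out as a Bearer header; a token that
# contains ':' or a username/password pair goes out as Basic auth), plus a
# parser for the proxy log lines quoted in the PR. Registry values below are
# constructed; the PAT is a placeholder.

AZURE_FEED = "https://pkgs.dev.azure.com/example-org/example-project/_packaging/example-feed/nuget/v3/index.json"

CONFIGS = {
    # the documented example this PR replaces: a bare PAT in `token`
    "token-only": {"type": "nuget-feed", "url": AZURE_FEED, "token": "PAT_PLACEHOLDER"},
    # the workaround from dependabot/dependabot-core#3555: a colon in the token
    "token-with-colon": {"type": "nuget-feed", "url": AZURE_FEED, "token": "PAT_PLACEHOLDER:"},
    # the form this PR documents instead
    "username-password": {"type": "nuget-feed", "url": AZURE_FEED,
                          "username": "octocat@example.com", "password": "PAT_PLACEHOLDER"},
}


def _basic(userpass: str) -> str:
    return "Basic " + base64.b64encode(userpass.encode()).decode()


def authorization_header(registry: dict) -> str:
    """Header value for one `registries:` entry, after secret substitution."""
    if "username" in registry and "password" in registry:
        return _basic(f"{registry['username']}:{registry['password']}")
    token = registry.get("token")
    if token is None:
        raise ValueError("registry entry needs username/password or token")
    if ":" in token:
        # a colon makes the value look like user:pass, so Basic auth is used
        return _basic(token)
    return f"Bearer {token}"


def basic_credentials(header: str):
    """Decode a Basic header into (username, password); None for other schemes."""
    scheme, _, value = header.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(value).decode().partition(":")
    return user, password


def feed_response(header: str) -> int:
    """Constructed stand-in for the Azure Artifacts feed: a PAT is accepted only
    through Basic auth, so a Bearer header gets the 401 shown in the log."""
    return 200 if header.startswith("Basic ") else 401


def check_configs() -> dict:
    """Status each registry config would get from the feed stand-in."""
    return {name: feed_response(authorization_header(cfg)) for name, cfg in CONFIGS.items()}


# the proxy lines quoted in the PR description
PROXY_LOG = """\
  proxy | 2022/03/09 22:42:52 [046] GET https://pkgs.dev.azure.com:443/jjohanning0798/PartsUnlimited/_packaging/nuget-example/nuget/v3/index.json
  proxy | 2022/03/09 22:42:52 [046] * authenticating nuget feed request (host: pkgs.dev.azure.com, bearer auth)
  proxy | 2022/03/09 22:42:52 [046] 401 https://pkgs.dev.azure.com:443/jjohanning0798/PartsUnlimited/_packaging/nuget-example/nuget/v3/index.json
"""

AUTH_RE = re.compile(r"\[(\d+)\] \* authenticating .*?\(host: ([^,]+), (\w+) auth\)")
STATUS_RE = re.compile(r"\[(\d+)\] (\d{3}) (\S+)")


def failed_auth_requests(log: str) -> list:
    """Pair each proxy request id's auth scheme with its status; return the 401s."""
    schemes, statuses = {}, {}
    for line in log.splitlines():
        if m := AUTH_RE.search(line):
            schemes[m.group(1)] = (m.group(2), m.group(3))
        elif m := STATUS_RE.search(line):
            statuses[m.group(1)] = int(m.group(2))
    return [{"id": rid, "host": schemes[rid][0], "scheme": schemes[rid][1], "status": st}
            for rid, st in statuses.items() if st == 401 and rid in schemes]


if __name__ == "__main__":
    for name, status in check_configs().items():
        print(f"{name}: {authorization_header(CONFIGS[name]).split()[0]} -> {status}")
    print(failed_auth_requests(PROXY_LOG))
```

Decoding the Basic header shows what the feed actually receives: the `'PAT:'` workaround puts the PAT in the username slot with an empty password, while the `username`/`password` form puts it where the Azure Artifacts docs expect it. The log parser keys on the proxy's request id in square brackets, which is what lets the `bearer auth` line be tied to the `401` that follows it.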

@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Sep 14, 2022
github-actions bot (Contributor) commented Sep 14, 2022

Automatically generated comment ℹ️

This comment is automatically generated and will be overwritten every time changes are committed to this branch.

The table contains an overview of files in the content directory that have been changed in this pull request. It's provided to make it easy to review your changes on the staging site. Please note that changes to the data directory will not show up in this table.


Content directory changes

You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.

| Source | Preview | Production | What Changed |
|---|---|---|---|
| code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md | fpt, ghec, ghes@ 3.6 3.5 3.4 3.3 | fpt, ghec, ghes@ 3.6 3.5 3.4 3.3 | |

fpt: Free, Pro, Team
ghec: GitHub Enterprise Cloud
ghes: GitHub Enterprise Server
ghae: GitHub AE

@joshjohanning (Contributor, Author)

If we still wanted to show a username and password example and a token example, I would envision something like this (flipping the two examples around):

    ### `nuget-feed`
    
    The `nuget-feed` type supports username and password, or token.
    
    {% raw %}
    ```yaml
    registries:
      nuget-azure-devops:
        type: nuget-feed
        url: https://pkgs.dev.azure.com/.../_packaging/My_Feed/nuget/v3/index.json
        username: octocat@example.com
        password: ${{secrets.MY_AZURE_DEVOPS_PAT}}
    ```
    {% endraw %}
    
    {% raw %}
    ```yaml
    registries:
      nuget-example:
        type: nuget-feed
        url: https://nuget.example.com/v3/index.json
        password: ${{secrets.MY_NUGET_TOKEN}}
    ```
    {% endraw %}

    ### `python-index`
    
    The `python-index` type supports username and password, or token.
    
    {% raw %}
    ```yaml
    registries:
      python-azure:
        type: python-index
        url: https://pkgs.dev.azure.com/octocat/_packaging/my-feed/pypi/example
        username: octocat@example.com
        password: ${{secrets.MY_AZURE_DEVOPS_PAT}}
        replaces-base: true
    ```
    {% endraw %}

    {% raw %}
    ```yaml
    registries:
      python-example:
        type: python-index
        url: https://example.com/_packaging/my-feed/pypi/example
        token: ${{secrets.MY_PYPI_TOKEN}}
        replaces-base: true
    ```
    {% endraw %}

@cmwilson21 (Contributor)

👋 @joshjohanning Thanks for opening a PR! I'll get it triaged! ⚡

@cmwilson21 cmwilson21 added content This issue or pull request belongs to the Docs Content team waiting for review Issue/PR is waiting for a writer's review dependabot Content related to Dependabot code security Content related to code security and removed triage Do not begin working on this issue until triaged by the team labels Sep 14, 2022
@jeffwidman (Member)

We may want to see how hard it is to simply get the underlying issue fixed, IMO that'd be better from a security perspective than switching away from tokens:

Not sure how hard that is though, I'll take a look...

@joshjohanning (Contributor, Author)

I agree that the best solution is probably to have that bug fixed...

But I'm not sure if it makes any difference from a security perspective, at least in the Azure DevOps example, since Azure DevOps is going to be a Personal Access Token regardless of whether we're able to use token or username and password - it's a PAT that's going to be used for authentication either way.

FWIW, msft docs reference using a username and password to auth to Azure Artifacts, for example, which uses a PAT for the password (and coincidentally, the username field can be anything).

But right now us showing Azure DevOps examples that don't work is not ideal.

@felicitymay (Contributor) left a comment

Thanks for the update

@felicitymay felicitymay enabled auto-merge (squash) September 20, 2022 09:10
@felicitymay felicitymay merged commit 068a4ed into github:main Sep 20, 2022
github-actions bot (Contributor)

Thanks very much for contributing! Your pull request has been merged 🎉 You should see your changes appear on the site in approximately 24 hours. If you're looking for your next contribution, check out our help wanted issues

@jeffwidman (Member)

Sorry for the slow response @joshjohanning, I looked into this more and what you say makes complete sense.

Especially:

> But I'm not sure if it makes any difference from a security perspective, at least in the Azure DevOps example, since Azure DevOps is going to be a Personal Access Token regardless of whether we're able to use token or username and password - it's a PAT that's going to be used for authentication either way.

I didn't realize they accepted the PAT either way.

Thanks again for this!

@joshjohanning (Contributor, Author)

Woot woot! Thanks @jeffwidman

@joshjohanning joshjohanning deleted the patch-7 branch April 17, 2023 16:09