
PAT Authentication in config file #318

Closed
ChrisDoddGit opened this issue Jul 28, 2022 · 4 comments
Labels
question Further information is requested

Comments

@ChrisDoddGit

ChrisDoddGit commented Jul 28, 2022

I have been using Azure Dependabot with my registry for a few months and it has been working well. However, it is now warning that input parameters outside of the config file will be deprecated in the next minor release.

I modified my pipeline to use the config file and it currently looks like this:

schedules:
  - cron: "0 4 * * SAT"
    displayName: 'Weekly Run'
    always: true
    branches:
      include:
        - 'main'

trigger: none

variables:
  DEPENDABOT_EXTRA_CREDENTIALS: '[{"type":"npm_registry","token":"$(DEPENDABOT_PAT)","registry":"SOME_URL"}]' 
pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: CheckDependencies
    displayName: 'Check Dependencies'
    jobs:
      - job: Dependabot
        displayName: 'Run Dependabot'
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - task: dependabot@1
            displayName: 'Run Dependabot - npm'
            inputs:
              useConfigFile: true

While my config file looks like this:

version: 2
registries:
  npm-reg:
    type: npm-registry
    url: some_url
    token: ${{secrets.AZURE_ACCESS_TOKEN}}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-reg
    schedule:
      interval: "weekly"
      day: "Friday"
      time: "20:00"
      timezone: "America/Los_Angeles"
    open-pull-requests-limit: 15
    setAutoComplete: false
    azureDevOpsAccessToken: ${{secrets.AZURE_ACCESS_TOKEN}}
    gitHubAccessToken: ${{secrets.GITHUB_TOKEN}}
    targetBranch: 'develop'
    openPullRequestsLimit: 15

With environment variables $(DEPENDABOT_PAT) / $(GITHUB_TOKEN) stored in the Azure pipeline.

Unfortunately, when I migrate the inputs to the config file, I am receiving the following permissions error:
Dependabot::Clients::Azure::Forbidden (Dependabot::Clients::Azure::Forbidden)

This is likely because the extra credentials are not 'read in' to the config file.

I have tried all relevant suggestions here: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry

And was unsuccessful; I still can't get these credentials to be accepted by the config file. This is not great, as this needs to be fixed before the next minor release!

Any suggestions appreciated.

@mburumaxwell
Contributor

@ChrisDoddGit ,

The tokens are not configured in the configuration file; instead, set them in the task.

Other things not supported in the configuration file:

  1. registries; instead use DEPENDABOT_EXTRA_CREDENTIALS environment variable.
  2. schedule; instead configure your pipeline schedule accordingly.

Your pipeline yaml:

schedules:
  - cron: "0 4 * * SAT"
    displayName: 'Weekly Run'
    always: true
    branches:
      include:
        - 'main'

trigger: none

variables:
  DEPENDABOT_EXTRA_CREDENTIALS: '[{"type":"npm_registry","token":"$(DEPENDABOT_PAT)","registry":"SOME_URL"}]' 
pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: CheckDependencies
    displayName: 'Check Dependencies'
    jobs:
      - job: Dependabot
        displayName: 'Run Dependabot'
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - task: dependabot@1
            displayName: 'Run Dependabot - npm'
            inputs:
              useConfigFile: true
              setAutoComplete: false
              azureDevOpsAccessToken: $(<NAME-OF-AZURE-DEVOPS-ACCESS-TOKEN-ENV-VARIABLE>)
              gitHubAccessToken: $(<NAME-OF-GITHUB-ACCESS-TOKEN-ENV-VARIABLE>)

Your configuration file:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    open-pull-requests-limit: 15
    target-branch: 'develop'

Note that targetBranch should be target-branch in the configuration file.

This should now work. I will proceed to close the issue; reopen if it persists.
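The answer above keeps registry tokens out of the committed configuration file and passes them through the pipeline's DEPENDABOT_EXTRA_CREDENTIALS variable instead. The original report's Forbidden error is what you get when the value handed to the task does not carry a real token, for example when a placeholder such as ${{secrets.NAME}} (GitHub Actions syntax, never expanded by an Azure pipeline) or an unexpanded $(NAME) macro reaches the task as literal text. The following pre-flight check is an added example and is not code from the issue, the dependabot-azure-devops extension or Dependabot itself; it assumes the credentials value is a JSON array of objects with "type", "registry" and "token" keys, as in the pipeline YAML above, and that the secret has already been mapped into the environment variable named DEPENDABOT_PAT (secret pipeline variables are not exposed to scripts unless mapped explicitly with env:). It builds the JSON with json.dumps so quoting inside the single-quoted YAML string cannot corrupt it, and reports problems without ever echoing a token value.

```python
"""Pre-flight validation for a DEPENDABOT_EXTRA_CREDENTIALS value.

Added example for this issue; not part of the extension. Assumes the
credentials are a JSON array of {"type", "registry", "token"} objects and
that the secret has been mapped into an environment variable before use.
"""
import json
import os
import re
import sys

# An Azure Pipelines macro ($(NAME)) or a GitHub Actions expression
# (${{ ... }}) still present in a token means the secret was never
# substituted and the literal placeholder would be sent as the credential.
UNEXPANDED = re.compile(r"\$\(\s*[A-Za-z_][A-Za-z0-9_]*\s*\)|\$\{\{.*?\}\}")
REQUIRED_KEYS = {"type", "registry", "token"}


def build_extra_credentials(entries):
    """Serialize credential objects as compact JSON (safe to embed in YAML)."""
    return json.dumps(list(entries), separators=(",", ":"))


def credentials_from_env(registry, token_var="DEPENDABOT_PAT", environ=None):
    """Build the npm_registry credential from a secret exposed as an env var.

    `environ` may be supplied for testing; defaults to the real environment.
    """
    env = os.environ if environ is None else environ
    token = env.get(token_var, "")
    return build_extra_credentials(
        [{"type": "npm_registry", "registry": registry, "token": token}]
    )


def validate_extra_credentials(raw):
    """Return a list of problems; an empty list means the value is usable.

    Token values are never included in the returned messages.
    """
    try:
        creds = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"value is not valid JSON: {exc.msg} at offset {exc.pos}"]
    if not isinstance(creds, list):
        return ["top-level value must be a JSON array of credential objects"]

    problems = []
    for i, entry in enumerate(creds):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: not a JSON object")
            continue
        missing = REQUIRED_KEYS - entry.keys()
        if missing:
            problems.append(f"entry {i}: missing keys {sorted(missing)}")
        token = entry.get("token", "")
        if not isinstance(token, str) or not token:
            problems.append(f"entry {i}: token is empty")
        elif UNEXPANDED.search(token):
            problems.append(f"entry {i}: token still contains an unexpanded placeholder")
        registry = entry.get("registry", "")
        if isinstance(registry, str) and registry.startswith("http://"):
            # A plain-http registry would transmit the token in clear text.
            problems.append(f"entry {i}: registry uses plain http; use https")
    return problems


if __name__ == "__main__":
    # Typical use: run as a step before dependabot@1 with the variable mapped.
    issues = validate_extra_credentials(os.environ.get("DEPENDABOT_EXTRA_CREDENTIALS", ""))
    for line in issues:
        print(f"##[error]{line}")
    sys.exit(1 if issues else 0)
```

Run it as a script step immediately before the dependabot@1 task, with DEPENDABOT_EXTRA_CREDENTIALS passed via env:, so a missing or unexpanded secret fails the job with a readable message instead of a Forbidden error from the registry.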

@mburumaxwell mburumaxwell added the question Further information is requested label Sep 19, 2022
@ChrisDoddGit
Author

ChrisDoddGit commented Jan 13, 2023

Hello @mburumaxwell

With the latest version of dependabot, it is now giving me the following warning:

##[warning]Using 'DEPENDABOT_EXTRA_CREDENTIALS' is not recommended when using a config file. Specify the same values in the registries section of .github/dependabot.yml file.

Isn't this the opposite of the previous warning which this issue was recently opened for?
"warning that input parameters outside of the config file will be deprecated in the next minor release."

Could you please provide an updated response, as I would like this pipeline to run without warnings.

Thank you.

@mburumaxwell
Contributor

mburumaxwell commented Jan 14, 2023

You should instead use the registries node in the configuration file.
The support was added in the last couple of months.

@mburumaxwell
Contributor

See #367
