Dodd-learning

Reputation: 118

Azure devops NPM Authentication in dependabot.yml

I currently have the following pipeline working:

schedules:
  - cron: "0 20 * * FRI"
    displayName: 'Weekly Run'
    always: true
    branches:
      include:
        - 'develop'

trigger: none

variables:
  DEPENDABOT_EXTRA_CREDENTIALS: '[{"type":"npm_registry","token":"$(DEPENDABOT_PAT)","registry":"SOME_URL"}]' # put the credentials for private registries and feeds
pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: CheckDependencies
    displayName: 'Check Dependencies'
    jobs:
      - job: Dependabot
        displayName: 'Run Dependabot'
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - task: dependabot@1
            displayName: 'Run Dependabot - npm'
            inputs:
              useConfigFile: false
              packageManager: 'npm'
              setAutoComplete: false
              azureDevOpsAccessToken: $(DEPENDABOT_PAT)  # env variable 
              gitHubAccessToken: $(GITHUB_TOKEN)  # env variable
              targetBranch: 'develop'
              openPullRequestsLimit: 15

However, it has started giving the following warning: "Using explicit inputs instead of a configuration file will be deprecated in the next minor release. Migrate to using a config file at .azuredevops/dependabot.yml or .github/dependabot.yml."

I have added the config file per the docs: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries

with my config file looking like this:

version: 2
registries:
  npm-reg:
    type: npm-registry
    url: https://pkgs.dev.azure.com/BC-SDPR-Research/_packaging/Research/npm/registry/
    token: ${{secrets.AZURE_ACCESS_TOKEN}}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-reg
    schedule:
      interval: "weekly"
      day: "Friday"
      time: "20:00"
      timezone: "America/Los_Angeles"
    open-pull-requests-limit: 15
    setAutoComplete: false
    azureDevOpsAccessToken: ${{secrets.AZURE_ACCESS_TOKEN}}
    gitHubAccessToken: ${{secrets.GITHUB_TOKEN}}
    targetBranch: 'develop'
    openPullRequestsLimit: 15

I have tried everything, and I am still getting the error: Dependabot::Clients::Azure::Forbidden (Dependabot::Clients::Azure::Forbidden)

This is likely generated due to authentication with my npm registry.

Any help would be greatly appreciated.

Thanks

Upvotes: 3

Views: 1592

Answers (4)

froeschli

Reputation: 2880

As per the documentation, the key must match between dependabot.yml and nuget.config; otherwise the package source will be duplicated, package source mappings will be ignored, and auth errors will occur during dependency discovery.

If your nuget.config looks like this:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="my-organisation1-nuget" value="https://dev.azure.com/my-organization/_packaging/my-nuget-feed/nuget/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="my-organisation1-nuget">
      <package pattern="Organisation.*" />
    </packageSource>
  </packageSourceMapping>
</configuration>

Then your dependabot.yml registry should look like this:

version: 2
registries:
  my-org:
    type: nuget-feed
    key: my-organisation1-nuget
    url: https://dev.azure.com/my-organization/_packaging/my-nuget-feed/nuget/v3/index.json
    token: PAT:${{ MY_DEPENDABOT_ADO_PAT }}

Upvotes: 0

Gioce90

Reputation: 623

I see you are using a token instead of a password. In this case you have to use this recommendation for Azure DevOps:

token: PAT:${{AZURE_ACCESS_TOKEN}}

So, don't use the secrets prefix, and generate your PAT with Packaging Read permission. Whoever generates the PAT must be a Contributor.

Of course the PAT value should be put in a secret variable called (following your example) AZURE_ACCESS_TOKEN, in the pipeline calling the dependabot task.

Upvotes: 0

Dodd-learning

Reputation: 118

The Azure Dependabot Docs and authentication method have been updated:

version: 2
registries:
  communities:
    type: npm-registry
    token: PAT:${{DEPENDABOT_PAT}}
    url: pkgs.dev.azure.com/BC-SDPR-Research/_packaging/Research/npm/registry/

Works great, per docs: https://github.com/tinglesoftware/dependabot-azure-devops

Upvotes: 0

cmousset

Reputation: 795

Based on this post and on this GitHub issue comment, we can't use the token property; instead, use the username and password properties, with the PAT used as the password.

registries:
  npm-reg:
    type: npm-registry
    url: https://pkgs.dev.azure.com/<org>/<id>/_packaging/<feed-name>/npm/registry/
    username: <username> # I am not 100% sure that this value HAS to match the PAT...
    password: ${{secrets.DEVOPS_PAT}} # this is the non-base64 encoded PAT

Upvotes: 0
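A small pre-flight checker, added here and not taken from any of the answers or from the dependabot-azure-devops project, that encodes the rules the answers converge on: froeschli's point that a nuget-feed `key` must match a `packageSources` key in nuget.config, and the `PAT:${{VAR}}` token form without the `secrets.` prefix from Gioce90's answer and the self-answer (or, per cmousset, username plus password). The registry entries, the nuget.config text and the variable names below are constructed samples standing in for a parsed `registries:` block.

```python
import re
import xml.etree.ElementTree as ET

# Constructed nuget.config, modelled on the one in the NuGet answer above.
NUGET_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="my-organisation1-nuget" value="https://dev.azure.com/my-organization/_packaging/my-nuget-feed/nuget/v3/index.json" />
  </packageSources>
</configuration>"""

# Constructed registries, as dicts standing in for the parsed `registries:` block of dependabot.yml.
REGISTRIES = {
    "npm-reg": {"type": "npm-registry",                      # the questioner's failing form
                "url": "https://pkgs.dev.azure.com/org/_packaging/feed/npm/registry/",
                "token": "${{secrets.AZURE_ACCESS_TOKEN}}"},
    "communities": {"type": "npm-registry",                  # the form the self-answer reports working
                    "url": "pkgs.dev.azure.com/org/_packaging/feed/npm/registry/",
                    "token": "PAT:${{DEPENDABOT_PAT}}"},
    "my-org": {"type": "nuget-feed", "key": "my-organisation-nuget",   # key deliberately off by one char
               "url": "https://dev.azure.com/my-organization/_packaging/my-nuget-feed/nuget/v3/index.json",
               "token": "PAT:${{ MY_DEPENDABOT_ADO_PAT }}"},
}

# Accepted shape: PAT: prefix, then a variable reference without a secrets. namespace.
PAT_TOKEN = re.compile(r"^PAT:\$\{\{\s*[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")

def nuget_source_keys(xml_text: str) -> set:
    """Return the <add key=...> names declared under <packageSources> in a nuget.config."""
    root = ET.fromstring(xml_text)
    return {add.get("key") for add in root.findall("./packageSources/add")}

def lint_registry(name: str, reg: dict, nuget_keys: set) -> list:
    """Apply the page's rules to one registries: entry and return human-readable findings."""
    findings = []
    is_ado = "dev.azure.com" in reg.get("url", "")
    token = reg.get("token")
    if token and "secrets." in token:
        findings.append(f"{name}: token uses the secrets. prefix; reference the variable directly")
    elif is_ado and token and not PAT_TOKEN.match(token):
        findings.append(f"{name}: Azure DevOps token should have the form PAT:${{{{VARIABLE}}}}")
    if is_ado and not token and not ("username" in reg and "password" in reg):
        findings.append(f"{name}: Azure DevOps registry needs a token or username+password")
    if reg.get("type") == "nuget-feed" and reg.get("key") not in nuget_keys:
        findings.append(f"{name}: key {reg.get('key')!r} matches no packageSources key {sorted(nuget_keys)}")
    return findings

def lint_all(registries=REGISTRIES, xml_text=NUGET_CONFIG) -> list:
    keys = nuget_source_keys(xml_text)
    return [f for name, reg in registries.items() for f in lint_registry(name, reg, keys)]

if __name__ == "__main__":
    print("\n".join(lint_all()))
```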
