Dependabot is giving a 401 error trying to generate a security update PR from a private scope #5885
Comments
@jurre I'm not sure if you had enabled the newer version of dependabot in this repo that might be causing this issue:
@scottdickerson yeah it is indeed enabled for that repo, it looks like there are two things you'll need to do to get Dependabot to run smoothly on this repo:
For context, Dependabot does not have direct access to these credentials, instead they are injected by a job-specific proxy that these requests are routed through. We'll publish some documentation about the yarn environment variables, because it's not immediately clear that this is required, but hopefully this should get you going for now.
@jurre I THINK I set the configuration as you're suggesting but now it's failing earlier for me trying to fetch the public registry packages:
That package should be in the main registry not in the github.com npm registry
And here is my dependabot.yml
It seems like I need to somehow tell dependabot to use the
One interesting thing in the logs is that it seems smart enough to check the public and private registries for the dependency with security vulnerabilities
I also had to remove the
Thanks @scottdickerson, I or @pavera will take a look at this next week! I can't see the Actions logs fwiw, but surprising that just providing a default value would break anything!? Would you be able to share the package.json and yarn.lock files for this project?
@scottdickerson any other way we could try and reproduce the issue maybe? Curious also; why do you have the
@scottdickerson I've deployed at least a partial fix for this, would you be able to give it another try and let me know the results?
Absolutely, thank you @pavera
It appears to still be failing for us @pavera when dependabot checks for upgrades: https://github.com/Contrast-Security-Inc/skeletor/network/updates/489341448
OK, I think I see the issue here. The
Apologies for the earlier guidance; this explains why it was breaking locally/in CI, because the :-bypass needs to be inside the variable expansion brackets. You were getting If you can give it another shot with the above
It worked, thank you for the help! @pavera
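The configuration shape the thread converges on, shown as an added example rather than the reporter's actual file: the scope name and registry URL are assumptions, while GH_API_ACCESS_TOKEN and the "bypass" fallback come from the discussion above.

```yaml
# Added example, not the reporter's own .yarnrc.yml.
# The scope name "my-org" and the registry URL are assumptions.

# Broken form implied by the thread: the ":-bypass" fallback sits outside the
# ${...} expansion, so Yarn resolves GH_API_ACCESS_TOKEN with no default and
# the config fails wherever the variable is unset (local dev, CI).
#
# npmScopes:
#   my-org:
#     npmRegistryServer: "https://npm.pkg.github.com"
#     npmAuthToken: "${GH_API_ACCESS_TOKEN}:-bypass"

# Corrected form: the fallback lives inside the brackets, so the value resolves
# to "bypass" when the variable is missing and to the real token when it is set.
# Dependabot never sees the raw secret; its job-specific proxy injects the
# registry credential on the way out, so the config only needs to parse cleanly
# without the variable present.
npmScopes:
  my-org:
    npmRegistryServer: "https://npm.pkg.github.com"
    npmAuthToken: "${GH_API_ACCESS_TOKEN:-bypass}"
```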
Is there an existing issue for this?
Package ecosystem
yarn
Package manager version
v3
Language version
No response
Manifest location and content before the Dependabot update
/package.json
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
Dependabot is not able to generate a security fix PR because it gets a 401 unauthorized trying to pull dependent packages from our organization scoped private registry.
I see an obvious error about an environment variable missing in the logs below.
This is correct: to access and install from my private repo I do need a GH_API_ACCESS_TOKEN environment variable to be set. I'm using it in both my .yarnrc.yml file and my .npmrc file:
I do actually have a secret set for dependabot here
But somehow I need to pass this to dependabot as an environment variable from my secrets.
#4660
Native package manager behavior
yarn install works correctly for us.
Images of the diff or a link to the PR, issue, or logs
https://github.com/Contrast-Security-Inc/skeletor/security/dependabot/19/update-logs/275319909
I see a really good error here
https://github.com/Contrast-Security-Inc/skeletor/network/updates/483358113
Smallest manifest that reproduces the issue
No response