Support for NuGet feed credentials with only username/password in repository_finder and metadata_finder

[rhyskoedijk]

What are you trying to accomplish?

Fix #10357.

When running the updater outside of the GitHub environment, the following should work without throwing 401 errors:

LOCAL_CONFIG_VARIABLES='[{"type":"nuget_feed","password":"*****","url":"https://pkgs.dev.azure.com/rhyskoedijk/Dependabot/_packaging/Private-NuGet/nuget/v3/index.json"},{"type":"nuget_feed","username":"*****","password":"*****","url":"https://nuget.telerik.com/v3/index.json"}]'
bin/dry-run.rb nuget rhyskoedijk/dependabot-tests --dir="/NetFx-PrivateFeeds" --dep="Telerik.Reporting"

version: 2
registries:
  private-devops:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/rhyskoedijk/Dependabot/_packaging/Private-NuGet/nuget/v3/index.json
    password: ${{secrets.PRIVATE_AZURE_DEVOPS_FEED_PAT}}
  telerik:
    type: nuget-feed
    url: https://nuget.telerik.com/v3/index.json
    username: ${{secrets.TELERIK_USERNAME}}
    password: ${{secrets.TELERIK_PASSWORD}}
updates:
  - package-ecosystem: "nuget"
    directory: "/NetFx-PrivateFeeds"
    registries: "*"

Documentation on configuration options for private registries and #8927 (comment) suggest nuget-feed registries using username/password should work, but they don't; See #10357 for detailed logs.

I understand that there might be some magic sauce happening within the GitHub environment and maybe I'm missing something obvious here. Other package mangers currently consider username/password in registry auth, but not NuGet. e.g.

• Docker registry auth with username/password
• Maven registry auth with username/password

Anything you want to highlight for special attention from reviewers?

Is there is a better way to pass username/password auth to the updater? If yes, can it be used when running dependabot-core outside of the GitHub environment?

I'm not very experienced with RSpec, so any advice on the unit tests would be appreciated.

How will you know you've accomplished your goal?

The above configuration doesn't throw 401 errors during updates.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[rhyskoedijk]

After doing some more research, it turns out that this code is deprecated and shouldn't really exist anymore.
Authentication is now handled by the proxy wrapper.

The existing "token" code in repository_finder and metadata_finder should probably be deleted given the initiative to remove auth from dependabot-core, it just creates confusion.