Dependabot::PrivateSourceAuthenticationFailure with ADO, Azure Artifacts, and an NPM registry #1047

Closed
josephsap opened this issue Mar 20, 2024 · 3 comments

@josephsap

My team is unable to get Dependabot to authenticate into our private Azure Artifacts NPM registry. No matter what token configuration we try, it's always the same error:

🌍 --> GET https://{orgname}.pkgs.visualstudio.com/_packaging/{project}/npm/registry/private-package-name

🌍 <-- 401 https://{orgname}.pkgs.visualstudio.com/_packaging/{project}/npm/registry/private-package-name

/home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.247.0/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:335:in `check_npm_response': The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): {orgname}.pkgs.visualstudio.com/_packaging/{project}/npm/registry (Dependabot::PrivateSourceAuthenticationFailure)

from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.247.0/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:294:in `fetch_npm_details'

Setup: I have a repo in Azure DevOps, a private NPM registry on Azure Artifacts, and I'm using the Tingle Software extension. The project is a Lerna and Yarn 1.2 workspaces repo.

.npmrc file:

@orgName:registry=https://{orgName}.pkgs.visualstudio.com/_packaging/{project}/npm/registry/
@orgName:always-auth=true

My .azuredevops/dependabot.yml file:

version: 2

updates:
  - package-ecosystem: 'npm'
    directory: "/src/packages/react-components"
    target-branch: 'master'
    registries:
      - npm-azure-artifacts-1

registries:
  npm-azure-artifacts-1:
    type: npm-registry
    url: 'https://{companyName}.pkgs.visualstudio.com/_packaging/{name}/npm/registry/'
    token: ':${{System.AccessToken}}'

dependabot.yml:

trigger: none
schedules:
  - cron: "0 2 * * 1" # Weekly on Monday at 2am UTC
    always: true # run even when there are no code changes
    branches:
      include:
        - master
    batch: true
    displayName: Weekly dependency update from Dependabot

pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)

steps:
- task: dependabot@1
  displayName: 'Run Dependabot'

We have tried many, many variations on the token, and using a username and password. We are always using a variation of System.AccessToken.

For example,
'$(System.AccessToken):'
'PAT:${{SYSTEM_ACCESSTOKEN}}'
'PAT:${{AZURE_ARTIFACTS_TOKEN}}:' (this is an env variable).

Here is the full error message

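An offline pre-flight check for the configuration described in this post, as an added example (not code from Dependabot or the Tingle Software extension): it flags a token that still carries a literal `${{ }}` or `$( )` placeholder and a registry URL that matches no scoped registry in `.npmrc`. The org and feed names are constructed, all function names are hypothetical, and the Basic-versus-Bearer rule in `auth_header` is an assumption about how the updater turns the token into a header.

```ruby
require "uri"

# Placeholder syntaxes that should have been substituted before the token is used.
PLACEHOLDER = /\$\{\{[^}]*\}\}|\$\([^)]*\)/

# Constructed sample .npmrc (org and feed names are made up).
SAMPLE_NPMRC = <<~NPMRC
  @example:registry=https://example-org.pkgs.visualstudio.com/_packaging/example-feed/npm/registry/
  @example:always-auth=true
NPMRC

# Scoped registry lines of an .npmrc, as { "@scope" => "url" }.
def npmrc_registries(text)
  text.scan(/^(@[^:\s]+):registry=(\S+)$/).to_h
end

# Reduce a registry URL to host + path so scheme, case and trailing "/" do not matter.
def normalize(url)
  uri = URI.parse(url.include?("://") ? url : "https://#{url}")
  "#{uri.host.to_s.downcase}#{uri.path.chomp('/')}"
end

# Assumption: a token containing ":" is sent as HTTP Basic, anything else as Bearer.
def auth_header(token)
  return "Basic #{[token].pack('m0')}" if token.include?(":")

  "Bearer #{token}"
end

# Offline findings for one registry credential; an empty list means no obvious mistake.
def lint_credential(npmrc_text, registry_url, token)
  findings = []
  leftover = token.scan(PLACEHOLDER)
  findings << "token still contains #{leftover.join(', ')}" unless leftover.empty?
  wanted = normalize(registry_url)
  unless npmrc_registries(npmrc_text).values.any? { |r| normalize(r) == wanted }
    findings << "no .npmrc registry matches #{wanted}"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  url = "https://example-org.pkgs.visualstudio.com/_packaging/example-feed/npm/registry/"
  [':${{System.AccessToken}}', '$(System.AccessToken):', ":constructed-token"].each do |t|
    puts "#{t.inspect}: #{lint_credential(SAMPLE_NPMRC, url, t).inspect}"
  end
end
```

An empty result only rules out these two mistakes; a 401 can still come from a token that lacks read permission on the feed.
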
@ChrisDoddGit

Similarly, it seems no matter what we try, authentication fails.

@SeMuell

SeMuell commented Apr 5, 2024

I don't know if it is related to #921. But maybe it works if you downgrade Dependabot to version 1.24.

@mburumaxwell
Contributor

mburumaxwell commented Jun 8, 2024

NuGet issues should now be fixed except maybe for this one tracked by dependabot/dependabot-core#8927

Unfortunately, there is no easy way to help with authentication problems because security is a bit complex, especially with Azure DevOps.
However, there are lots of other issues about authentication and authorization that offer information. Maybe spend some time reading through them?
https://github.com/search?q=repo%3Atinglesoftware%2Fdependabot-azure-devops+authentication++&type=issues&state=closed

@mburumaxwell closed this as not planned on Jun 8, 2024