[🚧] Dependabot 0.14 problem with credentials for private nuget feed in azure devops pipeline

Hi guys, Sorry for late reply, a lot of other work came up. I have just tested this and it works perfectly fine on my end. I also thought I’d share my setup with anyone that wants a nice a clean setup for this.

Azure DevOps YAML Pipelines: Pipeline name must follow this pattern: Dependabot - name.of.your.repo

It’s easy to setup, you create a template for pipeline and populate your repos with configs. Then just manage them form devops pipeline page via the name of your repo, and a one variables that you setup in the UI.

• Dependabot.GitHubAccessToken (just a github access token so that you can pull the docker image from github public repo without problems. Best to put it in a variable group and add to the pipeline definition below)

trigger: none # Disable CI trigger
schedules:     # Use weekly schedule instead
  - cron: '0 7 * * 1' # on Mondays at 7am UTC
    always: true # run even when there are no code changes
    branches:
      include:
        - 'main'
    batch: true
    displayName: 'on Mondays'

variables:
  - name: Repository
    value: ${{ replace(variables['Build.DefinitionName'],'Dependabot - ', '') }}

stages:
  - stage: CheckDependencies
    displayName: 'Check Dependencies'
    jobs:
      - job: Dependabot
        displayName: 'Dependabot'
        pool:
          # Only works with MacOS and Linux
          vmImage: 'ubuntu-latest' 
        steps:
          # This step authenticates your agent user/context to use this repo/REST API
          - checkout: git://your_project_name/${{ variables.Repository }}

          # Creates $(VSS_NUGET_ACCESSTOKEN) for Private feeds
          - task: NuGetAuthenticate@1
            displayName: 'NuGet Private Feed Authentication'

          - task: dependabot@1
            displayName: 'Run Dependabot'
            inputs:
              setAutoComplete: true
              mergeStrategy: '1'
              gitHubAccessToken: '$(Dependabot.GitHubAccessToken)'
              azureDevOpsAccessToken: '$(System.AccessToken)'
              targetRepositoryName: '${{ variables.Repository }}'

And the /.github/dependabot.yml

• it doesn’t need the schedule block in here.

version: 2
updates:
- package-ecosystem: "nuget" # See documentation for possible values
  directory: "/" # Location of package manifests
  milestone: 6809 # work item identifier 
  open-pull-requests-limit: 1
  reviewers:
  - "email@example.com"
registries:
  private-nuget:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/your_org/your_project/_packaging/feed_name/nuget/v3/index.json
    token: '${{VSS_NUGET_ACCESSTOKEN}}'

@jakubtrebacz-dev thanks for reporting back. However, a number of things in your sample may end up misleading others. Just to clarify:

1. As of today reviewers are specified as user identifiers and not emails
2. mergeStrategy input no longer supports integer inputs. Instead it should strings, e.g. squash
3. NuGetAuthenticate task is not required to get private feeds to work.
4. Your sample appears to show a pipeline template but not how it is referenced by the final pipeline. Templates don’t allow triggers and pipelines don’t allow the ${{...}} notations. Unless this has changed.

The rest of it seems okay.

Hi @mburumaxwell

1. I have tried both emails and aliases in DevOps portal, I’m not sure what you mean by identifiers - if you mean the AAD ID then I’d rather use a repo policy to manage this like in the past. I don’t see why email would be inappropriate, it’s unique and easiest way to identify people in DevOps portal.
2. Fair point, thanks
3. With max security setup in DevOps I still need this task to generate a token (I’m 100% sure it didn’t work without it last time I checked). I guess it might work if you leave the security controls on default, or disable them. I think it’s the same as the -checkout task, if you don’t checkout the repo the agent can’t access that repo even through the API to read the dependabot.yaml file.
4. It’s a “template” as is I put this in a repo with templates as an actual pipeline. From my point of view it is a template if it’s reusable, only thing you need to do is just make sure the pipeline name follows the example “Dependabot - your.repo.name” and you add the github token as variable. It is not an actual YAML pipeline template you right. For this sort of use case I decided that this is easier to manage when you got 20 code repos and still growing.

Thanks 👍🏻