dependabot unable to Azure Container Registry

Context: We have a list of modules which are using a base image stored in Azure Container Registry. We are using the dependabot azure-devops extension for our module repos to keep dependencies and the base image up to date.

Issue: Dependency updating works fine except for the base-image case, where we get an error 401.

Pipeline run stacktrace: Here DEPENDABOT_EXTRA_CREDENTIALS is missing the ACR username and password, which supposedly should come from environment variables.

/usr/bin/docker run --rm -i -e GITHUB_ACCESS_TOKEN=*** \
-e DEPENDABOT_PACKAGE_MANAGER=docker \
-e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=10 \
-e DEPENDABOT_DIRECTORY=/ 
-e DEPENDABOT_MILESTONE=115080 \
-e DEPENDABOT_EXTRA_CREDENTIALS=[{"type":"docker_registry","url":null,"registry":"<redacted>.azurecr.io","username":"${{ ACR_USERNAME }}","password":"${{ ACR_PASSWORD }}"}]*
-e DEPENDABOT_FAIL_ON_EXCEPTION=true \
-e AZURE_ORGANIZATION=<redacted> 
-e AZURE_PROJECT=<redacted> 
-e AZURE_REPOSITORY=<redacted> \
-e AZURE_ACCESS_TOKEN=*** \
-e AZURE_MERGE_STRATEGY=squash \
-e ACR_USERNAME="AzureDevopsDependabot" \
-e ACR_PASSWORD="***" \
-e AZURE_HOSTNAME=dev.azure.com \
-e DEPENDABOT_FAIL_ON_EXCEPTION=false \
tingle/dependabot-azure-devops:0.14

.....
/home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:251:in `rescue in tags_from_registry': The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): acrdevdvlgenobawe01iothubacr.azurecr.io (Dependabot::PrivateSourceAuthenticationFailure)
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:236:in `tags_from_registry'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:175:in `comparable_tags_from_registry'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:148:in `fetch_latest_version'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:269:in `doreq'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:26:in `doget'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:80:in `tags'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:241:in `tags_from_registry'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:175:in `comparable_tags_from_registry'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:148:in `fetch_latest_version'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:110:in `version_tag_up_to_date?'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:97:in `version_up_to_date?'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-common-0.215.0/lib/dependabot/update_checkers/base.rb:33:in `up_to_date?'
	from ./update-script.rb:539:in `block in <main>'
	from ./update-script.rb:503:in `each'
	from ./update-script.rb:503:in `<main>'
/home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/abstract_response.rb:249:in `exception_with_response': 401 Unauthorized (RestClient::Unauthorized)
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/abstract_response.rb:129:in `return!'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:836:in `process_result'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:743:in `block in transmit'
	from /usr/local/lib/ruby/3.1.0/net/http.rb:966:in `start'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:727:in `transmit'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:163:in `execute'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:63:in `execute'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:367:in `authenticate_bearer'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:330:in `do_bearer_req'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:293:in `rescue in doreq'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:269:in `doreq'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:26:in `doget'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:80:in `tags'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:241:in `tags_from_registry'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:175:in `comparable_tags_from_registry'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:148:in `fetch_latest_version'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:110:in `version_tag_up_to_date?'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:97:in `version_up_to_date?'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-common-0.215.0/lib/dependabot/update_checkers/base.rb:33:in `up_to_date?'
	from ./update-script.rb:539:in `block in <main>'
	from ./update-script.rb:503:in `each'
	from ./update-script.rb:503:in `<main>'
/home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/abstract_response.rb:249:in `exception_with_response': 401 Unauthorized (RestClient::Unauthorized)
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/abstract_response.rb:129:in `return!'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:836:in `process_result'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:743:in `block in transmit'
	from /usr/local/lib/ruby/3.1.0/net/http.rb:966:in `start'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:727:in `transmit'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:163:in `execute'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:63:in `execute'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:275:in `doreq'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:26:in `doget'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:80:in `tags'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:241:in `tags_from_registry'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:175:in `comparable_tags_from_registry'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:148:in `fetch_latest_version'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:110:in `version_tag_up_to_date?'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:97:in `version_up_to_date?'
	from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-common-0.215.0/lib/dependabot/update_checkers/base.rb:33:in `up_to_date?'
	from ./update-script.rb:539:in `block in <main>'
	from ./update-script.rb:503:in `each'
	from ./update-script.rb:503:in `<main>'

Configuration: We have this config at github/dependabot.yml for each repo.

version: 2
updates:

- package-ecosystem: "pip"
  directory: "/"
  open-pull-requests-limit: 10
  milestone: 115080

- package-ecosystem: "docker"
  directory: "/"
  open-pull-requests-limit: 10
  milestone: 115080

registries:
  ob-acr:
    type: docker-registry
    url: <redacted>.azurecr.io
    username: ${{ ACR_USERNAME }}
    password: ${{ ACR_PASSWORD }}

Azure Pipelines job template definition; here we provided the ACR username & password as extra environment variables:

parameters:
  - name: repos
    type: object
    default: []
  - name: acrUsername
    type: string
  - name: acrPassword
    type: string

steps:
- ${{ each repo in parameters.repos }}:

  - task: dependabot@1
    displayName: ${{ repo }}
    inputs:
      useConfigFile: true
      extraEnvironmentVariables: 'ACR_USERNAME="${{ parameters.acrUsername }}";ACR_PASSWORD="${{ parameters.acrPassword }}";AZURE_HOSTNAME=dev.azure.com;DEPENDABOT_FAIL_ON_EXCEPTION=false'
      versioningStrategy: 'auto'
      targetRepositoryName: ${{ repo }}
      gitHubAccessToken: $(GIT_PAT)
      abandonUnwantedPullRequests: false
    continueOnError: true

Issue Analytics

  • State:closed
  • Created 7 months ago
  • Comments:5 (3 by maintainers)

Top GitHub Comments

1 reaction
mburumaxwell commented, Feb 7, 2023

I’m glad it worked. No, there is really no intention to do token replacement in the username unless there is a reason compelling enough to do so. The hosted dependabot also doesn’t.

1 reaction
mburumaxwell commented, Feb 7, 2023

@bedzinsk template variables are not supported for replacement in the configuration file. In your case, the ACR_USERNAME and ACR_PASSWORD should be declared in the job/stage/pipeline definition or pipeline UI. Further, passing this in the extraEnvironmentVariables input will not work because the replacement works in the task and not in docker. extraEnvironmentVariables is passed to docker run ...

Notes:

  1. AZURE_HOSTNAME value is set by default to dev.azure.com so there is no need to pass it. If the pipeline sees a different value, it shall be passed.
  2. versioningStrategy input is no longer used; instead, you should specify the versioning-strategy option in the .github/dependabot.yml configuration file.

Changes to get it to work:

  1. Retain your configuration file but it should be at .github/dependabot.yml and not github/dependabot.yml.
  2. Add ACR_USERNAME and ACR_PASSWORD in the pipeline UI.
  3. Change your pipeline template to:
    parameters:
      - name: repos
        type: object
        default: []
    
    steps:
    - ${{ each repo in parameters.repos }}:
    
      - task: dependabot@1
        displayName: ${{ repo }}
        inputs:
          useConfigFile: true
          extraEnvironmentVariables: 'DEPENDABOT_FAIL_ON_EXCEPTION=false'
          targetRepositoryName: ${{ repo }}
          gitHubAccessToken: $(GIT_PAT)
          abandonUnwantedPullRequests: false
        continueOnError: true
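
Added example, not part of the thread or of the dependabot-azure-devops project: a pre-flight check that catches the failure shown in the issue, where `${{ ACR_USERNAME }}` reaches `DEPENDABOT_EXTRA_CREDENTIALS` as literal text and the registry answers 401. The function names, the `example.azurecr.io` registry and the `defined` list (the variable names assumed to be visible to the task) are assumptions made for illustration.

```ruby
require "json"

# Placeholder syntax used in the issue's dependabot.yml, e.g. ${{ ACR_USERNAME }}.
PLACEHOLDER = /\$\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/

# Inspect the JSON passed as DEPENDABOT_EXTRA_CREDENTIALS and report every
# field that still holds a literal placeholder. Only variable names are
# returned, never the credential values themselves.
def unresolved_credentials(extra_credentials_json)
  JSON.parse(extra_credentials_json).flat_map do |cred|
    cred.filter_map do |field, value|
      next unless value.is_a?(String)
      names = value.scan(PLACEHOLDER).flatten
      next if names.empty?
      { registry: cred["registry"], field: field, variables: names }
    end
  end
end

# Names referenced by placeholders in the config text that are absent from
# `defined` (assumption: the variable names visible to the task).
def missing_variables(config_text, defined)
  config_text.scan(PLACEHOLDER).flatten.uniq - defined
end

# Constructed samples modelled on the issue; example.azurecr.io is a placeholder.
FAILING = <<~'JSON'
  [{"type":"docker_registry","url":null,"registry":"example.azurecr.io",
    "username":"${{ ACR_USERNAME }}","password":"${{ ACR_PASSWORD }}"}]
JSON

RESOLVED = <<~'JSON'
  [{"type":"docker_registry","registry":"example.azurecr.io",
    "username":"svc-dependabot","password":"not-a-real-secret"}]
JSON

CONFIG = <<~'YAML'
  registries:
    ob-acr:
      username: ${{ ACR_USERNAME }}
      password: ${{ ACR_PASSWORD }}
YAML

if __FILE__ == $PROGRAM_NAME
  unresolved_credentials(FAILING).each do |f|
    puts "#{f[:registry]}: #{f[:field]} still contains #{f[:variables].join(', ')}"
  end
  puts "undefined: #{missing_variables(CONFIG, ENV.keys).join(', ')}"
end
```

Running a check like this against the logged `docker run` arguments flags the unresolved fields by name without echoing any secret value into the build log.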
    