dependabot unable to Azure Container Registry
Context
We have a list of modules which are using a base image stored in Azure Container Registry. We are using the dependabot azure-devops extension for our module repos to keep dependencies and the base image up to date.
Issue
Dependency updating works fine except for the base-image case, where we get an error 401.
Pipeline run stacktrace
Here DEPENDABOT_EXTRA_CREDENTIALS is missing the ACR username and password, which supposedly should come from environment variables.
/usr/bin/docker run --rm -i -e GITHUB_ACCESS_TOKEN=*** \
-e DEPENDABOT_PACKAGE_MANAGER=docker \
-e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=10 \
-e DEPENDABOT_DIRECTORY=/ \
-e DEPENDABOT_MILESTONE=115080 \
-e DEPENDABOT_EXTRA_CREDENTIALS=[{"type":"docker_registry","url":null,"registry":"<redacted>.azurecr.io","username":"${{ ACR_USERNAME }}","password":"${{ ACR_PASSWORD }}"}] \
-e DEPENDABOT_FAIL_ON_EXCEPTION=true \
-e AZURE_ORGANIZATION=<redacted> \
-e AZURE_PROJECT=<redacted> \
-e AZURE_REPOSITORY=<redacted> \
-e AZURE_ACCESS_TOKEN=*** \
-e AZURE_MERGE_STRATEGY=squash \
-e ACR_USERNAME="AzureDevopsDependabot" \
-e ACR_PASSWORD="***" \
-e AZURE_HOSTNAME=dev.azure.com \
-e DEPENDABOT_FAIL_ON_EXCEPTION=false \
tingle/dependabot-azure-devops:0.14
.....
/home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:251:in `rescue in tags_from_registry': The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): acrdevdvlgenobawe01iothubacr.azurecr.io (Dependabot::PrivateSourceAuthenticationFailure)
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:236:in `tags_from_registry'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:175:in `comparable_tags_from_registry'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:148:in `fetch_latest_version'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:269:in `doreq'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:26:in `doget'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:80:in `tags'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:241:in `tags_from_registry'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:175:in `comparable_tags_from_registry'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:148:in `fetch_latest_version'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:110:in `version_tag_up_to_date?'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:97:in `version_up_to_date?'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-common-0.215.0/lib/dependabot/update_checkers/base.rb:33:in `up_to_date?'
from ./update-script.rb:539:in `block in <main>'
from ./update-script.rb:503:in `each'
from ./update-script.rb:503:in `<main>'
/home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/abstract_response.rb:249:in `exception_with_response': 401 Unauthorized (RestClient::Unauthorized)
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/abstract_response.rb:129:in `return!'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:836:in `process_result'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:743:in `block in transmit'
from /usr/local/lib/ruby/3.1.0/net/http.rb:966:in `start'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:727:in `transmit'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:163:in `execute'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:63:in `execute'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:367:in `authenticate_bearer'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:330:in `do_bearer_req'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:293:in `rescue in doreq'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:269:in `doreq'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:26:in `doget'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:80:in `tags'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:241:in `tags_from_registry'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:175:in `comparable_tags_from_registry'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:148:in `fetch_latest_version'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:110:in `version_tag_up_to_date?'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:97:in `version_up_to_date?'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-common-0.215.0/lib/dependabot/update_checkers/base.rb:33:in `up_to_date?'
from ./update-script.rb:539:in `block in <main>'
from ./update-script.rb:503:in `each'
from ./update-script.rb:503:in `<main>'
/home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/abstract_response.rb:249:in `exception_with_response': 401 Unauthorized (RestClient::Unauthorized)
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/abstract_response.rb:129:in `return!'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:836:in `process_result'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:743:in `block in transmit'
from /usr/local/lib/ruby/3.1.0/net/http.rb:966:in `start'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:727:in `transmit'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:163:in `execute'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/rest-client-2.1.0/lib/restclient/request.rb:63:in `execute'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:275:in `doreq'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:26:in `doget'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/docker_registry2-1.12.0/lib/registry/registry.rb:80:in `tags'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:241:in `tags_from_registry'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:175:in `comparable_tags_from_registry'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:148:in `fetch_latest_version'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:110:in `version_tag_up_to_date?'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-docker-0.215.0/lib/dependabot/docker/update_checker.rb:97:in `version_up_to_date?'
from /home/dependabot/dependabot-script/vendor/ruby/3.1.0/gems/dependabot-common-0.215.0/lib/dependabot/update_checkers/base.rb:33:in `up_to_date?'
from ./update-script.rb:539:in `block in <main>'
from ./update-script.rb:503:in `each'
from ./update-script.rb:503:in `<main>'
Configuration
We have this config at github/dependabot.yml per each repo:
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    open-pull-requests-limit: 10
    milestone: 115080
  - package-ecosystem: "docker"
    directory: "/"
    open-pull-requests-limit: 10
    milestone: 115080
registries:
  ob-acr:
    type: docker-registry
    url: <redacted>.azurecr.io
    username: ${{ ACR_USERNAME }}
    password: ${{ ACR_PASSWORD }}
Azure Pipelines job template definition; here we provided the ACR username & password as extra environment variables:
parameters:
  - name: repos
    type: object
    default: []
  - name: acrUsername
    type: string
  - name: acrPassword
    type: string
steps:
  - ${{ each repo in parameters.repos }}:
    - task: dependabot@1
      displayName: ${{ repo }}
      inputs:
        useConfigFile: true
        extraEnvironmentVariables: 'ACR_USERNAME="${{ parameters.acrUsername }}";ACR_PASSWORD="${{ parameters.acrPassword }}";AZURE_HOSTNAME=dev.azure.com;DEPENDABOT_FAIL_ON_EXCEPTION=false'
        versioningStrategy: 'auto'
        targetRepositoryName: ${{ repo }}
        gitHubAccessToken: $(GIT_PAT)
        abandonUnwantedPullRequests: false
      continueOnError: true
Issue Analytics
- Created 7 months ago
- Comments: 5 (3 by maintainers)
Top GitHub Comments
I’m glad it worked. No, there is really no intention to do token replacement in the username unless there is a reason compelling enough to do so. The hosted dependabot also doesn’t.
@bedzinsk template variables are not supported for replacement in the configuration file. In your case, the ACR_USERNAME and ACR_PASSWORD should be declared in the job/stage/pipeline definition or pipeline UI. Further, passing this in the extraEnvironmentVariables input will not work because the replacement works in the task and not in docker. extraEnvironmentVariables is passed to docker run ...
Notes:
- AZURE_HOSTNAME value is set by default to dev.azure.com so there is no need to pass it. If the pipeline sees a different value, it shall be passed.
- versioningStrategy input is no longer used; instead you should specify the versioning-strategy option in the .github/dependabot.yml configuration file.
Changes to get it to work:
- .github/dependabot.yml and not github/dependabot.yml.
- ACR_USERNAME and ACR_PASSWORD in the pipeline UI.
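The failure discussed in this thread, as an added example that is not code from the extension or from anyone in the thread: a pre-flight check that inspects the DEPENDABOT_EXTRA_CREDENTIALS JSON and reports credential fields that still hold a literal `${{ ... }}` token, which is what the logged `docker run` command shows. The replacement model in `resolve_tokens` is an assumption based on the maintainer's description; `resolve_tokens`, `render`, `unresolved_credentials`, `example.azurecr.io` and the sample values are hypothetical.

```ruby
require "json"

# An unreplaced template token such as "${{ ACR_USERNAME }}".
PLACEHOLDER = /\$\{\{\s*(\w+)\s*\}\}/

# Assumed model of task-side replacement: tokens are filled only from the
# variables the task can see; a token with no matching variable stays literal.
def resolve_tokens(value, variables)
  return value unless value.is_a?(String)

  value.gsub(PLACEHOLDER) { |tok| variables.fetch(tok[PLACEHOLDER, 1], tok) }
end

# Builds the JSON handed to the container from the registry entries.
def render(registries, variables)
  JSON.generate(registries.map { |r| r.transform_values { |v| resolve_tokens(v, variables) } })
end

# Returns [registry, field, token] for each credential field that still holds
# a literal placeholder. Secret values are never returned or printed.
def unresolved_credentials(extra_credentials_json)
  JSON.parse(extra_credentials_json).flat_map do |cred|
    cred.filter_map do |field, value|
      m = value.is_a?(String) && value.match(PLACEHOLDER)
      [cred["registry"] || cred["url"], field, m[1]] if m
    end
  end
end

# Constructed sample shaped like the registry entry in the logged command.
SAMPLE = [{
  "type" => "docker_registry", "url" => nil, "registry" => "example.azurecr.io",
  "username" => "${{ ACR_USERNAME }}", "password" => "${{ ACR_PASSWORD }}"
}].freeze

if __FILE__ == $PROGRAM_NAME
  visible = { "ACR_USERNAME" => "svc-user", "ACR_PASSWORD" => "constructed-secret" }
  # First run: values exist only as container env vars, so the task sees none.
  [{}, visible].each do |vars|
    bad = unresolved_credentials(render(SAMPLE, vars))
    if bad.empty?
      puts "credentials resolved"
    else
      bad.each { |reg, field, tok| puts "#{reg}: #{field} still contains ${{ #{tok} }}" }
    end
  end
end
```

Running a check like this before the registry call turns an opaque 401 into a message naming the field that was never substituted, without writing any secret value to the pipeline log.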