Support dependabot while using private repositories as dependencies #2
Merged
llucax merged 4 commits into frequenz-floss:v0.x.x (Feb 22, 2024)
Conversation
This is particularly important to allow dependabot to work with private dependencies. A PR created by dependabot won't have access to the secrets, so the inputs will be there but empty, causing an empty credentials file (no username or password) to be created, which ends up in an auth error. To use private repos as dependencies, they must be configured in the organization. For more details see:

* dependabot/dependabot-core#3253 (comment)
* https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private-dependencies

Signed-off-by: Leandro Lucarella <luca-frequenz@llucax.com>
Since we need to support the case where they are empty, we can as well make them optional and default to an empty username and password, so repos not using private repos as dependencies can use this action with less clutter. Signed-off-by: Leandro Lucarella <luca-frequenz@llucax.com>
Add sections about inputs, dependabot and private repositories as dependencies, and changelog. Signed-off-by: Leandro Lucarella <luca-frequenz@llucax.com>
Marenz (Contributor) approved these changes on Feb 21, 2024
Sadly I misunderstood the issue and this is not really fixing it. The org-level config only allows dependabot to search for dependency updates, but once the PR is created and the CI needs to run, then the PR created by dependabot still doesn't have access to the private repo (the workflow provided token is still not good and the job still doesn't have access to secrets). To fix this for good, we'll need a more complicated solution. See: dependabot/dependabot-core#3253 (comment)
We don't set up credentials if they are empty, to allow dependabot to work with private dependencies. A PR created by dependabot won't have access to the secrets, so the inputs will be there but empty, causing an empty credentials file (no username or password) to be created, which ends up in an auth error.
Because of this, credentials are now optional, which also makes the action more convenient to use with public repositories.
To use private repos as dependencies, they must be configured in the organization.
If you use dependabot and have private repositories as dependencies, the credentials configured here will have no effect on PRs created by dependabot, as they don't have access to secrets for security reasons.
To fix this, you need to configure your GitHub organization to allow dependabot access to the private repositories you use as dependencies for other projects.
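As an added example of the behaviour described above (this is illustrative code, not the action's own, which this page does not show): a POSIX shell helper that only writes a credentials file when both the username and the password inputs are non-empty. A dependabot PR, whose secrets arrive as empty inputs, therefore gets no credentials file at all rather than one with blank fields that fails authentication. The `.netrc` file format, the `setup_credentials` function name, its parameters and the "both or neither" rule are assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical helper mirroring the rule described in the PR: create a
# credentials file only when both username and password are present.
# The .netrc format and all names here are assumptions for this example,
# not the action's own implementation.

# setup_credentials HOST USERNAME PASSWORD NETRC_PATH
#   both empty      -> write nothing, return 0 (the dependabot case)
#   exactly one set -> write nothing, return 1 (misconfigured inputs)
#   both set        -> write NETRC_PATH with mode 0600, return 0
setup_credentials() {
  host="$1"
  username="$2"
  password="$3"
  netrc="$4"

  if [ -z "$username" ] && [ -z "$password" ]; then
    # Expected when secrets are not exposed to the job (e.g. dependabot PRs):
    # skip silently instead of producing an unusable credentials file.
    echo "no credentials provided; not writing $netrc" >&2
    return 0
  fi

  if [ -z "$username" ] || [ -z "$password" ]; then
    # Half-configured inputs are a caller error, not the dependabot case.
    echo "error: username and password must both be set or both be empty" >&2
    return 1
  fi

  # Create the file in a subshell with a restrictive umask so the secret is
  # never world-readable, even briefly; chmod afterwards for good measure.
  ( umask 077; printf 'machine %s\nlogin %s\npassword %s\n' \
      "$host" "$username" "$password" > "$netrc" ) || return 1
  chmod 600 "$netrc"
  return 0
}

# credentials_file_exists PATH -> 0 if PATH exists as a regular file, else 1
credentials_file_exists() {
  [ -f "$1" ]
}
```

In a composite action step this would be called with `${{ inputs.username }}` and `${{ inputs.password }}`, which the PR makes optional with empty defaults. Note the caveat from the follow-up comment above: skipping the file only avoids the auth-error failure mode; it does not give a dependabot-created PR access to the private repository during CI.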