
Private repositories not used for version checks -> missing updates for internal libs/plugins

Open rd-tobias-woerenkaemper opened this issue 7 months ago • 2 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

... and only found somewhat similar issues like #10267, which again points to #5288 and #6507.

tl;dr

Dependabot no longer uses configured private repositories for dependency version resolution.

Timeline

First failure recognition: 2024/07/19 ~18:00 UTC
Last success: 2024/07/18 ~18:00 UTC

Noticed that the first failing run coincides with Dependabot appearing as a 'usual' GitHub Actions "Dependabot Updates" run named `gradle in /. - Update #123456789 #1`.

Package ecosystem

gradle

Package manager version

8.8

Language version

Java 21

dependabot.yml content

```yaml
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    ...
    registries: "*"   # this update job may use every registry defined below
registries:
  artifactory-libs:           # private Maven repository for internal libraries
    type: maven-repository
    url: https://artifactory.my.company/libs
    username: ${{secrets.USER}}
    password: ${{secrets.PASSWORD}}
  artifactory-plugins:        # private Maven repository for internal Gradle plugins
    type: maven-repository
    url: https://artifactory.my.company/plugins
    username: ${{secrets.USER}}
    password: ${{secrets.PASSWORD}}
```

Expected Behavior

Find and update dependencies based on the configured private repositories.

Actual Behavior

Only https://repo.maven.apache.org:443/maven2 gets checked, which of course returns 404 for private artifacts.

rd-tobias-woerenkaemper, Jul 23 '24 10:07
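A way to check which of the configured repositories can actually serve a given Gradle dependency, as an added example that is neither Dependabot's code nor the reporter's: it walks every registry from the dependabot.yml above plus Maven Central, expands the `${{secrets.*}}` placeholders from an environment map, fetches each repository's `maven-metadata.xml` with HTTP basic auth, and reports which registries returned versions. The registry URLs and secret placeholders are the ones in the issue; the coordinate `com.my.company:internal-lib`, the credentials `ci-user`/`ci-token` and the HTTP responses in `fake_fetch` are constructed so the script runs offline. Swap `fake_fetch` for `http_fetch` to run it against a real Artifactory.

```python
"""Report which configured Maven repositories know a dependency (added example)."""
import base64
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

# Registries exactly as configured in the issue's dependabot.yml.
REGISTRIES: Dict[str, Dict[str, str]] = {
    "artifactory-libs": {
        "url": "https://artifactory.my.company/libs",
        "username": "${{secrets.USER}}",
        "password": "${{secrets.PASSWORD}}",
    },
    "artifactory-plugins": {
        "url": "https://artifactory.my.company/plugins",
        "username": "${{secrets.USER}}",
        "password": "${{secrets.PASSWORD}}",
    },
}
# The only repository the failing runs consulted, per the issue.
MAVEN_CENTRAL = "https://repo.maven.apache.org/maven2"

SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

Auth = Optional[Tuple[str, str]]
Fetch = Callable[[str, Auth], Tuple[int, str]]


def expand_secrets(value: str, env: Dict[str, str]) -> str:
    """Replace ${{secrets.NAME}} with env[NAME]; a missing secret raises KeyError."""
    return SECRET_RE.sub(lambda m: env[m.group(1)], value)


def metadata_url(base: str, coordinate: str) -> str:
    """Maven layout: group dots become path segments, then artifact/maven-metadata.xml."""
    group, artifact = coordinate.split(":")
    return f"{base.rstrip('/')}/{group.replace('.', '/')}/{artifact}/maven-metadata.xml"


def versions_from_metadata(xml_text: str) -> List[str]:
    """Pull the <version> entries out of a maven-metadata.xml document."""
    root = ET.fromstring(xml_text)
    return [v.text or "" for v in root.findall("./versioning/versions/version")]


def resolve(coordinate: str, registries: Dict[str, Dict[str, str]],
            env: Dict[str, str], fetch: Fetch) -> Dict[str, Optional[List[str]]]:
    """Query each registry in order; None means it did not serve the artifact (401/404/...)."""
    results: Dict[str, Optional[List[str]]] = {}
    for name, reg in registries.items():
        auth: Auth = None
        if reg.get("username"):
            auth = (expand_secrets(reg["username"], env),
                    expand_secrets(reg["password"], env))
        status, body = fetch(metadata_url(reg["url"], coordinate), auth)
        results[name] = versions_from_metadata(body) if status == 200 else None
    return results


def http_fetch(url: str, auth: Auth) -> Tuple[int, str]:
    """Real transport (HTTP basic auth) for running this against an actual Artifactory."""
    req = urllib.request.Request(url)
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


# Constructed maven-metadata.xml for a hypothetical internal artifact.
FAKE_METADATA = (
    "<metadata><groupId>com.my.company</groupId><artifactId>internal-lib</artifactId>"
    "<versioning><latest>2.4.0</latest><release>2.4.0</release>"
    "<versions><version>2.3.1</version><version>2.4.0</version></versions>"
    "</versioning></metadata>"
)


def fake_fetch(url: str, auth: Auth) -> Tuple[int, str]:
    """Constructed responses: only the libs repo, with valid credentials, knows the artifact."""
    if url.startswith("https://artifactory.my.company/"):
        if auth != ("ci-user", "ci-token"):
            return 401, ""
        if url.startswith("https://artifactory.my.company/libs/"):
            return 200, FAKE_METADATA
        return 404, ""  # plugins repo does not host this library
    return 404, ""  # Maven Central has never heard of the private artifact


def demo(with_private: bool = True) -> Dict[str, Optional[List[str]]]:
    """Resolve with the private registries (expected) or with Maven Central only (actual)."""
    env = {"USER": "ci-user", "PASSWORD": "ci-token"}  # hypothetical secret values
    regs = {**REGISTRIES, "maven-central": {"url": MAVEN_CENTRAL}} if with_private \
        else {"maven-central": {"url": MAVEN_CENTRAL}}
    return resolve("com.my.company:internal-lib", regs, env, fake_fetch)


if __name__ == "__main__":
    for label, flag in (("expected", True), ("actual", False)):
        print(label, demo(flag))
```

With the private registries included, `artifactory-libs` returns the two versions and the other two entries are `None`; with Maven Central alone every entry is `None`, which is the "404 for private artifacts" outcome described above. A `None` across all registries is the signal to investigate before trusting an "up to date" result.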