
Use SSH access to allow updating private repository dependencies

Open asummers opened this issue 6 years ago • 8 comments

Apologies if this should go into Dependabot Core, let me know if I should reopen there.

Using Dependabot for Hex via Dependabot Script in GitHub Enterprise is mostly working okay. At this point, it is able to pull down mix.exs files, update them with Hex package updates, GitHub package updates, and make all the appropriate PRs. Wonderful! But what I can't seem to get working is dependencies of the form:

{:my_repo, git: "git@my_enterprise_url/my_repo.git", tag: "0.1"}

Is there something special I have to do for dependencies of this form?

asummers avatar Jul 18 '19 12:07 asummers

Honestly, I'm not sure. Can you create a repo on github.com that reproduces?

greysteil avatar Jul 18 '19 13:07 greysteil

Not sure the best way to do that since the GHE repo will only be accessible within our firewall. I can make a generic mix new project, but you'll have to do work on your end to fork a repo internally and point to it in the mix file.

asummers avatar Jul 18 '19 15:07 asummers

Hmmm, I have a thought - is your "git@my_enterprise_url/my_repo.git" server available over https? That's what Dependabot will be using to try to access it (from within your firewall).

greysteil avatar Jul 18 '19 16:07 greysteil

Negative. Due to security requirements internally, we're not allowed to expose it over https. That seems like it would definitely be the source of the bug. I guess this then turns into a feature request to allow SSH read access or (and this is probably better) use the existing access token to find the latest commit/tag via the GHE APIs in the same way that (from my understanding) it is done for normal public GH pings.

asummers avatar Jul 18 '19 16:07 asummers

Good to have got to the bottom of it!

I guess this then turns into a feature request to allow SSH read access or (and this is probably better) use the existing access token to find the latest commit/tag via the GHE APIs in the same way that (from my understanding) it is done for normal public GH pings.

Makes sense, can you rename this issue? The relevant code here is in GitMetadataFetcher, which is very generic. I'd rather not introduce GitHub as a special case there, so allowing it to use SSH is probably the way forward but non-trivial.

greysteil avatar Jul 18 '19 16:07 greysteil

Curious if there's been any progress on this.

asummers avatar Dec 16 '19 13:12 asummers

This also applies if you depend on another private repo hosted with the same organisation on github.com.

I was confused initially because Dependabot helpfully told me that I need to grant it access, but it was still failing with the same reason. It wasn't until I found this ticket that I realised it was because I defined the repo using the ssh url in my Gemfile.

liamnichols avatar Apr 16 '20 16:04 liamnichols
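The failure mode described in this thread (git dependencies declared with SSH URLs in mix.exs or a Gemfile, which Dependabot tries to reach over https), as an added example that is not part of the original issue or of Dependabot's own code: a small lint that finds such entries in a manifest and reports the https URL the fetcher would need instead. The two sample manifests are constructed; the regexes are an assumption about how such options are typically written, not a full parser.

```python
import re
from dataclasses import dataclass

# Constructed sample manifests mirroring the forms discussed in this thread:
# a Hex (mix.exs) dependency written the way the issue shows it, and a
# Gemfile entry using an ssh:// URL next to an https one.
SAMPLE_MIX_EXS = """
defp deps do
  [
    {:jason, "~> 1.1"},
    {:my_repo, git: "git@my_enterprise_url/my_repo.git", tag: "0.1"},
    {:other, git: "https://github.com/org/other.git", branch: "main"}
  ]
end
"""

SAMPLE_GEMFILE = """
source "https://rubygems.org"
gem "rails", "~> 6.0"
gem "internal_gem", git: "ssh://git@github.com/my-org/internal_gem.git"
gem "public_gem", git: "https://github.com/my-org/public_gem.git"
"""

# Any git: "<url>" option, which both mix.exs and Gemfile syntax use.
GIT_OPTION = re.compile(r'git:\s*"([^"]+)"')
# user@host:path (scp style) or user@host/path (as written in the issue).
SCP_STYLE = re.compile(r'^[\w.-]+@([\w.-]+)[:/](.+)$')
# ssh://user@host/path
SSH_SCHEME = re.compile(r'^ssh://(?:[\w.-]+@)?([\w.-]+)/(.+)$')

@dataclass
class Finding:
    ssh_url: str    # URL as declared in the manifest
    https_url: str  # equivalent URL reachable without an SSH key

def to_https(url: str):
    """Return the https form of an SSH git URL, or None if url is not SSH."""
    m = SSH_SCHEME.match(url) if "://" in url else SCP_STYLE.match(url)
    if not m:
        return None  # already http(s), or some other scheme
    host, path = m.group(1), m.group(2).lstrip("/")
    return f"https://{host}/{path}"

def find_ssh_git_deps(manifest: str):
    """List every git dependency declared with an SSH URL, with its https form."""
    return [Finding(u, h) for u in GIT_OPTION.findall(manifest)
            if (h := to_https(u)) is not None]
```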

Any update on this?

chrillep avatar May 05 '20 17:05 chrillep