
Support for private nuget feeds

Open ianpaul10 opened this issue 5 years ago • 5 comments

Hi Team!

I got the script setup and running for my GitLab repo and it doesn't seem to create MRs for the private nuget packages referenced in my .csproj.

Is this only supported in dependabot core/dependabot on github?

ianpaul10 avatar Jun 03 '20 21:06 ianpaul10

You can solve this by adding credentials of type nuget_feed to your credentials. Here's an example for adding a private organization-scoped feed from Azure DevOps.

if ENV["PRIVATE_FEED_NAME"]
  if package_manager == "nuget"
    # Public NuGet feed: without this entry public packages are not updated.
    credentials << {
      "type" => "nuget_feed",
      "url" => "https://api.nuget.org/v3/index.json",
    }
    # Private Azure DevOps feed; the token is read from the environment.
    credentials << {
      "type" => "nuget_feed",
      "url" => "https://pkgs.dev.azure.com/#{ENV["ORGANIZATION"]}/_packaging/#{ENV["PRIVATE_FEED_NAME"]}/nuget/v3/index.json",
      "token" => ":#{ENV["SYSTEM_ACCESSTOKEN"]}", # do not forget the colon
    }
  end
end

If you do not explicitly add the public NuGet, it won't update public packages.

This section is drawn from dependabot-azure-devops.

mburumaxwell avatar Dec 03 '20 10:12 mburumaxwell

@mburumaxwell are there any other steps required to make that work? My code successfully updates public feeds but I am using code like yours but still getting an error like

/opt/hostedtoolcache/Ruby/2.6.6/x64/lib/ruby/gems/2.6.0/gems/dependabot-nuget-0.111.59/lib/dependabot/nuget/update_checker/repository_finder.rb:116:in `check_repo_reponse': The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): https://<myorg>.pkgs.visualstudio.com/DefaultCollection/_packaging/<myfeedname>/nuget/v3/index.json (Dependabot::PrivateSourceAuthenticationFailure)
	from /opt/hostedtoolcache/Ruby/2.6.6/x64/lib/ruby/gems/2.6.0/gems/dependabot-nuget-0.111.59/lib/dependabot/nuget/update_checker/repository_finder.rb:44:in `build_url_for_details'
	from /opt/hostedtoolcache/Ruby/2.6.6/x64/lib/ruby/gems/2.6.0/gems/dependabot-nuget-0.111.59/lib/dependabot/nuget/update_checker/repository_finder.rb:38:in `block in find_dependency_urls'
	from /opt/hostedtoolcache/Ruby/2.6.6/x64/lib/ruby/gems/2.6.0/gems/dependabot-nuget-0.111.59/lib/dependabot/nuget/update_checker/repository_finder.rb:31:in `each'

I see your latest code no longer uses the snippet you posted but instead relies on json formatted input. Was that just for convenience/configuration or was it functionally necessary for some other reason?

danquirk avatar Mar 12 '21 02:03 danquirk

@danquirk

I did not do any more steps to get it working. The code was changed to allow multiple sets of credentials not just credentials from Azure DevOps private feeds such as Docker registries and MyGet feeds.

Initially, I struggled with a similar issue where the repository is not found. I realized the issue was my mixing of hostnames. If your code references https://<myorg>.pkgs.visualstudio.com/DefaultCollection/_packaging/<myfeedname>/nuget/v3/index.json but you supply the new URL https://pkgs.dev.azure.com/<myorg>/_packaging/<myfeedname>/nuget/v3/index.json, check on that and find out if it works. I also notice that you are using version 0.111.59 (August 2019); given that NuGet support in dependabot is still in beta, there may be some things that have changed and I suggest you upgrade to one of the more recent versions, e.g. 0.133.6.

On a closer look at the log you gave, it appears the issue may not be finding the private feed but accessing the git repository. Check the credentials type you are setting, nuget_feed is for the custom feed while git_source provides credentials for the git repository. Dependabot needs to access the repository before it can access the private feed to check for updates.

mburumaxwell avatar Mar 12 '21 06:03 mburumaxwell
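The two points raised in this thread, building a credentials list that carries both a git_source entry and the nuget_feed entries, and catching the hostname mismatch that caused the PrivateSourceAuthenticationFailure above, as an added example that is not code from the issue or from dependabot-script. The environment values are constructed placeholders, and the git_source entry is modelled on the shape dependabot-script uses for GitLab; normalize_azure_feed assumes the two URL forms quoted in the thread are the only difference.

```ruby
require "uri"

# Constructed sample of what the script would read from the environment.
SAMPLE_ENV = {
  "ORGANIZATION" => "myorg",
  "PRIVATE_FEED_NAME" => "myfeed",
  "SYSTEM_ACCESSTOKEN" => "placeholder-token",
  "GITLAB_ACCESS_TOKEN" => "placeholder-git-token",
}.freeze

# git_source authenticates the repository itself; nuget_feed entries
# authenticate package sources. Dependabot needs the former before it
# can use the latter, so both belong in the list.
def build_credentials(env, package_manager)
  creds = [{
    "type" => "git_source", "host" => "gitlab.com",
    "username" => "x-access-token", "password" => env["GITLAB_ACCESS_TOKEN"],
  }]
  return creds unless package_manager == "nuget" && env["PRIVATE_FEED_NAME"]
  creds << { "type" => "nuget_feed", "url" => "https://api.nuget.org/v3/index.json" }
  creds << {
    "type" => "nuget_feed",
    "url" => "https://pkgs.dev.azure.com/#{env["ORGANIZATION"]}/_packaging/#{env["PRIVATE_FEED_NAME"]}/nuget/v3/index.json",
    "token" => ":#{env["SYSTEM_ACCESSTOKEN"]}", # leading colon, as in the thread
  }
  creds
end

# Feeds referenced by the project (NuGet.config / .csproj) that have no
# nuget_feed credential with exactly the same URL. A legacy
# <org>.pkgs.visualstudio.com reference will show up here when the
# credential was written for pkgs.dev.azure.com/<org>.
def unmatched_feeds(referenced_urls, credentials)
  known = credentials.select { |c| c["type"] == "nuget_feed" }.map { |c| c["url"] }
  referenced_urls.reject { |u| known.include?(u) }
end

# Rewrite the legacy Azure DevOps host form to the current one so the
# project reference and the credential can be compared on equal terms.
def normalize_azure_feed(url)
  uri = URI.parse(url)
  m = uri.host.to_s.match(/\A(?<org>[^.]+)\.pkgs\.visualstudio\.com\z/)
  return url unless m
  path = uri.path.sub(%r{\A/DefaultCollection}, "")
  "https://pkgs.dev.azure.com/#{m[:org]}#{path}"
end
```

Run unmatched_feeds over the feed URLs your project actually references before starting an update; an empty result means every private source has a credential that will match it.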

Oh jeez you are right it was the package feed URL schema. Using the https://<myorg>.pkgs.visualstudio.com/DefaultCollection/_packaging/<myfeedname>/nuget/v3/index.json immediately worked perfectly. I was banging my head against the wall all Friday trying to figure that out. Thanks so much :)

I did have a similar realization about updating the dependabot version after I posted but that didn't help either. I knew it could access the git repo because I was getting dependabot PRs correctly for repos that only referenced packages on nuget.org, so the error message from dependabot was accurate/good aside from how hard it was to figure out what it did want instead.

danquirk avatar Mar 15 '21 18:03 danquirk

@danquirk happy to help

mburumaxwell avatar Mar 15 '21 19:03 mburumaxwell