Fix dependabot registries examples for maven-repositories with a token
What article on docs.github.com is affected?
https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#maven-repository
What part(s) of the article would you like to see updated?
The part that says you can use a token for maven-repositories is wrong. You can see here that you still need to define username and password even when you use a token, as you can see in this PR https://github.com/dependabot/dependabot-core/pull/3403/files#diff-48b048f6d8a8b732434e30d186e65de8e3303c03308c116f8e078697b372abecR312 If you try to use the "token" keyword you will get an error from dependabot, so the documentation is not up-to-date for maven-repositories.
Additional information
related PR https://github.com/github/docs/pull/5868
Content changes needed
Update May 6, 2021 ✏️ by @felicitymay
I looked into this problem with the engineering team. I wanted to make sure that this was a docs issue and not a bug in Dependabot. During our investigation, it became clear that the existing information about `username`, `password` and `token` was too brief and that this issue needed a larger-scale change to the article.
Tech summary
- `token` is used to provide an access token for an external system and should not be used to provide a GitHub personal access token. It's supported only by: `npm-registry`, `nuget-feed`, `python-index`, `rubygems-server`. As highlighted by this issue, it is not supported for `maven-repository`.
- `username` should be an account username or email address.
- `password` should be a password for the account specified by the `username`. If this is a GitHub account, you can use a GitHub personal access token in place of the password.
Docs changes needed
- In the Configuration options for private registries section:
  - Expand the information in the table for `token`, `username` and `password` so that their use is clear. In particular, explain that a `token` is for an external system and that when you want to use a GitHub access token you should supply it as a `password`.
  - Update all descriptions: "The type supports username and password." to explain that the password can be a GitHub personal access token.
- In the registries section:
  - Update the `maven-github` example to use a `username` and `password` with an access token.
  - Remove `token` from this example.
  - In the git example, change the username to: `username: octocat`.
- In the maven-repository section:
  - Remove "token" from the description.
  - Update the description to match those for other systems that only support a username and password.
  - Update the second example to use a `username` and `password` with an access token.
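As an added example (not taken from the issue or from the GitHub docs), here is the rejected `token` form for a `maven-repository` registry beside the `username`/`password` form the tech summary calls for. The registry URL, the Dependabot secret name and the `updates` block are assumptions.

```yaml
# Added example, not from the issue or the docs. The registry URL and the
# secret name (GITHUB_PAT) are assumed; store the PAT as a Dependabot secret.
version: 2
registries:
  # Rejected by Dependabot: `token` is not a supported key for maven-repository
  # (it is only accepted by npm-registry, nuget-feed, python-index and
  # rubygems-server), so this definition produces an error.
  #
  # maven-github:
  #   type: maven-repository
  #   url: https://maven.pkg.github.com/octocat
  #   token: ${{secrets.GITHUB_PAT}}

  # Accepted: the GitHub personal access token is supplied as `password`.
  # `username` is required by the schema but is not significant when a PAT
  # is used, so any account name will do.
  maven-github:
    type: maven-repository
    url: https://maven.pkg.github.com/octocat
    username: octocat
    password: ${{secrets.GITHUB_PAT}}

updates:
  - package-ecosystem: "maven"
    directory: "/"
    registries:
      - maven-github
    schedule:
      interval: "weekly"
```

Scoping the PAT to the `read:packages` permission keeps the credential limited to what Dependabot needs to resolve artifacts.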
Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
👋🏻 Hi @tclass
I spent this morning looking into this with the engineering team. It turns out that you uncovered a larger issue with the documentation here than you realized. 🙇🏻♀️
You're absolutely right to highlight the fact that `token` is not supported for `maven-repository`. It's also true that you can pass a GitHub personal access token as a `password`. In fact this is true for all private registries. When you supply a personal access token as a password, the username isn't particularly important.
Thank you so much for raising this issue and highlighting this bug in the docs. ✨
I've updated the issue description with this information and also with a summary of the wider docs changes that we need to make so that this article is clear for all private registries. Hopefully this will help anyone else who comes across this problem until someone fixes this issue.
@tclass 👋🏻 - Thanks for raising this issue. Apologies for not getting to this sooner. I am working in this area of the docs at the moment, so I am going to close this OS issue and raise an internal issue instead so that I can liaise with the Dependabot Updates engineering team, and see what the situation is today for Maven, in case there have been changes to the behavior.