
Does Evergreen support Dependabot configuration for private registries?

Open AppSecCharlie opened this issue 1 year ago • 2 comments

Is your feature request related to a problem?

When setting up dependabot.yml files I typically need to set up at least one private registry, depending on the ecosystems being used. Is there a way to configure Evergreen to include the private registry config in the deployed dependabot.yml files?

Describe the solution you'd like

Ideally I'd like to be able to configure that, for particular ecosystems, Evergreen should include the private registry config in the dependabot.yml; for example, for npm:

version: 2
registries:
  npm-npmjs:
    type: npm-registry
    url: https://registry.npmjs.org
    username: octocat
    password: ${{secrets.MY_NPM_PASSWORD}}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-npmjs
    schedule:
      interval: "weekly"

Describe alternatives you've considered

No response

Additional context

No response

AppSecCharlie avatar Aug 14 '24 20:08 AppSecCharlie

Great use case! Evergreen doesn't support this today but implementing this is feasible. Likely would need to specify a file to use to override specific package managers.

zkoppert avatar Aug 14 '24 22:08 zkoppert

This issue is stale because it has been open 21 days with no activity. Remove stale label or comment or this will be closed in 14 days.

github-actions[bot] avatar Sep 05 '24 01:09 github-actions[bot]

Just giving my input here. I think that we would need to understand how to assign a private repo to a package type. For example, if on an organization there are several npm, maven, docker, etc. repositories, we would need to add a private repository configuration for each one of them. Since evergreen is supposed to run for all repositories, maybe this could be some kind of YAML file that could be referenced as input on the action and then added to the generated dependabot.yml file, depending on the type of dependencies found on the repositories. There are several private registries that can serve as a proxy mirror to public repositories, for example. The created file would be something similar to:

  npm:
    type: npm-registry
    url: https://yourrepository.com/npm/
    username: username
    password: ${{secrets.password}}
  maven:
    type: maven-repository
    url: https://yourrepository.com/maven/
    username: username
    password: ${{secrets.password}}
  docker:
    type: docker-registry
    url: https://yourrepository.com/docker/
    username: username
    password: ${{secrets.password}}

When building the dependabot.yaml, the code would look into this created file with the private registries and try to match the found dependencies list with the first level of the YAML file, adding the private registry in the key registries: under the dependabot.yaml file and on the detected registry configuration.

I will try to think of an update to add this change; let me know what you think.

ricardojdsilva87 avatar Oct 24 '24 15:10 ricardojdsilva87
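The merge step proposed in the comment above (a per-ecosystem registry file matched against the ecosystems detected in a repository, with the matching entries copied into `registries:` and referenced from the corresponding `updates:` entry), together with the `registries:` block shown in the original issue, as an added example. This is not evergreen's code and not any commenter's; it assumes the input file is keyed by dependabot `package-ecosystem` name, names each generated registry entry `<ecosystem>-private` (this example's own choice), treats `password`, `token` and `key` as the fields that carry a credential (an assumption), and uses a small hand-rolled YAML emitter so it runs without PyYAML. The check that every credential is a `${{ secrets.* }}` reference and that the registry URL is `https://` is the part a reviewer would want before a tool starts committing registry blocks to every repository in an organization.

```python
"""Merge a per-ecosystem private-registry file into a generated dependabot.yml.

Added example (not evergreen's code). Registry entries are validated so that no
literal credential and no plaintext-HTTP registry is ever written to the repo.
"""
import re

# Constructed sample of the per-ecosystem registry file described in the thread.
SAMPLE_REGISTRIES = {
    "npm": {"type": "npm-registry", "url": "https://yourrepository.com/npm/",
            "username": "username", "password": "${{secrets.password}}"},
    "maven": {"type": "maven-repository", "url": "https://yourrepository.com/maven/",
              "username": "username", "password": "${{secrets.password}}"},
    "docker": {"type": "docker-registry", "url": "https://yourrepository.com/docker/",
               "username": "username", "password": "${{secrets.password}}"},
}

# Matches `${{secrets.NAME}}` / `${{ secrets.NAME }}` and nothing else.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
# Assumption: these are the registry fields that carry a credential.
CREDENTIAL_KEYS = ("password", "token", "key")


def is_secret_reference(value):
    """True if value is an Actions secrets reference rather than a literal credential."""
    return bool(SECRET_REF.match(str(value)))


def registry_problems(name, reg):
    """Return the reasons this registry entry must not be written to dependabot.yml."""
    problems = []
    for field in ("type", "url"):
        if field not in reg:
            problems.append("registry %r: missing required field %r" % (name, field))
    if "url" in reg and not str(reg["url"]).startswith("https://"):
        problems.append("registry %r: url must use https so credentials are not sent in clear" % name)
    for key in CREDENTIAL_KEYS:
        if key in reg and not is_secret_reference(reg[key]):
            problems.append("registry %r: %s must be a ${{ secrets.* }} reference, not a literal" % (name, key))
    return problems


def build_dependabot_config(detected, registries, interval="weekly"):
    """Build the dependabot v2 config (as a dict) for the detected ecosystems.

    detected:   list of (package-ecosystem, directory) pairs found in the repo.
    registries: mapping ecosystem -> registry definition (the proposed input file).
    Only ecosystems actually present get a registries: block; an ecosystem with
    no entry in the file is emitted without one.
    """
    config = {"version": 2}
    used = {}
    updates = []
    for ecosystem, directory in detected:
        update = {"package-ecosystem": ecosystem, "directory": directory}
        if ecosystem in registries:
            reg_name = ecosystem + "-private"  # naming is this example's choice
            problems = registry_problems(reg_name, registries[ecosystem])
            if problems:
                raise ValueError("; ".join(problems))
            used[reg_name] = dict(registries[ecosystem])
            update["registries"] = [reg_name]
        update["schedule"] = {"interval": interval}
        updates.append(update)
    if used:
        config["registries"] = used
    config["updates"] = updates
    return config


def _scalar(value):
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    # Always quote strings so `${{ ... }}` and URLs survive YAML parsing intact.
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_yaml(value, indent=0):
    """Minimal YAML emitter for the dict/list/scalar shapes used here (no PyYAML needed)."""
    pad = " " * indent
    lines = []
    if isinstance(value, dict):
        for key, item in value.items():
            if isinstance(item, (dict, list)):
                lines.append("%s%s:" % (pad, key))
                lines.append(to_yaml(item, indent + 2))
            else:
                lines.append("%s%s: %s" % (pad, key, _scalar(item)))
    elif isinstance(value, list):
        for item in value:
            if isinstance(item, dict):
                # First key goes on the "- " line, the remaining keys under it.
                body = to_yaml(item, indent + 2).splitlines()
                lines.append("%s- %s" % (pad, body[0].lstrip()))
                lines.extend(body[1:])
            else:
                lines.append("%s- %s" % (pad, _scalar(item)))
    return "\n".join(lines)


if __name__ == "__main__":
    detected = [("npm", "/"), ("docker", "/"), ("pip", "/")]
    print(to_yaml(build_dependabot_config(detected, SAMPLE_REGISTRIES)))
```

Running the block prints a dependabot.yml in which only `npm` and `docker` receive a `registries:` entry, while `pip` (absent from the registry file) is emitted without one; feeding it a registry whose `password` is a literal string or whose `url` is plain HTTP raises before anything is written.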