Open wadey opened 1 week ago
Can I tell dependabot to set GOPRIVATE=my-ghe.com somewhere? I'm not sure if that is the cause of this issue. It doesn't look like that is possible though according to: #7254
Ideally for GHE the domain for the instance should be added to GOPRIVATE automatically I'd say.
But I still can't tell if this is the root issue here or not.
Currently there's no way to set GOPRIVATE manually. The Dependabot service sets it based on a few factors:
GOPRIVATE=*
GOPRIVATE=${hostname}/${repo.account_name}/*
These assumptions aren't great so we'll have to work on that.
In the meantime I can offer you workarounds! You can set the repo to be private, or define any registry on the update config in the dependabot.yml:
version: 2
registries:
  workaround: # see https://github.com/dependabot/dependabot-core/issues/10086
    type: rubygems-server
    url: example.com
    token: fake-token
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - workaround
Sorry for the inconvenience! 🙇
Thanks for the workaround! For GHE it would be great if it defaulted to GOPRIVATE=${hostname} I think. That should fix the issue for everyone using GHE.
Ah, that workaround as stated doesn't work; it complains with:
Tokens should be stored as a GitHub secret.
So it has to be more complicated with a fake secret added to the repo:
registries:
  workaround: # see https://github.com/dependabot/dependabot-core/issues/10086
    type: rubygems-server
    url: example.com
    token: ${{secrets.WORKAROUND}}
But I can confirm that the workaround solves the core issue, and dependabot creates the PR with the workaround in place.
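To make the two GOPRIVATE values the maintainer listed and the `GOPRIVATE=${hostname}` default proposed above concrete, here is an added example (not code from Dependabot or from anyone in this thread) that re-implements the prefix-glob rule the go command applies to GOPRIVATE, GONOPROXY and GONOSUMDB, and reports for a few constructed module paths whether a fetch would go directly to the VCS host or through proxy.golang.org and sum.golang.org. The module paths (`my-ghe.com/my-org/my-repo`, `my-ghe.com/other-org/lib`, `github.com/some/lib`) are assumptions modelled on the issue; the point it shows is that `${hostname}/${repo.account_name}/*` only covers modules under the consuming repo's own account, so a dependency in another org on the same GHE host falls through to the public proxy, which is where a 404 and a leaked private module path would come from, whereas a bare hostname pattern covers every module on that host.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchPrefixPatterns reports whether any path-element prefix of modulePath
// matches one of the comma-separated path.Match globs in globs. This is a
// re-implementation written for this example of the rule the go command uses
// for GOPRIVATE / GONOPROXY / GONOSUMDB: a glob with N slashes is matched
// against the first N+1 path elements of the module path, so "my-ghe.com"
// matches every module on that host and "my-ghe.com/my-org/*" only modules
// directly under that org.
func matchPrefixPatterns(globs, modulePath string) bool {
	for _, glob := range strings.Split(globs, ",") {
		glob = strings.TrimSuffix(strings.TrimSpace(glob), "/")
		if glob == "" {
			continue
		}
		// Cut the module path down to as many elements as the glob has.
		n := strings.Count(glob, "/")
		prefix := modulePath
		for i := 0; i < len(modulePath); i++ {
			if modulePath[i] != '/' {
				continue
			}
			if n == 0 {
				prefix = modulePath[:i]
				break
			}
			n--
		}
		if n > 0 {
			// The module path has fewer elements than the glob: no match.
			continue
		}
		if ok, _ := path.Match(glob, prefix); ok {
			return true
		}
	}
	return false
}

// fetchPlan says where the go command would look for modulePath under the
// given GOPRIVATE value. Private modules are fetched straight from their host
// and skip the checksum database; everything else goes through the public
// proxy and is verified against sum.golang.org.
func fetchPlan(goprivate, modulePath string) string {
	if matchPrefixPatterns(goprivate, modulePath) {
		host, _, _ := strings.Cut(modulePath, "/")
		return "direct from " + host + ", no checksum DB"
	}
	return "proxy.golang.org, verified against sum.golang.org"
}

func main() {
	// Constructed module paths: a dependency in the consuming repo's own
	// org, one in a different org on the same GHE host, and a public one.
	modules := []string{
		"my-ghe.com/my-org/my-repo",
		"my-ghe.com/other-org/lib",
		"github.com/some/lib",
	}
	for _, goprivate := range []string{
		"my-ghe.com/my-org/*", // the ${hostname}/${repo.account_name}/* form
		"my-ghe.com",          // the proposed ${hostname} default
		"*",                   // the GOPRIVATE=* form
	} {
		fmt.Printf("GOPRIVATE=%q\n", goprivate)
		for _, m := range modules {
			fmt.Printf("  %-28s -> %s\n", m, fetchPlan(goprivate, m))
		}
	}
}
```

Running it prints, for each GOPRIVATE value, which of the three module paths would be fetched directly and which would be sent to the public proxy; the `my-ghe.com/other-org/lib` row is the one that differs between the org-scoped pattern and the hostname pattern.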
Is there an existing issue for this?
Package ecosystem
Go
Package manager version
No response
Language version
1.22
Manifest location and content before the Dependabot update
go.mod
The relevant section:
dependabot.yml content
Updated dependency
my-ghe.com/my-org/my-repo v1.3.1 -> v1.3.2
What you expected to see, versus what you actually saw
This is with GHE 3.12, but with an updated version of the dependabot runner. Both the dependency repo and the repo running dependabot are "public" in the GHE instance.
When checking for updates for a Go dependency that is hosted on our GHE instance, it appears to find the new version number (1.3.2 in the logs below), but then it appears to attempt the request against the public github.com, gets a 404 after trying the public Go module proxy, and then gives up.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response