Closed rd-tobias-woerenkaemper closed 1 month ago
Workaround: disable Settings -> Security -> Code security and analysis -> Dependabot on Actions runners, introduced (as opt-in) with https://github.blog/changelog/2024-07-10-dependabot-migration-to-github-actions-for-enterprise-cloud-and-free-pro-and-teams-accounts-with-actions-enabled/ which got enabled in our repos between 2024/07/18 and 2024/07/19 without us noticing and causing the problems we observed.
Update: enabling both options, Dependabot on Actions runners and Dependabot on self-hosted runners, seems to resolve the issue as well.
Workarounds suffice.
Is there an existing issue for this?
... and only found somewhat similar issues like #10267, which again points to #5288 and #6507.
tl;dr
Dependabot no longer uses configured private repositories for dependency version resolution.
Timeline
First failure recognition: 2024/07/19 ~18:00 UTC
Last success: 2024/07/18 ~18:00 UTC
Noticed that the first failing run is attended with dependabot appearing as a 'usual' GitHub Actions Dependabot updates run named gradle in /. - Update #123456789 #1.
Package ecosystem
gradle
Package manager version
8.8
Language version
Java 21
dependabot.yml content
Expected Behavior
Find and update dependencies based on the configured private repositories.
Actual Behavior
Only https://repo.maven.apache.org:443/maven2 gets checked, which of course returns 404 for private artifacts.
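For readers unfamiliar with the setup this report depends on, the following is an added example of a dependabot.yml that points the gradle ecosystem at a private Maven repository. It is not the reporter's file (which is not shown on this page); the registry name, URL and secret names are placeholders.

```yaml
# Added example, not the reporter's configuration.
# Registry name, URL and secret names below are placeholders.
version: 2

registries:
  private-maven:                       # hypothetical registry name
    type: maven-repository
    url: https://maven.example.internal/repository/releases   # placeholder URL
    username: ${{secrets.PRIVATE_MAVEN_USER}}                  # Dependabot secret, placeholder name
    password: ${{secrets.PRIVATE_MAVEN_TOKEN}}                 # Dependabot secret, placeholder name

updates:
  - package-ecosystem: "gradle"
    directory: "/"
    # Without this list the update job only consults the repositories it
    # can discover on its own, such as Maven Central.
    registries:
      - private-maven
    schedule:
      interval: "daily"
```

With a configuration of this shape, a job log that lists only https://repo.maven.apache.org:443/maven2 indicates the private registry was not consulted, which is the symptom described above.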