dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Using Private Shared GitHub Action Workflows in my Organisation breaks dependabot #11018

Open baynezy opened 6 days ago

baynezy commented 6 days ago

Is there an existing issue for this?

Package ecosystem

GitHub Actions

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
registries:
  nuget-code-artifact:
    type: nuget-feed
    url: https://redacted.amazonaws.com/nuget/redacted/v3/index.json
    username: aws
    password: ${{secrets.CODE_ARTIFACT_TOKEN_PRIVATE_REPOS}}
updates:
  - package-ecosystem: "nuget"
    directory: "/" # Location of package manifests
    registries:
      - nuget-code-artifact
    schedule:
      interval: "daily"
    labels:
      - "flag:dependencies"
    open-pull-requests-limit: 10

  - package-ecosystem: "github-actions"
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"
    labels:
      - "flag:dependencies"

Updated dependency

No response

What you expected to see, versus what you actually saw

I have a workflow in GitHubActions that looks like this:

name: Deploy Develop Branch

on:
  push:
    branches:
      - develop
  workflow_dispatch:

jobs:
  get-version:
    uses: Redacted/Shared.Workflows/.github/workflows/step-version.yml@0.0.0.1

  build:
    needs: [get-version]
    uses: ./.github/workflows/step-build.yml
    secrets: inherit
    with:
      version: ${{ needs.get-version.outputs.version }}
      checkout-ref: ${{ github.base_ref }}

Note: I have redacted my organisation name.

This works well. I would expect that Dependabot would create PRs for updates to the Shared.Workflows repository like it does for other repos in the marketplace.

What actually happens is that I get an error in the logs and dependabot is failing.

updater | 2024/11/26 01:46:44 INFO Results:
Dependabot encountered '1' error(s) during execution, please check the logs for more details.
+-------------------------------------------------------------------+
|                   Dependencies failed to update                   |
+----------------------------------+--------------------------------+
| Redacted/Shared.Workflows | git_dependencies_not_reachable |
+----------------------------------+--------------------------------+
Failure running container 5d5999060e4e3a374071811a0f9a64dea42c162dcfba3c1d74e2150861bfdf81
Cleaned up container 5d5999060e4e3a374071811a0f9a64dea42c162dcfba3c1d74e2150861bfdf81
  proxy | 2024/11/26 01:46:44 41/61 calls cached (67%)
  proxy | 2024/11/26 01:46:44 Posting metrics to remote API endpoint
Error: Dependabot encountered an error performing the update

Error: The updater encountered one or more errors.

How do I fix this?

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

brettfo commented 5 days ago

@baynezy Do you have a full log you can attach? There's likely something interesting further up. If you don't want to share the log, you can also email it directly to me at brettfo@microsoft.com

baynezy commented 5 days ago

Thank you @brettfo, I have just sent you the logs you requested by email.

baynezy commented 4 days ago

For those who may find themselves here, the solution was as follows (massive thanks to @brettfo):

  1. I had to create a PAT token with actions:read and contents:read for the repository where my shared workflows are
  2. Add that PAT token as an Organisation secret for Dependabot
  3. Update my dependabot.yml (see below)

version: 2
registries:
  nuget-code-artifact:
    type: nuget-feed
    url: https://redacted.amazonaws.com/nuget/redacted/v3/index.json
    username: aws
    password: ${{secrets.CODE_ARTIFACT_TOKEN_PRIVATE_REPOS}}
  private-github-actions:
    type: git
    url: https://github.com
    username: x-access-token
    password: ${{secrets.PRIVATE_GITHUB_ACTIONS_TOKEN}}
updates:
  - package-ecosystem: "nuget"
    directory: "/" # Location of package manifests
    registries:
      - nuget-code-artifact
    schedule:
      interval: "daily"
    labels:
      - "flag:dependencies"
    open-pull-requests-limit: 10

  - package-ecosystem: "github-actions"
    directory: "/" # Location of package manifests
    registries:
      - private-github-actions
    schedule:
      interval: "daily"
    labels:
      - "flag:dependencies"

It is the addition of the registry of type git and the reference to it from the github-actions package ecosystem.

Documentation:
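As an added illustration of the fix described in this thread (not code from Dependabot or from any of the participants), the script below audits a parsed dependabot.yml against a workflow file: it extracts every remote `uses:` reference whose owner is your own organisation, checks that the `github-actions` update block is attached to a `type: git` registry for `https://github.com` (the missing piece in the original report), flags registry entries that reference a registry name never defined, and flags any registry credential that is not a `${{ secrets.NAME }}` reference. The organisation name `ExampleOrg`, the secret name and the sample workflow are constructed for the example; the config is passed as the dict you would get from `yaml.safe_load`, so the script has no dependency outside the standard library.

```python
"""Audit a dependabot.yml for private reusable-workflow coverage.

Constructed example for the thread above; not Dependabot's own code.
Inputs are the dict form of dependabot.yml (as yaml.safe_load would
return it) and the text of a workflow file.
"""
import re

# Remote `uses:` references of the form owner/repo[/path]@ref.
# Local references ("./.github/workflows/x.yml") and docker:// images
# have no "owner/repo@ref" shape and therefore do not match.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*["']?"""
    r"""(?P<owner>[A-Za-z0-9_.-]+)/(?P<repo>[A-Za-z0-9_.-]+)"""
    r"""(?:/[^@"'\s]*)?@(?P<ref>[^"'\s]+)""",
    re.MULTILINE,
)
# A registry credential must be a ${{ secrets.NAME }} reference, never a literal.
SECRET_REF_RE = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}$")


def in_org_references(workflow_text: str, org: str) -> set[str]:
    """Return 'owner/repo' for each remote reference owned by `org`."""
    return {
        f"{m['owner']}/{m['repo']}"
        for m in USES_RE.finditer(workflow_text)
        if m["owner"].lower() == org.lower()
    }


def github_git_registries(config: dict) -> set[str]:
    """Names of registries of type git that point at github.com."""
    regs = config.get("registries") or {}
    return {
        name for name, reg in regs.items()
        if reg.get("type") == "git"
        and str(reg.get("url", "")).rstrip("/").lower() == "https://github.com"
    }


def audit(config: dict, workflow_text: str, org: str) -> list[str]:
    """Return a list of findings; an empty list means the config is consistent."""
    findings: list[str] = []
    regs = config.get("registries") or {}

    # 1. Credentials in dependabot.yml must be secret references.
    for name, reg in regs.items():
        pw = reg.get("password")
        if pw is not None and not SECRET_REF_RE.match(str(pw)):
            findings.append(f"registry {name!r}: password is not a ${{{{ secrets.* }}}} reference")

    # 2. In-org reusable workflows need a git registry on the github-actions block.
    needed = in_org_references(workflow_text, org)
    git_regs = github_git_registries(config)
    actions_updates = [
        u for u in (config.get("updates") or [])
        if u.get("package-ecosystem") == "github-actions"
    ]
    if needed and not actions_updates:
        findings.append("no github-actions update block, but workflows reference "
                        + ", ".join(sorted(needed)))
    for upd in actions_updates:
        used = set(upd.get("registries") or [])
        for name in sorted(used - set(regs)):
            findings.append(f"update {upd.get('directory')!r} references undefined registry {name!r}")
        if needed and not (used & git_regs):
            findings.append(
                f"update {upd.get('directory')!r}: {', '.join(sorted(needed))} are in-org "
                "references but no git registry for https://github.com is attached"
            )
    return findings


# Constructed sample workflow, modelled on the one in the report.
WORKFLOW = """\
name: Deploy Develop Branch
on:
  push:
    branches: [develop]
jobs:
  get-version:
    uses: ExampleOrg/Shared.Workflows/.github/workflows/step-version.yml@v1
  build:
    needs: [get-version]
    uses: ./.github/workflows/step-build.yml
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Constructed configs: the failing shape, the fixed shape, and a literal token.
BEFORE = {
    "version": 2,
    "registries": {},
    "updates": [{"package-ecosystem": "github-actions", "directory": "/",
                 "schedule": {"interval": "daily"}}],
}
AFTER = {
    "version": 2,
    "registries": {"private-github-actions": {
        "type": "git", "url": "https://github.com", "username": "x-access-token",
        "password": "${{secrets.PRIVATE_GITHUB_ACTIONS_TOKEN}}"}},
    "updates": [{"package-ecosystem": "github-actions", "directory": "/",
                 "registries": ["private-github-actions"],
                 "schedule": {"interval": "daily"}}],
}
LEAKED = {
    "version": 2,
    "registries": {"private-github-actions": {
        "type": "git", "url": "https://github.com", "username": "x-access-token",
        "password": "literal-token-placeholder"}},  # constructed placeholder, not a real token
    "updates": AFTER["updates"],
}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("leaked", LEAKED)):
        print(label, audit(cfg, WORKFLOW, "ExampleOrg") or ["ok"])
```

Running the script reports the missing git registry for the `before` config, nothing for the `after` config, and the literal credential for the `leaked` one. The PAT behind the secret only needs the `actions:read` and `contents:read` scopes listed in the thread, so the same audit is a convenient place to confirm no broader token has been wired in by accident.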