dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

GitHub Dependabot security updates are failing with 401 Authentication error, when it initiates a connection with Artifactory pypi private registry for security updates #7382

Open p-torq opened 1 year ago

p-torq commented 1 year ago

Is there an existing issue for this?

Package ecosystem

pip

Package manager version

poetry

Language version

python = "~3.10.4"

Manifest location and content before the Dependabot update

/.../poetry.lock

dependabot.yml content

registries:
  tqt:
    type: python-index
    url: https://########.jfrog.io/artifactory/api/pypi/pypi/simple
    username: ######
    password: ${{secrets.##################}}
    replaces-base: false
  gcr:
    type: docker-registry
    url: #################
    username: _json_key
    password: ${{secrets.##################}}
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    commit-message:
      prefix: "[Draft]"
    rebase-strategy: "disabled"
  - package-ecosystem: "pip"
    directory: #################
    registries: "*"
    insecure-external-code-execution: allow
    schedule:
      interval: "daily"
    commit-message:
      prefix: "[Draft]"
    target-branch: "main"
    open-pull-requests-limit: 25
    rebase-strategy: "disabled"
  - package-ecosystem: "pip"
    directory: #################
    registries: "*"
    insecure-external-code-execution: allow
    schedule:
      interval: "daily"
    commit-message:
      prefix: "[Draft]"
    target-branch: "main"
    open-pull-requests-limit: 25
    rebase-strategy: "disabled"
  - package-ecosystem: "pip"
    directory: #################
    registries: "*"
    insecure-external-code-execution: allow
    schedule:
      interval: "daily"
    commit-message:
      prefix: "[Draft]"
    target-branch: "main"
    open-pull-requests-limit: 25
    rebase-strategy: "disabled"
  - package-ecosystem: "docker"
    directory: "/api"
    registries:
      - gcr
    schedule:
      interval: "daily"
    commit-message:
      prefix: "[Draft]"
    target-branch: "main"
    open-pull-requests-limit: 25
    rebase-strategy: "disabled"
  - package-ecosystem: "docker"
    directory: #################
    registries:
      - gcr
    schedule:
      interval: "daily"
    commit-message:
      prefix: "[Draft]"
    target-branch: "main"
    open-pull-requests-limit: 25
    rebase-strategy: "disabled"
  - package-ecosystem: "docker"
    directory: #################
    registries:
      - gcr
    schedule:
      interval: "daily"
    commit-message:
      prefix: "[Draft]"
    target-branch: "main"
    open-pull-requests-limit: 25
    rebase-strategy: "disabled"

Updated dependency

starlette >= 0.13.5, < 0.27.0 to 0.27.0

What you expected to see, versus what you actually saw

We expect Dependabot to create a PR for the security update.

Images of the diff or a link to the PR, issue, or logs


  proxy | 2023/05/23 05:36:40 Listening (:1080)
updater | 2023-05-23T05:36:41.563875496 [666711683:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-05-23T05:36:43Z" level=info msg="guest starting" commit=8ab4a20db815b67034070152643b9878c12b051d
updater | time="2023-05-23T05:36:43Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=666711683 updater_timeout=45m0s updater_version=49704c16cb0893c0ab8c5f884471c324baf39b83-pip
updater | 2023/05/23 05:36:45 INFO Raven 3.1.2 ready to catch errors
updater | 2023/05/23 05:36:47 INFO <job_666711683> Starting job processing
  proxy | 2023/05/23 05:36:47 [002] GET https://api.github.com:443/repos/###############
  proxy | 2023/05/23 05:36:47 [002] * authenticating github api request with token for api.github.com
  proxy | 2023/05/23 05:36:48 [002] 200 https://api.github.com:443/repos/###############
  proxy | 2023/05/23 05:36:48 [004] GET https://api.github.com:443/repos/###############/git/refs/heads/main
  proxy | 2023/05/23 05:36:48 [004] * authenticating github api request with token for api.github.com
  proxy | 2023/05/23 05:36:48 [004] 200 https://api.github.com:443/repos/###############/git/refs/heads/main
  proxy | 2023/05/23 05:36:48 [006] GET https://api.github.com:443/repos/###############/contents/daemon?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:48 [006] * authenticating github api request with token for api.github.com
  proxy | 2023/05/23 05:36:48 [006] 200 https://api.github.com:443/repos/###############/contents/daemon?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:48 [008] GET https://api.github.com:443/repos/###############/contents/daemon/pyproject.toml?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:48 [008] * authenticating github api request with token for api.github.com
  proxy | 2023/05/23 05:36:48 [008] 200 https://api.github.com:443/repos/###############/contents/daemon/pyproject.toml?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:48 [010] GET https://api.github.com:443/repos/###############/contents/daemon/poetry.lock?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:48 [010] * authenticating github api request with token for api.github.com
  proxy | 2023/05/23 05:36:48 [010] 200 https://api.github.com:443/repos/###############/contents/daemon/poetry.lock?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:48 [012] GET https://api.github.com:443/repos/###############/contents/daemon/.devcontainer?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:48 [012] * authenticating github api request with token for api.github.com
  proxy | 2023/05/23 05:36:48 [012] 200 https://api.github.com:443/repos/###############/contents/daemon/.devcontainer?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:48 [014] GET https://api.github.com:443/repos/###############/contents/daemon/tx_in_daemon?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:48 [014] * authenticating github api request with token for api.github.com
  proxy | 2023/05/23 05:36:48 [014] 200 https://api.github.com:443/repos/###############/contents/daemon/tx_in_daemon?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:48 [016] GET https://api.github.com:443/repos/###############/contents/lib/tx_in_utils/setup.py?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:48 [016] * authenticating github api request with token for api.github.com
  proxy | 2023/05/23 05:36:48 [016] 404 https://api.github.com:443/repos/###############/contents/lib/tx_in_utils/setup.py?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:48 [018] GET https://api.github.com:443/repos/###############/contents/lib/tx_in_utils?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:48 [018] * authenticating github api request with token for api.github.com
  proxy | 2023/05/23 05:36:49 [018] 200 https://api.github.com:443/repos/###############/contents/lib/tx_in_utils?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:49 [020] GET https://api.github.com:443/repos/###############/contents/lib/tx_in_utils/pyproject.toml?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:49 [020] * authenticating github api request with token for api.github.com
  proxy | 2023/05/23 05:36:49 [020] 200 https://api.github.com:443/repos/###############/contents/lib/tx_in_utils/pyproject.toml?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:49 [022] GET https://api.github.com:443/repos/###############/contents/lib/tx_in_utils/setup.cfg?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:49 [022] * authenticating github api request with token for api.github.com
  proxy | 2023/05/23 05:36:49 [022] 404 https://api.github.com:443/repos/###############/contents/lib/tx_in_utils/setup.cfg?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:49 [024] GET https://api.github.com:443/repos/###############/contents/?ref=b493d916acd54991f161dee2eab633907eb49373
  proxy | 2023/05/23 05:36:49 [024] * authenticating github api request with token for api.github.com
  proxy | 2023/05/23 05:36:49 [024] 200 https://api.github.com:443/repos/###############/contents/?ref=b493d916acd54991f161dee2eab633907eb49373
updater | 2023/05/23 05:36:49 INFO <job_666711683> Finished job processing
updater | time="2023-05-23T05:36:49Z" level=info msg="task complete" container_id=job-666711683-file-fetcher exit_code=0 job_id=666711683 step=fetcher
updater | 2023/05/23 05:36:51 INFO Raven 3.1.2 ready to catch errors
updater | 2023/05/23 05:36:52 INFO <job_666711683> Starting job processing
updater | 2023/05/23 05:36:57 INFO <job_666711683> Starting update job for ###############
updater | 2023/05/23 05:36:57 INFO <job_666711683> Checking if starlette 0.26.1 needs updating
  proxy | 2023/05/23 05:36:57 [030] GET https://pypi.org:443/simple/starlette/
  proxy | 2023/05/23 05:36:57 [030] 200 https://pypi.org:443/simple/starlette/
  proxy | 2023/05/23 05:36:58 [032] GET https://#######.jfrog.io:443/artifactory/api/pypi/pypi/simple/starlette/
  proxy | 2023/05/23 05:36:58 [032] 401 https://#######.jfrog.io:443/artifactory/api/pypi/pypi/simple/starlette/
  proxy | 2023/05/23 05:36:58 [034] GET https://#######.jfrog.io:443/artifactory/api/pypi/pypi/simple/
  proxy | 2023/05/23 05:36:58 [034] 401 https://#######.jfrog.io:443/artifactory/api/pypi/pypi/simple/
updater | 2023/05/23 05:36:58 INFO <job_666711683> Handled error whilst updating starlette: private_source_authentication_failure {:source=>"https://#######.jfrog.io/artifactory/api/pypi/pypi/simple/"}
updater | 2023/05/23 05:36:59 INFO <job_666711683> Finished job processing
updater | 2023/05/23 05:36:59 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +---------------------------------------------------+
updater | |           Dependencies failed to update           |
updater | +-----------+---------------------------------------+
updater | | starlette | private_source_authentication_failure |
updater | +-----------+---------------------------------------+
updater | time="2023-05-23T05:36:59Z" level=info msg="task complete" container_id=job-666711683-updater exit_code=0 job_id=666711683 step=updater

MirahImage commented 11 months ago

Having a similar issue with security updates for Golang repositories with a registry configured.

pj-kf commented 8 months ago

Also encountering this issue with a private npm registry, again using jfrog.

Entry in dependabot.yml with example manifest for a project in our monorepo:

registries:
  npm:
    type: npm-registry
    url: https://xxxx.jfrog.io/xxxxx/api/npm/npm/
    token: ${{secrets.SECRET_NAME}}
updates:
  - package-ecosystem: "npm"
    directory: ./<EXAMPLE_PATH>
    open-pull-requests-limit: 0
    schedule:
      interval: weekly
      day: friday
    commit-message:
      prefix: "build"

And the 401 error in the logs when auth fails:

updater | 2024/01/12 11:55:50 INFO <job_773593677> Starting security update job for xxxxxxx
updater | 2024/01/12 11:55:50 INFO <job_773593677> Checking if axios 0.27.2 needs updating
  proxy | 2024/01/12 11:55:50 [015] GET https://xxxxxxx.jfrog.io:443/artifactory/api/npm/npm/axios
  proxy | 2024/01/12 11:55:50 [015] 401 https://xxxxxxx.jfrog.io:443/artifactory/api/npm/npm/axios
  proxy | 2024/01/12 11:55:50 [015] Remote response: {
  proxy |   "errors" : [ {
  proxy |     "status" : 401,
  proxy |     "message" : "Authentication is required"
  proxy |   } ]
  proxy | }
updater | 2024/01/12 11:55:51 INFO <job_773593677> Handled error whilst updating axios: private_source_authentication_failure {:source=>"xxxxxxx.jfrog.io/artifactory/api/npm/npm"}
updater | 2024/01/12 11:55:51 INFO <job_773593677> Finished job processing
updater | 2024/01/12 11:55:51 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +-----------------------------------------------+
updater | |         Dependencies failed to update         |
updater | +-------+---------------------------------------+
updater | | axios | private_source_authentication_failure |
updater | +-------+---------------------------------------+
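As an added triage aid (not code from this issue or from dependabot-core), the script below parses updater/proxy log lines of the shape quoted in the original pip report and in pj-kf's npm comment and, for every dependency that ended in `private_source_authentication_failure`, reports the registry host involved and the HTTP statuses the proxy saw from that host. The embedded log is constructed from those two reports with a placeholder host.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample, modelled on the proxy/updater lines quoted in the issue (placeholder host).
SAMPLE_LOG = """\
updater | 2023/05/23 05:36:57 INFO <job_666711683> Checking if starlette 0.26.1 needs updating
  proxy | 2023/05/23 05:36:57 [030] GET https://pypi.org:443/simple/starlette/
  proxy | 2023/05/23 05:36:57 [030] 200 https://pypi.org:443/simple/starlette/
  proxy | 2023/05/23 05:36:58 [032] GET https://example.jfrog.io:443/artifactory/api/pypi/pypi/simple/starlette/
  proxy | 2023/05/23 05:36:58 [032] 401 https://example.jfrog.io:443/artifactory/api/pypi/pypi/simple/starlette/
updater | 2023/05/23 05:36:58 INFO <job_666711683> Handled error whilst updating starlette: private_source_authentication_failure {:source=>"https://example.jfrog.io/artifactory/api/pypi/pypi/simple/"}
updater | 2024/01/12 11:55:50 INFO <job_773593677> Checking if axios 0.27.2 needs updating
  proxy | 2024/01/12 11:55:50 [015] GET https://example.jfrog.io:443/artifactory/api/npm/npm/axios
  proxy | 2024/01/12 11:55:50 [015] 401 https://example.jfrog.io:443/artifactory/api/npm/npm/axios
updater | 2024/01/12 11:55:51 INFO <job_773593677> Handled error whilst updating axios: private_source_authentication_failure {:source=>"example.jfrog.io/artifactory/api/npm/npm"}
"""

# proxy lines: "[id] GET <url>" for requests, "[id] <status> <url>" for responses
PROXY_RE = re.compile(r"^\s*proxy \| \S+ \S+ \[(\d+)\] (GET|\d{3}) (\S+)")
# updater line emitted when a dependency update is abandoned
ERROR_RE = re.compile(r'Handled error whilst updating (\S+): (\w+) \{:source=>"([^"]+)"\}')


def _host(url: str) -> str:
    # The npm source is logged without a scheme; add one so urlsplit yields a hostname.
    return urlsplit(url if "://" in url else "https://" + url).hostname


def triage(log_text: str) -> list[dict]:
    """Return one record per failed dependency: error kind, registry host, statuses seen from it."""
    status_by_host = defaultdict(set)
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m and m.group(2) != "GET":  # response line, not the request echo
            status_by_host[_host(m.group(3))].add(int(m.group(2)))
    findings = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            dep, kind, source = m.groups()
            host = _host(source)
            findings.append({"dependency": dep, "error": kind, "host": host,
                             "statuses": sorted(status_by_host.get(host, ()))})
    return findings


def auth_failures(log_text: str) -> list[dict]:
    """Only the private_source_authentication_failure records whose host answered 401."""
    return [f for f in triage(log_text)
            if f["error"] == "private_source_authentication_failure" and 401 in f["statuses"]]
```

A host that appears here with 401 while the same `registries:` entry works for version updates is the signal to compare the credential the security-update job presents against the one the version-update job presents, rather than to debug the registry.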

and2352000 commented 8 months ago

Same issue with npm package management.

Sam13 commented 4 days ago

Similar issue with GHES v3.13 and NuGet ecosystem: Private registry configured in dependabot.yml. Dependabot version updates do work but Dependabot security updates fail with `private_source_authentication_failure`.

This used to work with previous versions of GHES.