Open jjolidon opened 6 months ago
Dependabot is executed in the context of Azure DevOps through the TingleSoftware docker image: https://github.com/tinglesoftware/dependabot-azure-devops
Solution proposed in #8887 DOES NOT apply to ProGet, the feed manifest includes the needed endpoints.
(Also to note: ProGet does support nuspec download, but I don't think there's an easy way of figuring out the feed is a ProGet feed short of trying downloading the nuspec...)
@jjolidon Do you have an example of a public repo and a full log where this failure occurs? I'd like to see how the authentication is passed around and how it should get passed to MSBuild.
Unfortunately not. Here is the relevant section of script:
```powershell
foreach ($feed in $credentials) {
    $feed["token"] = "${env:PROGET_USER_NAME}:${env:PROGET_USER_PASSWORD}"
}
$env:DEPENDABOT_EXTRA_CREDENTIALS = ConvertTo-Json $credentials -Compress
```
This ends up being a structure of the form:
```json
[
  {
    "type": "nuget_feed",
    "url": "https://proget.example.org/nuget/FeedName/v3/index.json",
    "token": "ProGetUserName:ProGetPassword"
  }
]
```
While I can't give you the whole script and sources, I'm willing to do my best providing the information you're missing, so do not hesitate to ask!
Hi @jjolidon, I see you are using the Dependabot Azure DevOps Extension here. It might be possible to get this to work by using your personal api key as the raw token value. e.g.
```json
[
  {
    "type": "nuget_feed",
    "url": "https://proget.example.org/nuget/FeedName/v3/index.json",
    "token": "ProGetPAT"
  }
]
```
If that doesn't work or you need to use username+password for auth, this issue could likely be due to how username+password auth isn't handled correctly when doing updates using MSBuild. A proposed fix has been submitted to https://github.com/tinglesoftware/dependabot-azure-devops/pull/1248 which adds better support for feeds requiring username+password auth.
For context, when Dependabot uses MSBuild to perform NuGet updates, it relies on credentials stored in an auto-generated nuget.config. Dependabot only supports "token" auth when using this config file. If your registry is configured with username+password, it wouldn't work as username is always set to "user" and password is always set to the registry token property. See: https://github.com/dependabot/dependabot-core/blob/8441dbad1bb13149f897cdbe92c11d36f98c8248/nuget/lib/dependabot/nuget/nuget_config_credential_helpers.rb#L38-L41
After https://github.com/tinglesoftware/dependabot-azure-devops/pull/1248, it should be possible to use username and password auth for projects that update via MSBuild. e.g.
```yaml
version: 2
registries:
  proget:
    type: nuget-feed
    url: https://proget.example.org/nuget/FeedName/v3/index.json
    username: ${{ProGetUserName}}
    password: ${{ProGetPassword}}
    token: ${{ProGetUserName}}:${{ProGetPassword}}
```
Or using a personal api key. e.g.
```yaml
version: 2
registries:
  proget:
    type: nuget-feed
    url: https://proget.example.org/nuget/FeedName/v3/index.json
    username: api
    password: ${{ProGetPAT}}
    token: api:${{ProGetPAT}}
```
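Added illustration for this thread (not dependabot-core's own code and not the extension's): it shows how a `nuget_feed` entry from `DEPENDABOT_EXTRA_CREDENTIALS` ends up in the `<packageSourceCredentials>` section of a generated nuget.config, once under the token-only rule described above (username fixed to `user`, password set to the token) and once under the username/password-aware rule the proposed fix aims for. The source key names (`feed0`, ...), the credential sample and the rendering code are assumptions made for the example.

```ruby
# Added illustration (not dependabot-core's own code): how a nuget_feed
# credential becomes the <packageSourceCredentials> section of nuget.config.
# Source key names and the sample credential below are constructed for
# this example.
require "cgi"
require "json"

# Token-only rule described in the thread: username is always "user" and
# the password is always the registry "token" value.
def token_only_credential(cred)
  { username: "user", password: cred.fetch("token") }
end

# Username-aware rule (what the proposed fix aims for): use an explicit
# username/password pair when both are present, else fall back to token-only.
def username_aware_credential(cred)
  if cred["username"] && cred["password"]
    { username: cred["username"], password: cred["password"] }
  else
    token_only_credential(cred)
  end
end

# Render a nuget.config with one <packageSources> entry and one
# <packageSourceCredentials> entry per nuget_feed credential. NuGet matches
# credentials to sources by element name, so both use the same "feedN" key.
def render_nuget_config(credentials, mapper)
  feeds = credentials.select { |c| c["type"] == "nuget_feed" }
  sources = feeds.each_with_index.map do |c, i|
    %(    <add key="feed#{i}" value="#{CGI.escapeHTML(c.fetch("url"))}" />)
  end
  creds = feeds.each_with_index.map do |c, i|
    m = mapper.call(c)
    [
      "    <feed#{i}>",
      %(      <add key="Username" value="#{CGI.escapeHTML(m[:username])}" />),
      %(      <add key="ClearTextPassword" value="#{CGI.escapeHTML(m[:password])}" />),
      "    </feed#{i}>",
    ].join("\n")
  end
  [
    '<?xml version="1.0" encoding="utf-8"?>',
    "<configuration>",
    "  <packageSources>",
    "    <clear />",
    *sources,
    "  </packageSources>",
    "  <packageSourceCredentials>",
    *creds,
    "  </packageSourceCredentials>",
    "</configuration>",
  ].join("\n")
end

# Constructed sample: the shape the PowerShell snippet in this thread
# produces, extended with explicit username/password fields.
SAMPLE_CREDENTIALS_JSON = <<~JSON
  [
    {
      "type": "nuget_feed",
      "url": "https://proget.example.org/nuget/FeedName/v3/index.json",
      "username": "ProGetUserName",
      "password": "ProGetPassword",
      "token": "ProGetUserName:ProGetPassword"
    }
  ]
JSON

def sample_credentials
  JSON.parse(SAMPLE_CREDENTIALS_JSON)
end

if __FILE__ == $PROGRAM_NAME
  puts "--- token-only rule (behaviour described in the thread) ---"
  puts render_nuget_config(sample_credentials, method(:token_only_credential))
  puts "--- username-aware rule (proposed) ---"
  puts render_nuget_config(sample_credentials, method(:username_aware_credential))
end
```

Running it side by side makes the failure mode in this thread visible: under the token-only rule the feed receives username `user` with the whole `ProGetUserName:ProGetPassword` string as the password, which is not a credential the feed knows, while the username-aware rule sends the pair the feed actually expects. The `ClearTextPassword` element is shown because that is what the generated file carries; keep such a file out of logs and build artifacts.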
Is there an existing issue for this?
Package ecosystem
nuget
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
No response
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
Expected: credentials are properly passed to the MSBuild step and used during restore.
The updater properly authenticates with ProGet and finds updates, but later the restore step with MSBuild fails to authenticate and retrieve packages.
The error looks like this:
This seems somewhat related to #8887. At least parts of #9004 might solve the issue, in that ProGet expects a user name and password.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response