Can't auth to ACR

[grubyhs]

Describe the bug Can't connect to ACR

Categorization

• [X] This is not a permissions issue (We cannot solve permission issues)

/home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-docker-0.262.0/lib/dependabot/docker/update_checker.rb:208:in `rescue in tags_from_registry': The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): iversparkcontainers.azurecr.io (Dependabot::PrivateSourceAuthenticationFailure)

Well I can't connect to ACR using this config:

# Basicdependabot.yml` file with

minimum configuration for two package managers

registries: dockerhub: # Define access for a private registry type: docker-registry url: iversparkcontainers.azurecr.io username: ${{acr.pullpush.username}} password: ${{acr.pullpush.password}} version: 2 updates:

Enable version updates for Docker

• package-ecosystem: "docker"

  Look for a Dockerfile in the root directory

  directory: "/docker/azure-agent" registries: "*"

  Check for updates once a week

  schedule: interval: "daily"

• package-ecosystem: "docker"

  Look for a Dockerfile in the root directory

  directory: "/docker/base" registries: "*"

  Check for updates once a week

  schedule: interval: "daily"

• package-ecosystem: "docker"

  Look for a Dockerfile in the root directory

  directory: "/docker/services" registries: "*"

  Check for updates once a week

  schedule: interval: "daily"`

  Maybe I am doing something wrong? If I am it should be added to readme in my opinion

[cherealnice]

Adding to this: I've been debugging why I keep getting 401s from https://pkgs.dev.azure.com/ when running update_script. I cannot figure out what is going on. I get a successful curl with base64 encoded org:<PAT> token with basic auth, but when I add the same token to my DEPENDABOT_EXTRA_CREDENTIALS it throws auth errors. Looking at the update script, it seems like this should be using the same auth as my curl (see curl below). Is there any way to log the auth header to see what value the request is getting?

curl: curl -L -H "Authorization: Basic " \ -H "Accept: application/octet-stream" \ -o my-package.tgz \ -v \ "https://pkgs.dev.azure.com/org/_packaging/eSmart/npm/registry/eslint"

docker command (I've tried 1.24, 1.27 and 1.29): docker run --rm -i \ -e DEPENDABOT_PACKAGE_MANAGER=npm \ -e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=1 \ -e DEPENDABOT_DIRECTORY=/ \ -e DEPENDABOT_TARGET_BRANCH=main \ -e DEPENDABOT_EXTRA_CREDENTIALS='[{"type":"npm_registry","token":"","replaces-base":true,"registry":"pkgs.dev.azure.com/org/_packaging/company/npm/registry/"}]' \ -e DEPENDABOT_FAIL_ON_EXCEPTION=true \ -e DEPENDABOT_CLOSE_PULL_REQUESTS=true \ -e AZURE_ORGANIZATION=org \ -e AZURE_PROJECT=project \ -e AZURE_REPOSITORY=repo \ -e AZURE_ACCESS_TOKEN=token \ -e AZURE_MERGE_STRATEGY=squash \ -e AZURE_SET_AUTO_COMPLETE=true \ ghcr.io/tinglesoftware/dependabot-updater-npm:1.29 update_script \