
I currently have the following pipeline working:

schedules:
  - cron: "0 20 * * FRI"
    displayName: 'Weekly Run'
    always: true
    branches:
      include:
        - 'develop'

trigger: none

variables:
  DEPENDABOT_EXTRA_CREDENTIALS: '[{"type":"npm_registry","token":"$(DEPENDABOT_PAT)","registry":"SOME_URL"}]' # put the credentials for private registries and feeds
pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: CheckDependencies
    displayName: 'Check Dependencies'
    jobs:
      - job: Dependabot
        displayName: 'Run Dependabot'
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - task: dependabot@1
            displayName: 'Run Dependabot - npm'
            inputs:
              useConfigFile: false
              packageManager: 'npm'
              setAutoComplete: false
              azureDevOpsAccessToken: $(DEPENDABOT_PAT)  # env variable 
              gitHubAccessToken: $(GITHUB_TOKEN)  # env variable
              targetBranch: 'develop'
              openPullRequestsLimit: 15

However, it has started giving the following warning:
"Using explicit inputs instead of a configuration file will be deprecated in the next minor release.
Migrate to using a config file at .azuredevops/dependabot.yml or .github/dependabot.yml."

I have added the config file per the docs: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries

with my config file looking like this:

version: 2
registries:
  npm-reg:
    type: npm-registry
    url: https://pkgs.dev.azure.com/BC-SDPR-Research/_packaging/Research/npm/registry/
    token: ${{secrets.AZURE_ACCESS_TOKEN}}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-reg
    schedule:
      interval: "weekly"
      day: "Friday"
      time: "20:00"
      timezone: "America/Los_Angeles"
    open-pull-requests-limit: 15
    setAutoComplete: false
    azureDevOpsAccessToken: ${{secrets.AZURE_ACCESS_TOKEN}}
    gitHubAccessToken: ${{secrets.GITHUB_TOKEN}}
    targetBranch: 'develop'
    openPullRequestsLimit: 15

I have tried everything, and I am still getting the error:
Dependabot::Clients::Azure::Forbidden (Dependabot::Clients::Azure::Forbidden)

This is likely generated due to authentication with my npm registry.

Any help would be greatly appreciated.

Thanks

2 Answers


  1. Chosen as BEST ANSWER

    The Azure Dependabot Docs and authentication method have been updated:

    version: 2
    registries:
      communities:
        type: npm-registry
        token: PAT:${{DEPENDABOT_PAT}}
        url: pkgs.dev.azure.com/BC-SDPR-Research/_packaging/Research/npm/registry/
    

    Works great, per docs: https://github.com/tinglesoftware/dependabot-azure-devops


  2. Based on this post and on this GitHub issue comment, we can't use the token property; instead we use the username and password properties, with the PAT used as the password.

    registries:
      npm-reg:
        type: npm-registry
        url: https://pkgs.dev.azure.com/<org>/<id>/_packaging/<feed-name>/npm/registry/
        username: <username> # I am not 100% sure that this value HAS to match the PAT...
        password: ${{secrets.DEVOPS_PAT}} # this is the non-base64 encoded PAT
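As an added example that is not part of the question or of either answer: the questioner's weekly pipeline moved to config-file mode, paired with the registry token form from the first answer (the second answer's username/password form would be wired the same way, with DEVOPS_PAT mapped instead of DEPENDABOT_PAT). Two things here are assumptions rather than facts from the page: that the task substitutes ${{DEPENDABOT_PAT}} in .azuredevops/dependabot.yml from its process environment, so the secret variable has to be mapped with env:, and the placeholder probe package name. The organisation name is taken from the registry URL in the question. The preflight step checks the same PAT against the Azure DevOps REST API (the client behind Dependabot::Clients::Azure::Forbidden) and against the npm feed, which takes HTTP Basic auth with the PAT as the password, so an expired token or a missing scope shows up as a readable status before Dependabot runs.

```yaml
# Added example, not code from the question, the answers, or the dependabot-azure-devops project.
schedules:
  - cron: "0 20 * * FRI"
    displayName: 'Weekly Run'
    always: true
    branches:
      include:
        - 'develop'

trigger: none

pool:
  vmImage: 'ubuntu-latest'

variables:
  # DEPENDABOT_EXTRA_CREDENTIALS is no longer needed: the feed and its token
  # live in the registries: section of .azuredevops/dependabot.yml.
  ORG_NAME: 'BC-SDPR-Research'   # taken from the registry URL in the question
  REGISTRY_URL: 'https://pkgs.dev.azure.com/BC-SDPR-Research/_packaging/Research/npm/registry/'
  PROBE_PACKAGE: 'lodash'        # placeholder: any package name the feed can serve

stages:
  - stage: CheckDependencies
    displayName: 'Check Dependencies'
    jobs:
      - job: Dependabot
        displayName: 'Run Dependabot'
        steps:
          # Preflight: exercise the PAT against both endpoints Dependabot will
          # talk to and fail with an HTTP status instead of a bare Forbidden.
          # Only status codes are printed; the token never appears in the log.
          - bash: |
              set -euo pipefail
              probe() {   # probe <label> <basic-auth user:password> <url>
                code=$(curl -sS -o /dev/null -w '%{http_code}' -u "$2" "$3")
                echo "$1 -> HTTP $code"
                case "$code" in
                  200) ;;
                  401) echo "  not authenticated: PAT invalid, expired, or not accepted by this host"; return 1 ;;
                  403) echo "  authenticated but not authorised: check PAT scopes and project/feed permissions"; return 1 ;;
                  *)   echo "  unexpected status"; return 1 ;;
                esac
              }
              # Azure DevOps REST: Basic auth with an empty username and the PAT as password.
              probe "Azure DevOps REST" ":${PAT}" \
                "https://dev.azure.com/${ORG_NAME}/_apis/projects?api-version=7.0"
              # Azure Artifacts npm feed: Basic auth, any username, PAT as password.
              probe "npm feed" "PAT:${PAT}" "${REGISTRY_URL}${PROBE_PACKAGE}"
            displayName: 'Preflight: verify PAT against org and feed'
            env:
              PAT: $(DEPENDABOT_PAT)      # secret variables are not inherited; map explicitly
              ORG_NAME: $(ORG_NAME)
              REGISTRY_URL: $(REGISTRY_URL)
              PROBE_PACKAGE: $(PROBE_PACKAGE)

          - task: dependabot@1
            displayName: 'Run Dependabot (config file)'
            inputs:
              useConfigFile: true         # package manager, schedule and registries come from the file
              setAutoComplete: false
              azureDevOpsAccessToken: $(DEPENDABOT_PAT)
              gitHubAccessToken: $(GITHUB_TOKEN)
            env:
              # Assumed to be substituted into `token: PAT:${{DEPENDABOT_PAT}}` in the config file.
              DEPENDABOT_PAT: $(DEPENDABOT_PAT)
```

Keep DEPENDABOT_PAT and GITHUB_TOKEN as secret (locked) pipeline variables; the preflight step deliberately prints nothing but the label and status code. If the REST probe returns 200 and the feed probe returns 401 or 403, the problem is feed permissions or a PAT without packaging scope rather than the registry syntax in dependabot.yml; if the REST probe itself fails, the Forbidden comes from the repository and pull request calls, not from npm.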
    