dependabot-azure-devops: [🚧] Dependabot 0.14 problem with credentials for private nuget feed in azure devops pipeline

Hi guys,

Can someone assist me with getting this into a dependabot.yml file? This is my current dependabot setup in the pipeline:

```yaml
- task: dependabot@1
  displayName: 'Run Dependabot'
  inputs:
    packageManager: 'nuget'
    directory: '$(Dependabot.Directory)'
    openPullRequestsLimit: '$(Dependabot.OpenPullRequestsLimit)'
    milestone: $(Dependabot.Milestone)
    setAutoComplete: true
    mergeStrategy: '1'
    gitHubAccessToken: '$(Dependabot.GitHubAccessToken)'
    azureDevOpsAccessToken: '$(System.AccessToken)'
    targetRepositoryName: '${{ variables.Repository }}'
    extraEnvironmentVariables: 'DEPENDABOT_EXTRA_CREDENTIALS=[{"type":"nuget_feed","token":"$(VSS_NUGET_ACCESSTOKEN)","url":"https://pkgs.dev.azure.com/$(org)/$(project)/_packaging/$(feed)/nuget/v3/index.json"}]'
```

It took me hours to get this set up and now it is no longer supported by the latest release. The problem I have with the ./github/dependabot.yml file is that I need to declare variables inside of that file that are available in the pipeline, like the "token":"$(VSS_NUGET_ACCESSTOKEN)".

I know that the task in the pipeline now has to be something like this, with no inputs…

```yaml
- task: dependabot@1
  displayName: 'Run Dependabot'
```

I tried it a few times and nothing works at the moment. Can you provide me with a working example of the ./github/dependabot.yml file for this scenario, please? (with pipeline variables inside that file that work fine, and don’t tell me that now I need extra PowerShell to construct the damn config file) Also, is there a way to force this task dependabot@1 to use a specific version of the tinglesoftware/dependabot-azure-devops? It seems to pick the latest on its own. Cheers!

About this issue

  • State: closed
  • Created a year ago
  • Comments: 21 (10 by maintainers)

Most upvoted comments

Hi guys, sorry for the late reply, a lot of other work came up. I have just tested this and it works perfectly fine on my end. I also thought I’d share my setup with anyone that wants a nice and clean setup for this.

Azure DevOps YAML Pipelines: Pipeline name must follow this pattern: Dependabot - name.of.your.repo

It’s easy to set up: you create a template for the pipeline and populate your repos with configs. Then just manage them from the DevOps pipeline page via the name of your repo, and one variable that you set up in the UI.

  • Dependabot.GitHubAccessToken (just a github access token so that you can pull the docker image from github public repo without problems. Best to put it in a variable group and add to the pipeline definition below)

```yaml
trigger: none # Disable CI trigger
schedules:     # Use weekly schedule instead
  - cron: '0 7 * * 1' # on Mondays at 7am UTC
    always: true # run even when there are no code changes
    branches:
      include:
        - 'main'
    batch: true
    displayName: 'on Mondays'

variables:
  - name: Repository
    value: ${{ replace(variables['Build.DefinitionName'],'Dependabot - ', '') }}

stages:
  - stage: CheckDependencies
    displayName: 'Check Dependencies'
    jobs:
      - job: Dependabot
        displayName: 'Dependabot'
        pool:
          # Only works with MacOS and Linux
          vmImage: 'ubuntu-latest'
        steps:
          # This step authenticates your agent user/context to use this repo/REST API
          - checkout: git://your_project_name/${{ variables.Repository }}

          # Creates $(VSS_NUGET_ACCESSTOKEN) for Private feeds
          - task: NuGetAuthenticate@1
            displayName: 'NuGet Private Feed Authentication'

          - task: dependabot@1
            displayName: 'Run Dependabot'
            inputs:
              setAutoComplete: true
              mergeStrategy: '1'
              gitHubAccessToken: '$(Dependabot.GitHubAccessToken)'
              azureDevOpsAccessToken: '$(System.AccessToken)'
              targetRepositoryName: '${{ variables.Repository }}'
```

And the /.github/dependabot.yml:

  • it doesn’t need the schedule block in here.

```yaml
version: 2
updates:
- package-ecosystem: "nuget" # See documentation for possible values
  directory: "/" # Location of package manifests
  milestone: 6809 # work item identifier
  open-pull-requests-limit: 1
  reviewers:
  - "email@example.com"
registries:
  private-nuget:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/your_org/your_project/_packaging/feed_name/nuget/v3/index.json
    token: '${{VSS_NUGET_ACCESSTOKEN}}'
```
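The setup above keeps the feed secret out of the committed dependabot.yml by referencing `${{VSS_NUGET_ACCESSTOKEN}}`, which NuGetAuthenticate@1 populates at run time. The script below is an added example written for this page, not code from dependabot-azure-devops or from the commenter: a small pre-commit style check that scans the `registries:` section of a dependabot.yml and flags a literal credential committed in place of a `${{VAR}}` placeholder, a placeholder whose variable is not set in the environment it is run in, and a registry URL that is not HTTPS. It uses only the standard library and a line-based scan rather than a full YAML parser, so it is only suited to configs laid out like the one above; the function name, the two embedded configs and the placeholder secret value are all constructed for the example.

```python
import os
import re

# Hypothetical lint helper for dependabot.yml registry blocks (not a project API).
# `${{NAME}}` is the form dependabot uses to pull a secret from its environment.
PLACEHOLDER_RE = re.compile(r"^\$\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}$")
SECRET_KEY_RE = re.compile(r"^\s*(token|password|key)\s*:\s*(.+?)\s*$")
URL_LINE_RE = re.compile(r"^\s*url\s*:\s*(.+?)\s*$")


def _unquote(value: str) -> str:
    """Strip one layer of matching single or double quotes from a YAML scalar."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def check_dependabot_registries(config_text: str, env: dict) -> list:
    """Return a list of findings for the `registries:` section of a dependabot.yml.

    Only lines under a top-level `registries:` key are inspected; `updates:` and
    other top-level keys are skipped. A finding is produced when a secret-bearing
    key holds a literal value instead of a `${{VAR}}` placeholder, when the
    placeholder's variable is missing from `env`, or when a registry url is not https.
    """
    findings = []
    in_registries = False
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        # Drop trailing YAML comments; secrets containing '#' are still flagged as
        # literals because whatever remains is not a placeholder.
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            # A column-0 line starts a new top-level key (or an `updates:` list item).
            in_registries = line.strip() == "registries:"
            continue
        if not in_registries:
            continue
        m = SECRET_KEY_RE.match(line)
        if m:
            key, value = m.group(1), _unquote(m.group(2))
            placeholder = PLACEHOLDER_RE.match(value)
            if placeholder is None:
                findings.append(
                    f"line {lineno}: literal {key} value committed to the config; "
                    f"use a ${{{{VAR}}}} placeholder so the secret stays in the pipeline"
                )
            elif placeholder.group(1) not in env:
                findings.append(
                    f"line {lineno}: {key} references {placeholder.group(1)}, "
                    f"which is not set in the current environment"
                )
            continue
        m = URL_LINE_RE.match(line)
        if m and not _unquote(m.group(1)).startswith("https://"):
            findings.append(f"line {lineno}: registry url is not https")
    return findings


# Constructed sample configs: the first mirrors the layout shown above, the second
# commits a made-up literal token and a plain-http feed URL.
GOOD_CONFIG = """version: 2
updates:
- package-ecosystem: "nuget"
  directory: "/"
registries:
  private-nuget:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/your_org/your_project/_packaging/feed_name/nuget/v3/index.json
    token: '${{VSS_NUGET_ACCESSTOKEN}}'
"""

BAD_CONFIG = """version: 2
registries:
  private-nuget:
    type: nuget-feed
    url: http://pkgs.dev.azure.com/your_org/your_project/_packaging/feed_name/nuget/v3/index.json
    token: 'CONSTRUCTED-LITERAL-PAT-NOT-A-REAL-SECRET'
"""

if __name__ == "__main__":
    # On a build agent, run this against the real file and os.environ; after
    # NuGetAuthenticate@1 has run, VSS_NUGET_ACCESSTOKEN is expected to be present.
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        for finding in check_dependabot_registries(text, dict(os.environ)) or ["clean"]:
            print(f"{name}: {finding}")
```

Running it with VSS_NUGET_ACCESSTOKEN set reports the first config as clean and produces two findings for the second; running it without that variable also flags the first config, which is the signal you want when the NuGetAuthenticate@1 step is missing from the pipeline.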