How to provide GitHub and Azure DevOps Token? #1509

mikeKuester · 2024-12-09T13:45:12Z

mikeKuester
Dec 9, 2024

Hello,

I'm a bit confused how to provide the tokens?

I have a .NET 8 solution in a private organization and only packages from nuget.org.

I started with dependabot-script and got this "partially" working. I wasn't able to limit the updates to security updates (seems to ignore my dependabot.yml and so on). But before digging deeper, I found this project here, installed the Marketplace Extension and create the mentioned pipeline:

trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- task: dependabot@2

I was wondering, that no tokens seems to be required, but I run the pipeline and was happy as it says: Success ...

But, after opening the result, I saw that it has two errors:

Dependabot failed with exit code 1
Update job error: dependency_file_not_found {"file-path":null,"message":"No files found in /"}

cli | 2024/12/09 12:31:24 Failed to find credentials for GitHub container registry.

In the readme.md I found only examples with tokens for private registries.

Do I have to provide a GitHub and / or an Azure DevOps Access Token? Like with the dependabot-script? How?

Full log

2024-12-09T12:30:53.3673494Z ##[section]Starting: dependabot
2024-12-09T12:30:53.3683547Z ==============================================================================
2024-12-09T12:30:53.3683749Z Task         : Dependabot
2024-12-09T12:30:53.3683839Z Description  : Automatically update dependencies and vulnerabilities in your code using [Dependabot CLI](https://github.com/dependabot/cli)
2024-12-09T12:30:53.3684009Z Version      : 2.39.1099
2024-12-09T12:30:53.3684112Z Author       : Tingle Software
2024-12-09T12:30:53.3684204Z Help         : https://github.com/tinglesoftware/dependabot-azure-devops/issues
2024-12-09T12:30:53.3684332Z ==============================================================================
2024-12-09T12:30:53.8305879Z ##[warning]Security-only updates incur a slight performance overhead due to limitations in Dependabot CLI. For more info, see: https://github.com/tinglesoftware/dependabot-azure-devops/blob/main/docs/migrations/v1-to-v2.md#security-only-updates
2024-12-09T12:30:54.1520893Z ##[group]Job 'discover-0-nuget-dependency-list'
2024-12-09T12:30:54.1529490Z ##[section]Installing Dependabot CLI
2024-12-09T12:30:54.1541016Z [command]/usr/bin/go install github.com/dependabot/cli/cmd/dependabot@latest
2024-12-09T12:30:54.5741890Z go: downloading github.com/dependabot/cli v1.57.0
2024-12-09T12:30:54.7230770Z go: downloading github.com/MakeNowJust/heredoc v1.0.0
2024-12-09T12:30:54.7252580Z go: downloading github.com/spf13/cobra v1.8.1
2024-12-09T12:30:54.8444412Z go: downloading gopkg.in/yaml.v3 v3.0.1
2024-12-09T12:30:54.9893261Z go: downloading github.com/docker/cli v27.3.1+incompatible
2024-12-09T12:30:54.9933815Z go: downloading github.com/docker/docker v27.3.1+incompatible
2024-12-09T12:30:56.0006274Z go: downloading github.com/hexops/gotextdiff v1.0.3
2024-12-09T12:30:56.0007314Z go: downloading github.com/goware/prefixer v0.0.0-20160118172347-395022866408
2024-12-09T12:30:56.0954628Z go: downloading github.com/moby/moby v27.3.1+incompatible
2024-12-09T12:30:57.0293149Z go: downloading github.com/moby/sys/signal v0.7.1
2024-12-09T12:30:57.1789214Z go: downloading github.com/spf13/pflag v1.0.5
2024-12-09T12:30:57.2864034Z go: downloading github.com/moby/term v0.5.0
2024-12-09T12:30:57.3032036Z go: downloading github.com/sirupsen/logrus v1.9.3
2024-12-09T12:30:57.3794522Z go: downloading github.com/docker/go-connections v0.5.0
2024-12-09T12:30:57.4254228Z go: downloading github.com/opencontainers/go-digest v1.0.0
2024-12-09T12:30:57.4756044Z go: downloading github.com/opencontainers/image-spec v1.1.0
2024-12-09T12:30:57.5337604Z go: downloading github.com/docker/go-units v0.5.0
2024-12-09T12:30:57.6009737Z go: downloading github.com/moby/docker-image-spec v1.3.1
2024-12-09T12:30:57.6378596Z go: downloading github.com/containerd/log v0.1.0
2024-12-09T12:30:57.6911657Z go: downloading github.com/klauspost/compress v1.17.11
2024-12-09T12:30:57.7281747Z go: downloading github.com/moby/patternmatcher v0.6.0
2024-12-09T12:30:57.8392535Z go: downloading github.com/moby/sys/sequential v0.6.0
2024-12-09T12:30:57.9075064Z go: downloading github.com/moby/sys/userns v0.1.0
2024-12-09T12:30:58.0174307Z go: downloading github.com/pkg/errors v0.9.1
2024-12-09T12:30:58.1100565Z go: downloading golang.org/x/sys v0.26.0
2024-12-09T12:30:58.4438031Z go: downloading github.com/distribution/reference v0.6.0
2024-12-09T12:30:58.5573780Z go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0
2024-12-09T12:30:58.6895953Z go: downloading go.opentelemetry.io/otel/trace v1.31.0
2024-12-09T12:30:58.7932777Z go: downloading go.opentelemetry.io/otel v1.31.0
2024-12-09T12:30:59.0746427Z go: downloading github.com/moby/sys/user v0.3.0
2024-12-09T12:30:59.1094645Z go: downloading github.com/felixge/httpsnoop v1.0.4
2024-12-09T12:30:59.1859824Z go: downloading go.opentelemetry.io/otel/metric v1.31.0
2024-12-09T12:30:59.2121009Z go: downloading github.com/gogo/protobuf v1.3.2
2024-12-09T12:30:59.2899853Z go: downloading github.com/go-logr/logr v1.4.2
2024-12-09T12:30:59.4192961Z go: downloading github.com/go-logr/stdr v1.2.2
2024-12-09T12:31:24.2437065Z 
2024-12-09T12:31:24.2438387Z ##[section]Processing job from '/tmp/dependabot-jobs/discover-0-nuget-dependency-list/job.yaml'
2024-12-09T12:31:24.2439537Z [command]/home/vsts/go/bin/dependabot update --file /tmp/dependabot-jobs/discover-0-nuget-dependency-list/job.yaml --output /tmp/dependabot-jobs/discover-0-nuget-dependency-list/scenario.yaml --provider azure
2024-12-09T12:31:24.2509618Z cli | 2024/12/09 12:31:24 Failed to find credentials for GitHub container registry.
2024-12-09T12:31:24.2511017Z cli | 2024/12/09 12:31:24 pulling image: ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest
2024-12-09T12:31:26.1457909Z cli | 2024/12/09 12:31:26 using image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest at sha256:65840fd51552409dc30655c6c926be38277e1ff4d0f3d39f397908afeb6ad5f9
2024-12-09T12:31:26.1462937Z cli | 2024/12/09 12:31:26 Failed to find credentials for GitHub container registry.
2024-12-09T12:31:26.1470743Z cli | 2024/12/09 12:31:26 pulling image: ghcr.io/dependabot/dependabot-updater-nuget
2024-12-09T12:32:06.8536214Z cli | 2024/12/09 12:32:06 using image ghcr.io/dependabot/dependabot-updater-nuget at sha256:886b4cfb7376fa18ad2f7fbef5eed734e4524d8e8cb25f6f15a6074e9ee08fec
2024-12-09T12:32:07.7901023Z updater | Updating certificates in /etc/ssl/certs...
2024-12-09T12:32:08.6636158Z updater | rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
2024-12-09T12:32:08.6711795Z updater | 1 added, 0 removed; done.
2024-12-09T12:32:08.6712339Z updater | Running hooks in /etc/ca-certificates/update.d...
2024-12-09T12:32:08.6731027Z updater | done.
2024-12-09T12:32:08.7114808Z updater | NuGet native updater experiment value: null
2024-12-09T12:32:11.3982872Z updater | 2024/12/09 12:32:11 INFO <job_discover_0_nuget_dependency_list> Starting job processing
2024-12-09T12:32:11.3984437Z updater | 2024/12/09 12:32:11 INFO <job_discover_0_nuget_dependency_list> Job definition: {"job":{"package-manager":"nuget","allowed-updates":[{"update-type":"all"}],"debug":false,"dependency-groups":[],"dependencies":null,"dependency-group-to-refresh":null,"existing-pull-requests":[],"existing-group-pull-requests":[],"experiments":null,"ignore-conditions":[{"dependency-name":"*"}],"lockfile-only":false,"requirements-update-strategy":null,"security-advisories":[],"security-updates-only":false,"source":{"provider":"azure","repo":"***/***/_git/***","directory":"/","hostname":"***","api-endpoint":"https://***:/"},"update-subdependencies":false,"updating-a-pull-request":false,"vendor-dependencies":false,"reject-external-code":false,"repo-private":false,"commit-message-options":null,"credentials-metadata":[{"host":"***","type":"git_source"}],"max-updater-run-time":0}}
2024-12-09T12:32:12.1112122Z updater | 2024/12/09 12:32:12 INFO <job_discover_0_nuget_dependency_list> Discovery JSON path for workspace path [/] created for file [/home/dependabot/.dependabot/discovery_map.json] at location [/home/dependabot/.dependabot/discovery.1.json]
2024-12-09T12:32:12.1129037Z updater | running NuGet discovery:
2024-12-09T12:32:12.1129528Z updater | /opt/nuget/NuGetUpdater/NuGetUpdater.Cli discover --job-path /home/dependabot/dependabot-updater/job.json --repo-root /home/dependabot/dependabot-updater/repo --workspace / --output /home/dependabot/.dependabot/discovery.1.json
2024-12-09T12:32:12.3962989Z updater | 2024/12/09 12:32:12 INFO Discovering build files in workspace [/home/dependabot/dependabot-updater/repo].
2024-12-09T12:32:12.3964515Z updater | 2024/12/09 12:32:12 INFO   No dotnet-tools.json file found.
2024-12-09T12:32:12.3964818Z updater | 2024/12/09 12:32:12 INFO   No global.json file found.
2024-12-09T12:32:12.3965049Z updater | 2024/12/09 12:32:12 INFO   Discovering projects beneath [.].
2024-12-09T12:32:12.3965255Z updater | 2024/12/09 12:32:12 INFO   No project files found.
2024-12-09T12:32:12.3965454Z updater | 2024/12/09 12:32:12 INFO Discovery complete.
2024-12-09T12:32:12.4008146Z updater | 2024/12/09 12:32:12 INFO <job_discover_0_nuget_dependency_list> Discovery JSON content: {
2024-12-09T12:32:12.4009352Z updater |   "Path": "",
2024-12-09T12:32:12.4009726Z updater |   "IsSuccess": true,
2024-12-09T12:32:12.4010075Z updater |   "Projects": [],
2024-12-09T12:32:12.4010426Z updater |   "GlobalJson": null,
2024-12-09T12:32:12.4010739Z updater |   "DotNetToolsJson": null,
2024-12-09T12:32:12.4011163Z updater |   "ErrorType": null,
2024-12-09T12:32:12.4011655Z updater |   "ErrorDetails": null
2024-12-09T12:32:12.4011878Z updater | }
2024-12-09T12:32:12.4031309Z updater | 2024/12/09 12:32:12 INFO <job_discover_0_nuget_dependency_list> Discovery JSON path for workspace path [/] found in file [/home/dependabot/.dependabot/discovery_map.json] at location [/home/dependabot/.dependabot/discovery.1.json]
2024-12-09T12:32:12.4111368Z updater | 2024/12/09 12:32:12 INFO <job_discover_0_nuget_dependency_list> Discovery JSON path for workspace path [/] found in file [/home/dependabot/.dependabot/discovery_map.json] at location [/home/dependabot/.dependabot/discovery.1.json]
2024-12-09T12:32:12.4157417Z updater | 2024/12/09 12:32:12 ERROR <job_discover_0_nuget_dependency_list> Error during file fetching; aborting: No files found in /
2024-12-09T12:32:12.4732902Z {"data":{"error-type":"dependency_file_not_found","error-details":{"file-path":null,"message":"No files found in /"}},"type":"record_update_job_error"}
2024-12-09T12:32:12.4795629Z {"data":{"base-commit-sha":"c017ee799cbd6d0e542ab550b1ab74a8675e651a"},"type":"mark_as_processed"}
2024-12-09T12:32:12.4801508Z updater | 2024/12/09 12:32:12 INFO <job_discover_0_nuget_dependency_list> Finished job processing
2024-12-09T12:32:12.4815663Z updater | 2024/12/09 12:32:12 INFO Results:
2024-12-09T12:32:12.4816142Z updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
2024-12-09T12:32:12.4816543Z updater | +---------------------------+
2024-12-09T12:32:12.4816912Z updater | |          Errors           |
2024-12-09T12:32:12.4867107Z updater | +---------------------------+
2024-12-09T12:32:12.4867351Z updater | | dependency_file_not_found |
2024-12-09T12:32:12.4867537Z updater | +---------------------------+
2024-12-09T12:32:13.2057214Z cli | 2024/12/09 12:32:13 updater failure: updater exited with code 1
2024-12-09T12:32:13.2071869Z ##[error]Dependabot failed with exit code 1
2024-12-09T12:32:13.2084680Z ##[section]Processing job outputs from '/tmp/dependabot-jobs/discover-0-nuget-dependency-list/scenario.yaml'
2024-12-09T12:32:13.2089915Z ##[section]Processing 'record_update_job_error'
2024-12-09T12:32:13.2091019Z ##[error]Update job error: dependency_file_not_found {"file-path":null,"message":"No files found in /"}
2024-12-09T12:32:13.2114007Z ##[section]Processing 'mark_as_processed'
2024-12-09T12:32:13.2114720Z ##[endgroup]
2024-12-09T12:32:13.2114980Z ##[section]GHSA dependency vulnerability check
2024-12-09T12:32:13.2115320Z No vulnerabilities detected in any dependencies
2024-12-09T12:32:13.2115584Z Nothing to update; dependencies are not affected by any known vulnerability
2024-12-09T12:32:13.2172782Z ##[section]Finishing: dependabot

Answered by rhyskoedijk

Dec 9, 2024

@mikeKuester have a look at the task parameters documentation if you haven't already, it covers the token parameters you're looking for.

Example using service connections:

        - task: dependabot@2
          inputs:
            azureDevOpsServiceConnection: 'Dependabot DevOps User'
            gitHubConnection: 'Dependabot GitHub User'

Example using access tokens:

        - task: dependabot@2
          inputs:
            azureDevOpsAccessToken: $(MY_SECRET_DEVOPS_TOKEN)
            gitHubAccessToken: $(MY_SECRET_GITHUB_TOKEN)

Regarding the error in your logs, it looks like a dependabot.yml misconfiguration to me; Dependabot could not find any .NET solution or project files in the dire…

View full answer

rhyskoedijk · 2024-12-09T21:04:20Z

rhyskoedijk
Dec 9, 2024

@mikeKuester have a look at the task parameters documentation if you haven't already, it covers the token parameters you're looking for.

Example using service connections:

        - task: dependabot@2
          inputs:
            azureDevOpsServiceConnection: 'Dependabot DevOps User'
            gitHubConnection: 'Dependabot GitHub User'

Example using access tokens:

        - task: dependabot@2
          inputs:
            azureDevOpsAccessToken: $(MY_SECRET_DEVOPS_TOKEN)
            gitHubAccessToken: $(MY_SECRET_GITHUB_TOKEN)

Regarding the error in your logs, it looks like a dependabot.yml misconfiguration to me; Dependabot could not find any .NET solution or project files in the directory /. Are you sure there is a file in the root directory? do you need to update your directory/directories config to point to the correct path?

3 replies

mikeKuester Dec 10, 2024
Author

Hello @rhyskoedijk,

😯

sorry, shame on me. I searched hours for a solution with the other project and ...

With the access tokens and the right path it works! Thank you.

My .NET solution file is in the subfolder "DepenabotTestApp", so I have to use this setting:

version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/DepenabotTestApp"
    # only security updates
    open-pull-requests-limit: 0

The created pull requests leads me to a bug (character encoding in the PR message) and a question (this script updates the vulnerable package SharpZipLib to 1.3.3. and the dependabot-script to 1.4.2). I'll create an issue for the bug and try to search a bit, before creating a new question here.

mikeKuester Dec 10, 2024
Author

Ok, I found the reason for different package version:

this script updates the vulnerable package SharpZipLib to 1.3.3. and the dependabot-script to 1.4.2

If I remove the limiting to the security updates (open-pull-requests-limit: 0) I got also the bump to 1.4.2. Seems this limits the selected version.

rhyskoedijk Dec 11, 2024

If you think there might be a problem with the selected version for the update, feel free to log an issue with the relevant logs from the update and we can investigate further. thanks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to provide GitHub and Azure DevOps Token? #1509

{{title}}

Replies: 1 comment 3 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

How to provide GitHub and Azure DevOps Token? #1509

mikeKuester Dec 9, 2024

Replies: 1 comment · 3 replies

rhyskoedijk Dec 9, 2024

mikeKuester Dec 10, 2024 Author

mikeKuester Dec 10, 2024 Author

rhyskoedijk Dec 11, 2024

mikeKuester
Dec 9, 2024

Replies: 1 comment 3 replies

rhyskoedijk
Dec 9, 2024

mikeKuester Dec 10, 2024
Author

mikeKuester Dec 10, 2024
Author