Cargo private registry support #3478
Comments
We've been recommending folks use the
Alternatively, are you looking for #1767? |
Hi @asciimike, |
@tomershaniii I believe you can just use
As the actual dependency should have the full URL. Mind giving that a try and letting me know if it works? |
Unfortunately it does not. I've reached out to the Cloudsmith team, who indicated the full URL is required. |
Hi Mike. Also, do you know how to add a token instead of a basic auth username and password? username: x-access-token |
No. The
Should work, if you have a
I believe we only support HTTP basic auth, as that's what the GitHub |
Using url: https://dl.cloudsmith.io/ |
Full dependency.yml
|
Hi @asciimike, my environment variable will be something like CARGO_REGISTRIES_CLOUDSMITH_TEST_CIARA_REPO1_INDEX=URL. So I added the CARGO_REGISTRIES_CLOUDSMITH_TEST_CIARA_REPO1_INDEX environment variable secret to Settings->Secrets->Dependabot and I continued to get the same error. Maybe it can't directly access the environment variable; does it expect it to be preseeded by 'secrets' like the password above? Any advice on how to add an environment variable that Dependabot can access would be great. Thanks |
Ok, I think my brain got a bit scrambled between We don't have the ability to plumb arbitrary env vars (the secrets are a pretty special case), and I feel like the former (parsing |
@asciimike thanks so much for getting back to us, |
Hey guys, do you know if Dependabot supports Cargo private registries, or if there is a way to use an arbitrary env var? |
Unfortunately we haven't been able to prioritize this work, and probably won't be able to for at least another quarter. There isn't a way to do arbitrary env vars at present. |
I closed #1767 as a dupe of this, since this has a little more implementation detail. There is a fork of Dependabot mentioned in #1767 (comment) where @johnbatty added the necessary bits to talk to private registries. Also two crates that @lilymara-onesignal put together for initial testing/debugging purposes: #1767 (comment) We're definitely interested in PRs if someone wants to take a crack at this (hint @johnbatty 😄 ). However, I should mention that within GitHub we use an internal proxy for handling credentials so that they're never exposed to untrusted user code while evaluating package managers; i.e., landing on That said, since Dependabot can also be wired up to run as a GitHub action, once the code lands in |
I see from the documentation here that a token is an option for the arguments. Does this mean that we can set this up now, or is there still something barring the way? Trying to clarify before doing a bunch of configuration only to find out this ticket is still open for a reason. |
Alternate registry authentication has stabilized in the Rust toolchain (x-ref rust-lang/cargo#10474 for the tracking issue). Are there any plans to add support here now that private registry auth is stable? |
It feels like I am running exactly into this configuration mismatch. I am using a private registry and the registry's index is configured in the ...

```toml
[dependencies]
name = { version = "...", registry = "..." }
```

... Cargo is able to resolve this because it knows the registry's index by parsing the

```
updater | 2024/01/11 08:33:55 INFO <job_3566> Handled error whilst updating derive-new: dependency_file_not_resolvable {:message=>"error: failed to parse manifest at `dependabot_tmp_dir/Cargo.toml`\n\nCaused by:\n no index found for registry: `...`"}
```

Is there any plan to fix this? BR, |
@danielhaap83 That change is included in #8719. I'm waiting on reviews right now for the full change to support private registries there. |
Hey @CodingAnarchy do you want me to test out anything? |
Support for fetching with alternate registry authentication may be a little tricky. Dependabot on GitHub (and via the CLI) doesn't provide authentication directly to package managers and instead applies authentication to network requests with an HTTP proxy. If the |
@ciaracarey ; would it be possible to get some testing done please? @mctofu and @pavera shipped some changes towards this goal this week. |
I think I've added support for sparse cargo registry authentication to our proxy but I don't have access to a registry to test against. It's currently available to try via the Dependabot CLI. I expect there may be further changes needed in the updater to get this fully working but this should help determine what's needed in #8719. To try it out, first install the CLI. Create a job.yml file as follows. Replace the source repo with your own as well as the url and token for the cargo credentials. The proxy will apply authentication to requests matching the host of the url and under the path of the url. The value of the token will be directly set as the
If the source repo is private, set an env variable named LOCAL_GITHUB_ACCESS_TOKEN to a github PAT which can read the repo. Run dependabot update -f job.yml and verify you can get updates to the private dependency. To use the CLI to test changes to core, check out the debugging guide. edit: Note this is only for sparse registries. If using a git registry then use the existing guidance for configure authentication for git: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#git |
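The host-and-path scoping described in the comment above is the security-relevant part of the proxy design: the registry token is only attached to requests whose host matches the configured registry URL and whose path sits under it, so a manifest that points a dependency at some other host or a sibling path on the same host never receives the credential. The Go program below is an added illustration of that decision logic; it is not code from dependabot-core, the Dependabot proxy or the CLI. Its type and function names are my own, the sample credential and request URLs are constructed for the example (the Cloudsmith hostname mirrors the one quoted in the thread, the token is a placeholder), it assumes the token value is copied verbatim into the Authorization header, consistent with the "Token [pat]" value a later comment uses, and the https-only guard is an extra check added here, not documented proxy behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Credential mirrors the cargo_registry entry from a job.yml: a registry name,
// the registry URL, and the token the proxy injects. The field names are this
// example's own, not the Dependabot CLI's types.
type Credential struct {
	Registry string
	URL      string
	Token    string
}

// inScope reports whether reqURL falls under cred.URL: same host
// (case-insensitive) and a path equal to, or a whole-segment child of, the
// credential path. "https://cargo.cloudsmith.io/shopify/rust/" therefore covers
// ".../shopify/rust/config.json" but not ".../shopify/rust-internal/...".
// The https requirement is an assumption added here, not something the thread
// states the proxy enforces.
func inScope(cred Credential, reqURL *url.URL) bool {
	base, err := url.Parse(cred.URL)
	if err != nil || base.Host == "" {
		return false
	}
	if reqURL.Scheme != "https" {
		return false // never hand a registry token to a plaintext endpoint
	}
	if !strings.EqualFold(base.Host, reqURL.Host) {
		return false
	}
	basePath := strings.TrimSuffix(base.Path, "/")
	return reqURL.Path == basePath || strings.HasPrefix(reqURL.Path, basePath+"/")
}

// inject sets Authorization on r from the first matching credential and
// returns the registry name that matched. The token is placed verbatim
// (assumption), which is why a token value carries its own scheme word.
func inject(creds []Credential, r *http.Request) (string, bool) {
	for _, c := range creds {
		if inScope(c, r.URL) {
			r.Header.Set("Authorization", c.Token)
			return c.Registry, true
		}
	}
	return "", false
}

// decide builds a GET for rawURL, runs it through inject, and reports which
// registry (if any) received its token and what header value was set.
func decide(creds []Credential, rawURL string) (registry string, injected bool, header string) {
	r, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return "", false, ""
	}
	registry, injected = inject(creds, r)
	return registry, injected, r.Header.Get("Authorization")
}

// sampleCreds is constructed for this example: the host and path follow the
// Cloudsmith layout quoted in the thread; the token is a placeholder.
var sampleCreds = []Credential{
	{Registry: "shopify-rust", URL: "https://cargo.cloudsmith.io/shopify/rust/", Token: "Token example-placeholder"},
}

func main() {
	// Constructed request URLs: the sparse index config, a crate download,
	// a sibling path on the same host, another registry, and a plaintext URL.
	for _, u := range []string{
		"https://cargo.cloudsmith.io/shopify/rust/config.json",
		"https://cargo.cloudsmith.io/shopify/rust/api/v1/crates/serde/1.0.197/download",
		"https://cargo.cloudsmith.io/shopify/rust-internal/config.json",
		"https://index.crates.io/config.json",
		"http://cargo.cloudsmith.io/shopify/rust/config.json",
	} {
		reg, ok, hdr := decide(sampleCreds, u)
		fmt.Printf("%-78s inject=%-5v registry=%q authorization=%q\n", u, ok, reg, hdr)
	}
}
```

Only the first two URLs receive the header; the sibling path, the foreign host and the plaintext URL are left untouched. If you adapt this, keep the whole-segment path comparison: a plain string-prefix check on "/shopify/rust" would leak the token to "/shopify/rust-internal/".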
Absolutely, I'll bring this on Monday to the support team.
|
@mctofu were you able to get any validation of this? I am interested in helping get private registries working end-to-end and I have a test case Azure DevOps repo I'm working with internally. I will try your above instructions out against that repository and report back. |
That's great to know @RobJellinghaus ! Let us know how it goes. cc: @carlincherry as fyi and @jonjanego too |
I believe I have set up the correct reproduction of this locally, using my own fork of #8719 merged with current dependabot-core main. Unfortunately it is not working:
This may be a token encoding issue, or something else. My dependabot-cli YAML configuration is:
@mctofu can you please provide a link to the PR where this proxy support was added? I would love to debug it but I haven't been able to locate your change. Thanks very much. |
@mctofu I finally managed to test #8719 with Dependabot CLI and this appears to have worked to resolve the expected updates. The output (trimmed of the network request logs, etc.) is below:
The

```yaml
---
job:
  package-manager: cargo
  allowed-updates:
    - dependency-type: direct
      update-type: all
  source:
    provider: github
    repo: Shopify/shopify-cdp
    directory: "/grpc"
    branch: main
    api-endpoint: https://api.github.com/
    hostname: github.com
credentials:
  - type: cargo_registry
    registry: shopify-rust
    url: "https://cargo.cloudsmith.io/shopify/rust/"
    token: "Token [pat]"
```

Without the I tried to remove the auth work as suggested in #8719 (comment), but that failed on the requests where those tokens are injected (before the I plan to update #8719 to resolve the conflicts it now has with |
Can someone clarify what the state is? With #8719 merged, is private registry support coming to the Github dependabot service ( |
I reached out to GH support last week because support for GH Dependabot still needs to be implemented. |
This feature launched today! https://github.blog/changelog/2024-06-03-dependabot-now-supports-private-cargo-registries/ |
Cargo scanning doesn't seem to support private cargo registries.
It'd be great to be able to add something like this;