
add docker hub token for auth'd requests; add cooldown back into dependabot.yml #24703

Merged
eviljeff merged 3 commits into master from dependabot-dockerhub-auth
Apr 7, 2026

Conversation

@eviljeff eviljeff commented Apr 2, 2026

Fixes: mozilla/addons#16103 ...?

Description

Adds in auth for dockerhub, so api calls that were previously rejected now work. Also reverts the change to drop cooldown for docker-compose, because the cooldown is what appeared to trigger the api calls.

Context

Note, this only addresses the docker hub registry. If this works for docker hub hosted images we need to repeat for Github's registry (for zizmor), and either get an equivalent token for elasticsearch's dedicated registry, or switch to use docker hub (elasticsearch seems to publish their images on docker hub too).

After merging it might be some time before we know if this actually fixes the issue for sure - we need both a new version of a docker-compose package; and to wait for 7 days for the cooldown period to end. (we could set a shorter, say 1 day, cooldown to accelerate?)

Testing

n/a

Checklist

  • Add #ISSUENUM at the top of your PR to an existing open issue in the mozilla/addons repository.
  • Successfully verified the change locally.
  • The change is covered by automated tests, or otherwise indicated why doing so is unnecessary/impossible.
  • Add before and after screenshots (Only for changes that impact the UI).
  • Add or update relevant docs reflecting the changes made.

@eviljeff eviljeff requested a review from diox April 2, 2026 15:03
Comment thread .github/dependabot.yml Outdated
registries:
  dockerhub:
    type: docker-registry
    url: https://registry-1.docker.io
Member

Don't we need replaces-base: true as well ?

Member Author

replaces-base wasn't a suggested property - it should only be needed when we're using images that are stored on a different registry url than they specify in the docker-compose/dockerfile. (i.e. you're using a private repo). That said, the docs are very unclear. And now I'm doubting that the url I specified is actually the correct url (that's the api url, looks like, but some examples in the docs use https://registry.hub.docker.com instead).

Member

mmm yeah we probably want https://registry.hub.docker.com ? I agree the docs are confusing


diox commented Apr 3, 2026

Also, we want that for docker package ecosystem as well, not just docker-compose


eviljeff commented Apr 7, 2026

Also, we want that for docker package ecosystem as well, not just docker-compose

It's defined at the top level rather than separately under docker and docker-compose. There's only a single docker-registry ecosystem.


eviljeff commented Apr 7, 2026

https://github.com/mozilla/addons-server/pull/24703/checks?check_run_id=70237566496
*le sigh* "The property '#/registries' includes the "dockerhub" registry which is not used in any of the configurations"
(It'd be great if Github copilot would suggest valid values for Github dependabot configuration, in Github)


eviljeff commented Apr 7, 2026

https://github.com/mozilla/addons-server/pull/24703/checks?check_run_id=70237566496 *le sigh* "The property '#/registries' includes the "dockerhub" registry which is not used in any of the configurations" (It'd be great if Github copilot would suggest valid values for Github dependabot configuration, in Github)

which is also what's written in their doc:
https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#docker-registry

registries:
  dockerhub:
    type: docker-registry
    url: https://registry.hub.docker.com
    username: "mozilla"

registries:
  dockerhub:
    type: docker-registry
    url: https://registry.hub.docker.com
    username: octocat

😕
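The validator error quoted in the comment above says the top-level registries block is rejected unless at least one update block actually references it. The following dependabot.yml is an added illustration of that wiring, not the file from this PR: the registry url and username follow the snippets quoted above, while the secret name DOCKERHUB_TOKEN, the directory, the weekly schedule and the 7-day cooldown value are assumptions. The token is read from a GitHub secret so it never lands in the repository, and replaces-base is deliberately left unset because the images are pulled from Docker Hub itself, matching the reasoning in the review thread.

```yaml
version: 2

# Credentials Dependabot presents to Docker Hub so that its metadata
# requests are authenticated instead of being rejected.
registries:
  dockerhub:
    type: docker-registry
    url: https://registry.hub.docker.com
    username: mozilla
    # Secret name is an assumption; the token lives in repository secrets,
    # never in this file.
    password: ${{ secrets.DOCKERHUB_TOKEN }}
    # replaces-base is omitted: only needed when images are hosted on a
    # registry other than the one named in the Dockerfile / compose file.

updates:
  # Every ecosystem that should use the token must list the registry here;
  # without these entries the config validator reports the registry as unused.
  - package-ecosystem: docker
    directory: /            # assumed location of the Dockerfile
    schedule:
      interval: weekly      # assumed schedule
    registries:
      - dockerhub
    cooldown:
      default-days: 7       # wait before proposing a newly published tag

  - package-ecosystem: docker-compose
    directory: /            # assumed location of docker-compose.yml
    schedule:
      interval: weekly
    registries:
      - dockerhub
    cooldown:
      default-days: 7
```

Both update blocks point at the one shared registry definition, which is why, as noted in the thread, it is declared once at the top level rather than per ecosystem. Lowering default-days is the knob mentioned in the PR description for seeing sooner whether the authenticated lookups succeed.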

@eviljeff eviljeff requested a review from diox April 7, 2026 12:42
@eviljeff eviljeff merged commit 1fbca04 into master Apr 7, 2026
45 checks passed
@eviljeff eviljeff deleted the dependabot-dockerhub-auth branch April 7, 2026 15:11
Development

Successfully merging this pull request may close these issues.

[Bug]: Dependabot docker compose errors