Any way to skip private registries?
sblatnick opened this issue · 5 comments
When dependabot runs in GitHub Actions, it seems to work without access to private registries.
How can I get that functionality from dependabot/cli?
When it hits a private registry and fails to authenticate, the process exits with an error. I'd like to still get the results I would have from GitHub Actions.
There isn't a way to skip private registries that I'm aware of.
- If your dependency tree includes private packages, then for many ecosystems Dependabot needs to fetch those packages in order to know whether it can safely upgrade other packages in the tree--even if it's not upgrading the private registry ones.
- Also, for many ecosystems, Dependabot doesn't even control the access/tree walking--it hands off to the native package manager process (pip, bundler, yarn, etc.) and waits for answers. We intentionally want to be a wrapper around native package managers wherever possible, rather than us trying to replicate (poorly) their behavior.
Thank you for the feedback, but I still am having trouble understanding the result discrepancies.
How does this work in GitHub Actions? Dependabot can't access private registries from there, but it can still return results? The problem I perceive is that GitHub Actions can still return at least partial results whereas the CLI client fails without any results.
Hmm... you got me there. Re-opening.
Can you share logs of a GitHub Actions run vs a CLI run? Feel free to do so via a support ticket if needed, and mention that I requested you do so in this ticket and request that the ticket be assigned to me.
To set expectations, if there is a bug it'll have to go through our normal triage queue for prioritizing when to fix, but I'm happy to take a quick skim through the logs to see if anything immediately jumps out at me that might just be a misunderstanding... perhaps there's something about how Dependabot works that I'm ignorant of.
Upon Brett's recommendation in the above ticket, I created a personal ticket #2876981
Leaving this one open in case you want to use it for tracking the CLI side of things.
FYI, I have lumped in #282 with my request for logs, which was about dependabot performance.
virtual-care-manager finally finished scanning with dependabot/cli. It took 23.5 hours, and failed in an error causing 0 findings after all of that processing.
Please reopen that ticket if you prefer to track that separately. Otherwise we can combine those here.