tinglesoftware/dependabot-azure-devops

Issue running with private artifacts repo and yarn v3

Closed this issue · 5 comments

Hello,

I've recently updated from classic yarn to use yarn v3 in my repository. When running dependabot in my pipeline, I get Invalid authentication (as an unknown user) even though I have not changed any configuration or access tokens related to my dependabot setup. Any ideas why this might be happening? Here's the related section of my dependabot.yml:

registries:
  npm-azure:
    type: npm-registry
    url: https://pkgs.dev.azure.com/{ORG}/_packaging/{FEED}/npm/registry/
    token: "{ORG}:${{PAT}}"
    replaces-base: true

If the dependabot configuration hasn't changed in between the other changes, I'd recommend you create a test repository with v3 and attempt to reproduce with minimal setup.

I did some more digging and found I had 2 issues:

  1. My .yarnrc.yml was using a substitution for an environment variable that I wasn't passing to the docker container. The fix for this was to add it to extraEnvironmentVariables in my pipeline's dependabot@1 task.
  2. ${{ VARIABLE }} style substitutions in the dependabot.yml file do not seem to be working for System.AccessToken.

Here's the registries section of my dependabot.yml:

registries:
  npm-azure:
    type: npm-registry
    url: https://pkgs.dev.azure.com/org/_packaging/feed/npm/registry/
    token: PAT:${{System.AccessToken}}
    replaces-base: true

The config gets sent through to DEPENDABOT_EXTRA_CREDENTIALS without substitutions:

DEPENDABOT_EXTRA_CREDENTIALS=[{"type":"npm_registry","token":"PAT:${{System.AccessToken}}","replaces-base":true,"registry":"pkgs.dev.azure.com/org/_packaging/feed/npm/registry/"}]

The fix for me was to add a pipeline variable set to the value $(System.AccessToken), and that worked.

Is this expected behavior? This part of the docs mentions some limitations to the substitutions, but maybe default pipeline variables are not "considered secret in the registries section"?

Try SYSTEM_ACCESSTOKEN instead of System.AccessToken

That worked :D Do you know where the docs are on how the predefined variables get mapped?

Usually, the variable names with dots inside are also environment variables with the dots replaced with underscores.

The variables are listed in the official docs:

https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables
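The two points the thread settles on, that a `${{System.AccessToken}}` placeholder reached DEPENDABOT_EXTRA_CREDENTIALS verbatim and that the agent exposes `System.AccessToken` as the environment variable `SYSTEM_ACCESSTOKEN`, as an added Python example that is not code from the dependabot-azure-devops project. It assumes substitution is an exact-name lookup of `${{NAME}}` placeholders against the process environment (the behaviour observed above), models the environment as a constructed dict with a placeholder token rather than a real secret, and adds a check that flags any placeholder left unresolved before the credentials JSON is built.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample: the registries block as posted in the thread.
REGISTRIES = {
    "npm-azure": {
        "type": "npm-registry",
        "url": "https://pkgs.dev.azure.com/org/_packaging/feed/npm/registry/",
        "token": "PAT:${{System.AccessToken}}",
        "replaces-base": True,
    }
}

# Same block with the name the agent actually exports (the fix from the thread).
FIXED_REGISTRIES = {
    "npm-azure": {**REGISTRIES["npm-azure"], "token": "PAT:${{SYSTEM_ACCESSTOKEN}}"}
}

# Constructed environment as the pipeline agent would expose it; the value is a
# placeholder, not a real access token.
PIPELINE_ENV = {"SYSTEM_ACCESSTOKEN": "<placeholder-token>"}

# ${{ NAME }} placeholders as used in dependabot.yml (whitespace inside allowed).
PLACEHOLDER = re.compile(r"\$\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def to_env_name(variable: str) -> str:
    """Environment-variable name for an Azure Pipelines variable:
    dots become underscores and the result is upper-cased
    (System.AccessToken -> SYSTEM_ACCESSTOKEN)."""
    return variable.replace(".", "_").upper()


def substitute(value: str, env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Replace ${{NAME}} placeholders by exact name from env.

    Returns the substituted string plus the names that could not be resolved;
    unresolved placeholders are left verbatim, which is what the thread saw."""
    unresolved: List[str] = []

    def repl(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name in env:
            return env[name]
        unresolved.append(name)
        return match.group(0)

    return PLACEHOLDER.sub(repl, value), unresolved


def build_credentials(registries: Dict[str, dict], env: Dict[str, str]):
    """Substitute every string field of every registry and collect problems.

    Returns (credentials list, problems list). A non-empty problems list means a
    literal ${{...}} string would be sent as a token, so the caller should fail
    the pipeline step instead of continuing."""
    credentials = []
    problems: List[str] = []
    for name, registry in registries.items():
        cred = {}
        for key, value in registry.items():
            if isinstance(value, str):
                value, missing = substitute(value, env)
                problems.extend(f"{name}.{key}: {m}" for m in missing)
            cred[key] = value
        credentials.append(cred)
    return credentials, problems


def to_extra_credentials(credentials: list) -> str:
    """Serialise in the shape the thread shows for DEPENDABOT_EXTRA_CREDENTIALS."""
    return json.dumps(credentials, separators=(",", ":"))


if __name__ == "__main__":
    for label, regs in (("as posted", REGISTRIES), ("fixed", FIXED_REGISTRIES)):
        creds, problems = build_credentials(regs, PIPELINE_ENV)
        print(label, "->", to_extra_credentials(creds))
        for p in problems:
            # Unresolved names usually need the dot-to-underscore mapping.
            print("  unresolved:", p, "(try", to_env_name(p.split(": ")[1]) + ")")
```

Running the block prints the posted configuration with the placeholder still intact and the unresolved name reported, then the fixed configuration with the token filled in. The `problems` list is the check worth adding to a pipeline: an unresolved placeholder is a configuration error, and catching it on the agent avoids sending a literal `${{...}}` string to the feed and reading the resulting "Invalid authentication" as a token problem.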