
Any way to skip private registries? #288

Open
sblatnick opened this issue Feb 28, 2024 · 5 comments

Comments

@sblatnick

When dependabot runs in GitHub Actions, it seems to work without access to private registries.

How can I get that functionality from dependabot/cli?

When it hits a private registry and fails to authenticate, the process exits with an error. I'd like to still get the results I would have from GitHub Actions.

@jeffwidman
Member

There isn't a way to skip private registries that I'm aware of.

  1. If your dependency tree includes private packages, then for many ecosystems :dependabot: needs to fetch those packages in order to know whether it can safely upgrade other packages in the tree--even if it's not upgrading the private registry ones.
  2. Also, for many ecosystems, :dependabot: doesn't even control the access/tree walking--it hands off to the native package manager process (pip, bundler, yarn, etc) and waits for answers. We intentionally want :dependabot: to be a wrapper around native package managers wherever possible, rather than us trying to replicate (poorly) their behavior.

@jeffwidman jeffwidman closed this as not planned Jul 4, 2024
@sblatnick
Author

Thank you for the feedback, but I still am having trouble understanding the result discrepancies.

How does this work in GitHub Actions? Dependabot can't access private registries from there, but it can still return results? The problem I perceive is that GitHub Actions can still return at least partial results, whereas the CLI client fails without any results.

@jeffwidman
Member

Hmm... you got me there. Re-opening.

Can you share logs of a GitHub Actions run vs a CLI run? Feel free to do so via a support ticket if needed, and mention that I requested you do so in this ticket and request that the ticket be assigned to me.

To set expectations, if there is a bug it'll have to go through our normal triage queue for prioritizing when to fix, but I'm happy to take a quick skim through the logs to see if anything immediately jumps out at me that might just be a misunderstanding... perhaps there's something about how Dependabot works that I'm ignorant of.

@jeffwidman jeffwidman reopened this Jul 6, 2024
@sblatnick
Author

Upon Brett's recommendation in the above ticket, I created a personal ticket #2876981.
Leaving this one open in case you want to use it for tracking the CLI side of things.

@sblatnick
Author

FYI, I have lumped in #282 with my request for logs, which was about dependabot performance.

virtual-care-manager finally finished scanning with dependabot/cli. It took 23.5 hours and failed with an error, resulting in 0 findings after all of that processing.

Please reopen that ticket if you prefer to track that separately. Otherwise we can combine those here.
