Based on this question Dependabot with AWS CodeArtifact
My dependabot.yml looks like so:-
version: 2
registries:
  nuget-code-artifact:
    type: nuget-feed
    url: https://xxxxxxxxxxxxxxxx.d.codeartifact.eu-west-2.amazonaws.com/nuget/team-packages/v3/index.json
    token: aws:${{secrets.CODE_ARTIFACT_TOKEN_PRIVATE_REPOS}}
updates:
  - package-ecosystem: "nuget"
    directory: "/" # Location of package manifests
    registries:
      - nuget-code-artifact
    schedule:
      interval: "daily"
    labels:
      - "dependencies"
I have a GitHub Action for resetting the secret every 10 hours.
name: Update AWS Code Artifact Token
on:
  schedule:
    # Runs every 10 hours
    - cron: "0 */10 * * *"
  workflow_dispatch:
jobs:
  update-code-artifact-token:
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: eu-west-2
      GH_TOKEN: ${{ secrets.CREATE_ORG_SECRET }}
    steps:
      - name: Get Code Artifact Token
        run: |
          export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain ${{ secrets.AWS_CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.AWS_CODEARTIFACT_ACCOUNT_NUMBER }} --query authorizationToken --output text`
      - name: Update Code Artifact Token
        run: |
          gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --org MyOrg --visibility private --app dependabot --body "$CODEARTIFACT_AUTH_TOKEN"
The Action runs and I have a secret showing in the dependabot settings for my repository. However, it never authenticates with AWS. The relevant part of the logs look like so:-
updater | 2023/09/13 16:29:10 INFO <job_721546674> Starting job processing
updater | 2023/09/13 16:29:10 INFO <job_721546674> Starting update job for My-Org/My-Repo
updater | 2023/09/13 16:29:10 INFO <job_721546674> Checking all dependencies for version updates...
updater | 2023/09/13 16:29:10 INFO <job_721546674> Checking if Bogus 34.0.2 needs updating
proxy | 2023/09/13 16:29:10 [066] GET https://xxxxxxxxxxxxxxxxxxxxxx.d.codeartifact.eu-west-2.amazonaws.com:443/nuget/team-packages/v3/index.json
proxy | 2023/09/13 16:29:10 [066] * authenticating nuget feed request (host: xxxxxxxxxxxxxxxxxxxxxx.d.codeartifact.eu-west-2.amazonaws.com, basic auth)
proxy | 2023/09/13 16:29:11 [066] 401 https://xxxxxxxxxxxxxxxxxxxxxx.d.codeartifact.eu-west-2.amazonaws.com:443/nuget/team-packages/v3/index.json
proxy | 2023/09/13 16:29:11 [066] Unauthenticated: request used invalid credentials. Please renew your credentials.
updater | 2023/09/13 16:29:11 INFO <job_721546674> Handled error whilst updating Bogus: private_source_authentication_failure {:source=>"https://xxxxxxxxxxxxxxxxxxxxxx.d.codeartifact.eu-west-2.amazonaws.com/nuget/team-packages/v3/index.json"}
I am really stuck on what I am doing wrong.
I fixed the issue. `export` was not doing what I hoped, and it was setting the token to an empty string.
steps:
  - name: Get Code Artifact Token
    run: |
      export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain ${{ secrets.AWS_CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.AWS_CODEARTIFACT_ACCOUNT_NUMBER }} --query authorizationToken --output text`
  - name: Update Code Artifact Token
    run: |
      gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --org MyOrg --visibility private --app dependabot --body "$CODEARTIFACT_AUTH_TOKEN"
So I combined this into one statement.
steps:
  - name: Set Code Artifact Token
    run: |
      CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain ${{ secrets.AWS_CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.AWS_CODEARTIFACT_ACCOUNT_NUMBER }} --query authorizationToken --output text`
      gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --org MyOrg --visibility private --app dependabot --body "$CODEARTIFACT_AUTH_TOKEN"
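An added example, not the question's or the answer's workflow: the same single-step fix written as shell functions that additionally refuse to publish when the CLI returned nothing, because the failing two-step workflow stored an empty token without any error and the only symptom was the 401 in the Dependabot log. It assumes `aws` and `gh` are on PATH and that the domain, owner and org passed in are placeholders.

```shell
#!/bin/sh
# Fetch a CodeArtifact authorization token and print it on stdout.
# Returns 1 when the CLI fails or prints nothing, so a missing token
# can never be written into the Dependabot secret.
fetch_codeartifact_token() {
  domain="$1"; owner="$2"
  token=$(aws codeartifact get-authorization-token \
            --domain "$domain" --domain-owner "$owner" \
            --query authorizationToken --output text) || return 1
  # "None" is what the CLI prints for a null field in text output.
  if [ -z "$token" ] || [ "$token" = "None" ]; then
    echo "empty CodeArtifact token; not updating secret" >&2
    return 1
  fi
  printf '%s' "$token"
}

# Publish the token as the Dependabot org secret, in the same shell
# as the fetch so the value does not get lost between Actions steps.
publish_dependabot_secret() {
  org="$1"; domain="$2"; owner="$3"
  token=$(fetch_codeartifact_token "$domain" "$owner") || return 1
  # Inside GitHub Actions, mask the value in any later log output.
  if [ -n "$GITHUB_ACTIONS" ]; then
    echo "::add-mask::$token"
  fi
  gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --org "$org" \
     --visibility private --app dependabot --body "$token"
}
```

In a `run:` step the body would end with `publish_dependabot_secret MyOrg "$DOMAIN" "$OWNER"`, and the step fails instead of silently rotating in an empty secret.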