Tags: amazon-web-services, nuget, github-actions, dependabot, aws-codeartifact

Cannot get dependabot to authenticate with AWS CodeArtifact for my packages


Based on this question: Dependabot with AWS CodeArtifact

My dependabot.yml looks like so:

version: 2
registries:
  nuget-code-artifact:
    type: nuget-feed
    url: https://xxxxxxxxxxxxxxxx.d.codeartifact.eu-west-2.amazonaws.com/nuget/team-packages/v3/index.json
    token: aws:${{secrets.CODE_ARTIFACT_TOKEN_PRIVATE_REPOS}}
updates:
  - package-ecosystem: "nuget"
    directory: "/" # Location of package manifests
    registries:
      - nuget-code-artifact
    schedule:
      interval: "daily"
    labels:
      - "dependencies"

I have a GitHub Action for resetting the secret every 10 hours.

name: Update AWS Code Artifact Token

on:
  schedule:
    # Runs every 10 hours
    - cron: "0 */10 * * *"
  workflow_dispatch:

jobs:
  update-code-artifact-token:
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: eu-west-2
      GH_TOKEN: ${{ secrets.CREATE_ORG_SECRET }}
    steps:
      - name: Get Code Artifact Token
        run: |
          export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain ${{ secrets.AWS_CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.AWS_CODEARTIFACT_ACCOUNT_NUMBER }} --query authorizationToken --output text`
      - name: Update Code Artifact Token
        run: |
          gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --org MyOrg --visibility private --app dependabot --body "$CODEARTIFACT_AUTH_TOKEN"

The Action runs and I have a secret showing in the dependabot settings for my repository. However, it never authenticates with AWS. The relevant part of the logs looks like so:

updater | 2023/09/13 16:29:10 INFO <job_721546674> Starting job processing
updater | 2023/09/13 16:29:10 INFO <job_721546674> Starting update job for My-Org/My-Repo
updater | 2023/09/13 16:29:10 INFO <job_721546674> Checking all dependencies for version updates...
updater | 2023/09/13 16:29:10 INFO <job_721546674> Checking if Bogus 34.0.2 needs updating
  proxy | 2023/09/13 16:29:10 [066] GET https://xxxxxxxxxxxxxxxxxxxxxx.d.codeartifact.eu-west-2.amazonaws.com:443/nuget/team-packages/v3/index.json
  proxy | 2023/09/13 16:29:10 [066] * authenticating nuget feed request (host: xxxxxxxxxxxxxxxxxxxxxx.d.codeartifact.eu-west-2.amazonaws.com, basic auth)
  proxy | 2023/09/13 16:29:11 [066] 401 https://xxxxxxxxxxxxxxxxxxxxxx.d.codeartifact.eu-west-2.amazonaws.com:443/nuget/team-packages/v3/index.json
  proxy | 2023/09/13 16:29:11 [066] Unauthenticated: request used invalid credentials. Please renew your credentials.
updater | 2023/09/13 16:29:11 INFO <job_721546674> Handled error whilst updating Bogus: private_source_authentication_failure {:source=>"https://xxxxxxxxxxxxxxxxxxxxxx.d.codeartifact.eu-west-2.amazonaws.com/nuget/team-packages/v3/index.json"}

I am really stuck on what I am doing wrong.


Solution

I fixed the issue.

export was not doing what I hoped, and it was setting the token to an empty string.

    steps:
      - name: Get Code Artifact Token
        run: |
          export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain ${{ secrets.AWS_CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.AWS_CODEARTIFACT_ACCOUNT_NUMBER }} --query authorizationToken --output text`
      - name: Update Code Artifact Token
        run: |
          gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --org MyOrg --visibility private --app dependabot --body "$CODEARTIFACT_AUTH_TOKEN"

So I combined this into one statement.

    steps:
      - name: Set Code Artifact Token
        run: |
          CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain ${{ secrets.AWS_CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.AWS_CODEARTIFACT_ACCOUNT_NUMBER }} --query authorizationToken --output text`
          gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --org MyOrg --visibility private --app dependabot --body "$CODEARTIFACT_AUTH_TOKEN"
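The root cause in this answer is that every `run:` step in a GitHub Actions job is executed by a fresh shell process, so a variable exported in one step is gone by the next one, and `gh secret set` received an empty string. The script below is an added example, not part of the original question or answer: it reproduces the two-step and one-step behaviour locally by running each "step" in its own `sh -c`, and replaces the real `aws` and `gh` commands with constructed stubs so it runs offline. The domain name `example-domain` and owner `123456789012` are placeholders, and it adds one check the original workflow lacks: it refuses to write the secret when the token came back empty, so a failed token request breaks the job loudly instead of silently overwriting a working secret.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces why the two-step
# workflow stored an empty Dependabot secret, and shows the one-step fix.
# `aws` and `gh` below are constructed stubs, not the real CLIs.

WORK_DIR=$(mktemp -d)
STUB_BIN="$WORK_DIR/bin"
RECORDED_BODY="$WORK_DIR/secret_body"   # what the gh stub would have stored
mkdir -p "$STUB_BIN"
trap 'rm -rf "$WORK_DIR"' EXIT

# Stub for `aws codeartifact get-authorization-token ... --output text`:
# prints a constructed token instead of calling AWS.
cat > "$STUB_BIN/aws" <<'EOF'
#!/bin/sh
printf '%s\n' "constructed-codeartifact-token"
EOF

# Stub for `gh secret set ... --body VALUE`: records the --body value.
cat > "$STUB_BIN/gh" <<'EOF'
#!/bin/sh
body=""
while [ $# -gt 0 ]; do
  case "$1" in
    --body) shift; body="$1" ;;
  esac
  shift
done
printf '%s' "$body" > "$GH_RECORD_FILE"
EOF
chmod +x "$STUB_BIN/aws" "$STUB_BIN/gh"

# One `run:` step: a fresh shell, like GitHub Actions does per step.
run_step() {
  PATH="$STUB_BIN:$PATH" GH_RECORD_FILE="$RECORDED_BODY" sh -c "$1"
}

# Placeholder domain and account number (constructed values).
GET_TOKEN='aws codeartifact get-authorization-token --domain example-domain --domain-owner 123456789012 --query authorizationToken --output text'
SET_SECRET='gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --org MyOrg --visibility private --app dependabot --body "$CODEARTIFACT_AUTH_TOKEN"'

# The original workflow: export in step 1, use in step 2.
# Prints the body gh received (empty: the export did not survive the step).
two_step_body() {
  : > "$RECORDED_BODY"
  run_step "export CODEARTIFACT_AUTH_TOKEN=\$($GET_TOKEN)"
  run_step "$SET_SECRET"
  cat "$RECORDED_BODY"
}

# The fix from the answer: both commands in one step, so one shell.
one_step_body() {
  : > "$RECORDED_BODY"
  run_step "CODEARTIFACT_AUTH_TOKEN=\$($GET_TOKEN); $SET_SECRET"
  cat "$RECORDED_BODY"
}

# Defensive variant: take the token command as $1 and refuse to overwrite the
# secret with an empty token. Returns 0 if the secret was set, 1 if refused.
guarded_set() {
  : > "$RECORDED_BODY"
  run_step "CODEARTIFACT_AUTH_TOKEN=\$($1); [ -n \"\$CODEARTIFACT_AUTH_TOKEN\" ] || { echo 'empty token, not updating secret' >&2; exit 1; }; $SET_SECRET"
}

main() {
  printf 'two-step body: "%s"\n' "$(two_step_body)"
  printf 'one-step body: "%s"\n' "$(one_step_body)"
  # `true` prints nothing, standing in for a token request that failed.
  if guarded_set 'true'; then echo "guarded: set"; else echo "guarded: refused"; fi
}

main
```

Combining the commands into one step, as the answer does, is the simplest fix. If the token is needed by several later steps, the GitHub Actions mechanism for that is appending `NAME=value` to the file named by `$GITHUB_ENV` rather than `export`. Either way, guarding against an empty token is worth keeping: the `401 Unauthenticated` seen in the Dependabot proxy log is exactly the symptom an empty secret produces, and the guard turns it into a failed workflow run instead.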