Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Question targetRepositoryName is set but configuration cannot be found #1095

Closed
LockTar opened this issue Apr 19, 2024 · 7 comments
Closed

Question targetRepositoryName is set but configuration cannot be found #1095

LockTar opened this issue Apr 19, 2024 · 7 comments

Comments

@LockTar
Copy link

LockTar commented Apr 19, 2024

I'm trying to setup a pipeline for multiple repositories. My setup is as follow:

Repo 1:
config file:
.azuredevops/dependabot.yml
pipeline yaml file:

- task: dependabot@1
  displayName: repo 2
  inputs:
    packageManager: 'nuget'
    targetBranch: 'main'
    targetRepositoryName: 'repo 2 name'
    openPullRequestsLimit: 1

Repo 2:
config file:
.azuredevops/dependabot.yml

I'm getting the error:
Configuration file not found at possible locations: /.azuredevops/dependabot.yml, /.azuredevops/dependabot.yaml, /.github/dependabot.yaml, /.github/dependabot.yml

When I set system.debug to true I see the following log:

##[debug]Attempting to fetch configuration file via REST API ...
##[debug]GET https://dev.azure.com/foo/bar/_apis/git/repositories/repo2/items?path=/.azuredevops/dependabot.yml
##[debug]No configuration file at 'https://dev.azure.com/foo/bar/_apis/git/repositories/repo2/items?path=/.azuredevops/dependabot.yml'

But when I navigate to that url the file is downloaded. How can that be?
@LockTar
Copy link
Author

LockTar commented Apr 22, 2024

I found out that using a service connection (parameter azureDevOpsServiceConnection) does work. It must have something to do with the accesstoken of SystemVssConnection.

This works:

- task: dependabot@1
  inputs:
    packageManager: 'nuget'
    targetRepositoryName: 'repo2'
    dockerImageTag: '1.24' # another open issue in this repo
    azureDevOpsServiceConnection: myconnection

This doesn't:

- task: dependabot@1
  inputs:
    packageManager: 'nuget'
    targetRepositoryName: 'repo2'
    dockerImageTag: '1.24' # another open issue in this repo

@LockTar
Copy link
Author

LockTar commented Apr 22, 2024

I have set all permissions to allow on the Project collection service account but doesn't help.

@mburumaxwell
Copy link
Contributor

The error No configuration file at '....' is only written out when the response is 404 (NotFound). Authentication issues (401 and 403) should print different logs. See below:

dependabot-azure-devops/extension/task/utils/parseConfigFile.ts

Lines 68 to 82 in 4ffc72b

if (responseStatusCode === 404) {
tl.debug(`No configuration file at '${url}'`);
continue;
} else if (responseStatusCode === 401) {
throw new Error(
`No access token has been provided to access '${url}'`
);
} else if (responseStatusCode === 403) {
throw new Error(
`The access token provided does not have permissions to access '${url}'`
);
} else {
throw error;
}
}

@LockTar
Copy link
Author

LockTar commented Apr 23, 2024

I see it. This is then very strange. Can it be something with dockerImageTag: '1.24'? I've done this because of issue #921.

Again, when I click the link that is logged by the error, the configuration file is downloaded. Enabling the service connection (only change) works.

This is my complete setup:

My pipeline:

trigger: none
schedules:
- cron: '0 2 * * *'
  always: true
  branches:
    include:
      - main
  batch: true
  displayName: Nightly

variables:
  # Define the system.debug variable
  system.debug: true

parameters:
  - name: myObject
    type: object
    default:
      repos:
        - 'my.repo2'

stages:
- stage: dependabot
  displayName: dependabot
  pool:
    name: Azure Pipelines
    vmImage: ubuntu-latest

  jobs:
  - job: dependabot
    displayName: Run dependabot
    steps:
    - ${{ each repo in parameters.myObject.repos }}:
      - task: dependabot@1
        displayName: ${{ repo }}
        continueOnError: true
        inputs:
          targetRepositoryName: ${{ repo }}
          # azureDevOpsServiceConnection: my-service-connection # without service connection configuration file can't be found.
          dockerImageTag: '1.24' # https://github.com/tinglesoftware/dependabot-azure-devops/issues/921
        env:
          AZURE_ARTIFACTS_TOKEN: $(System.AccessToken)

In repo 2 config .azuredevops/dependabot.yml:

version: 2
registries:
  foo:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/MyCollection/MyProject/_packaging/foo/nuget/v3/index.json
    token: PAT:${{AZURE_ARTIFACTS_TOKEN}}
updates:
  - package-ecosystem: nuget
    registries:
    - foo
    directory: "/"
    target-branch: main
    commit-message:
      prefix: fix
      include: scope
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major", "version-update:semver-minor"]

Output log:

##[debug]loading INPUT_TARGETREPOSITORYNAME
##[debug]loading INPUT_DOCKERIMAGETAG
##[debug]loading INPUT_FORWARDHOSTSSHSOCKET
##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
##[debug]loading SECRET_SYSTEM_ACCESSTOKEN
##[debug]loaded 14
##[debug]Agent.ProxyUrl=undefined
##[debug]Agent.CAInfo=undefined
##[debug]Agent.ClientCert=undefined
##[debug]Agent.SkipCertValidation=undefined
##[debug]useConfigFile=true
##[debug]Checking for docker install ...
##[debug]which 'docker'
##[debug]found: '/usr/bin/docker'
##[debug]System.TeamFoundationCollectionUri=https://dev.azure.com/MyCollection/
##[debug]System.TeamProject=MyProject
##[debug]targetRepositoryName=my.repo2
##[debug]gitHubAccessToken=undefined
##[debug]gitHubConnection=undefined
##[debug]azureDevOpsUser=undefined
##[debug]azureDevOpsAccessToken=undefined
##[debug]azureDevOpsServiceConnection=undefined
##[debug]No custom token provided. The SystemVssConnection's AccessToken shall be used.
##[debug]SystemVssConnection auth param AccessToken = ***
##[debug]setAutoComplete=false
##[debug]mergeStrategy=squash
##[debug]autoCompleteIgnoreConfigIds=undefined
##[debug]autoApprove=false
##[debug]autoApproveUserToken=undefined
##[debug]failOnException=true
##[debug]excludeRequirementsToUnlock=undefined
##[debug]updaterOptions=undefined
##[debug]targetUpdateIds=undefined
##[debug]securityAdvisoriesFile=undefined
##[debug]skipPullRequests=false
##[debug]abandonUnwantedPullRequests=false
##[debug]extraEnvironmentVariables=undefined
##[debug]forwardHostSshSocket=false
##[debug]dockerImageTag=1.24
##[debug]Attempting to fetch configuration file via REST API ...
##[debug]GET https://dev.azure.com/MyCollection/MyProject/_apis/git/repositories/my.repo2/items?path=/.azuredevops/dependabot.yml
##[debug]No configuration file at 'https://dev.azure.com/MyCollection/MyProject/_apis/git/repositories/my.repo2/items?path=/.azuredevops/dependabot.yml'
##[debug]GET https://dev.azure.com/MyCollection/MyProject/_apis/git/repositories/my.repo2/items?path=/.azuredevops/dependabot.yaml
##[debug]No configuration file at 'https://dev.azure.com/MyCollection/MyProject/_apis/git/repositories/my.repo2/items?path=/.azuredevops/dependabot.yaml'
##[debug]GET https://dev.azure.com/MyCollection/MyProject/_apis/git/repositories/my.repo2/items?path=/.github/dependabot.yaml
##[debug]No configuration file at 'https://dev.azure.com/MyCollection/MyProject/_apis/git/repositories/my.repo2/items?path=/.github/dependabot.yaml'
##[debug]GET https://dev.azure.com/MyCollection/MyProject/_apis/git/repositories/my.repo2/items?path=/.github/dependabot.yml
##[debug]No configuration file at 'https://dev.azure.com/MyCollection/MyProject/_apis/git/repositories/my.repo2/items?path=/.github/dependabot.yml'
##[debug]task result: Failed
##[error]Configuration file not found at possible locations: /.azuredevops/dependabot.yml, /.azuredevops/dependabot.yaml, /.github/dependabot.yaml, /.github/dependabot.yml

@LockTar
Copy link
Author

LockTar commented Apr 23, 2024

Are we sure that when a user (in our example the build service) is getting a 403 or a 401 with azure devops rest api when it's trying to get a file that it hasn't permissions to?
I think it's masked as a 404.

I also tried something else for more debugging.
When I use azureDevOpsServiceConnection, a PAT has to be set in the service connection. When I remove the claim for repository read, the configuration cannot be found as well.

So that is the reason why I think the rest client is returning a 404 when the user has not enough permissions.

@Lukejkw
Copy link

Lukejkw commented May 31, 2024

I can confirm that this is a permissions issue due to the Access Token being scoped to the build pipeline.

Import to turn off "Protect access to repositories in YAML pipelines"

The following settings worked for me:

image

@LockTar
Copy link
Author

LockTar commented Jun 7, 2024
edited
Loading

@Lukejkw Thank you for the reply. I checked this setting and it brought me in the right direction. This option is of course for safety so it's not recommended to turn it off. It's on by default and mostly forced on organization/collection level.

So I digged into it because turning this setting off made it working. But! I found a better workaround. I now knew the reason so it's easier to search for it.

If you read the documentation for the setting Protect access to repositories in YAML pipelines here and here it states that a yaml pipeline by default can't access another repo (in same or another project) because of that setting.

But you can use the checkout step or a uses statement in your pipeline to connect to another repository. We don't need the code for this dependabot task to work so I went for uses. This gave me the error Job 'Job1' references the repository 'R1' which is not defined by the pipeline.. On StackOverflow I found the solution for this. Apparently you also need to use the resources statement. Sample:

resources:
  repositories:
  - repository: R1
    type: git
    name: MyDevOpsProject/R1
  - repository: R2
    type: git
    name: MyDevOpsProject/R2
  - repository: R3
    type: git
    name: MyDevOpsProject/R3
  - repository: Rnnn
    type: git
    name: MyDevOpsProject/Rnnn

So I ended with the following pipeline:

trigger: none
schedules:
- cron: '0 2 * * *'
  always: true
  branches:
    include:
      - main
  batch: true
  displayName: Nightly

variables:
  # Define the system.debug variable
  system.debug: true

parameters:
  - name: repositories
    displayName: Repositories
    type: object
    default:
      names:
        - 'my.repo2'

resources:
  repositories:
  - repository: my.repo2
    type: git
    name: my.repo2 # I didn't use project because repo is in the same project

stages:
- stage: dependabot
  displayName: dependabot
  pool:
    name: Azure Pipelines
    vmImage: ubuntu-latest

  jobs:
  - job: dependabot
    displayName: Run dependabot

    uses:
      repositories: # List of referenced repositories
      - 'my.repo2' # Repository reference from the resources section

# or
    # uses:
      # repositories: ${{ parameters.repositories.names }}

    steps:
    - ${{ each repo in parameters.repositories.names }}:
      - task: dependabot@1
        displayName: ${{ repo }}
        continueOnError: true
        inputs:
          targetRepositoryName: ${{ repo }}
          dockerImageTag: '1.24' # https://github.com/tinglesoftware/dependabot-azure-devops/issues/921
        env:
          AZURE_ARTIFACTS_TOKEN: $(System.AccessToken)

When you queue the pipeline, you need to Permit the pipeline to access the repository. You will have to do that for every repository.

Only need to find a way to remove the duplicate repository names here in the pipeline.

@LockTar LockTar closed this as completed Jun 7, 2024
@mburumaxwell mburumaxwell mentioned this issue Jun 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@LockTar @mburumaxwell @Lukejkw