Question about Notify Dependabot of a private dependency release

Question

Question about Notify Dependabot of a private dependency release

Ramon-Balaguer opened this issue 5 years ago · comments

Ramon Balaguer Altadill commented 5 years ago

Hello,
I've been trying push a notification following the directions on this link.

We are using the following call

{"name":"Voxel.ObjectStorage:Platform","version":"1.1.19207.1","package-manager":"nuget"}

Assuming that for the name parameter, we are using our nuget's ID and Owner as GroupId and ArtifactId, respectively

<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Voxel.ObjectStorage</id>
    <version>1.1.19206.31962</version>
    <authors>Platform</authors>
    <owners>Platform</owners>
    <requireLicenseAcceptance>false</requireLicenseAcceptance>
    <description>Wraper de la librería de AmazonS3 para acceder a un ObjectStorage</description>
    <copyright>Copyright © Voxel Media 2007-2019</copyright>
    <repository type="git" url="https://github.com/VoxelGroup/Voxel.ObjectStorage.git" />
    <dependencies>
      <group targetFramework=".NETStandard2.0">
        <dependency id="AWSSDK.S3" version="3.3.104.2" exclude="Build,Analyzers" />
      </group>
    </dependencies>
  </metadata>
</package>

However, we do not obtain a response, or any PR on our repository, as expected.
What could be the error?

Thanks!

Grey Baker commented 5 years ago

Deployed!

Grey Baker · Answer 1 · Tue Jul 30 2019 00:51:27 GMT+0800 (China Standard Time)

The name here should just be Voxel.ObjectStorage.

Ramon Balaguer Altadill · Answer 2 · Tue Jul 30 2019 00:59:04 GMT+0800 (China Standard Time)

Hey! Thanks for the prompt response! I've tried that option already and it didn't work. We receive a 204 response and we don't see any PR. Wevare really interested in this project... Thank you very much!! El lun., 29 jul. 2019 18:51, Grey Baker <notifications@github.com> escribió:

…

The name here should just be Voxel.ObjectStorage. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#6?email_source=notifications&email_token=ACW2XDQG3OV2Z46FTOXS4E3QB4NY7A5CNFSM4IHUJHO2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD3BKAAI#issuecomment-516071425>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACW2XDRMNMU4IKQ6IPDZCG3QB4NY7ANCNFSM4IHUJHOQ> .

Grey Baker · Answer 3 · Tue Jul 30 2019 01:11:12 GMT+0800 (China Standard Time)

Are you definitely making the request with an access token that has access to the VoxelGroup organisation? Dependabot hits https://api.github.com/user/orgs with the access token to determine which orgs it has access to.

Ramon Balaguer Altadill · Answer 4 · Tue Jul 30 2019 01:40:35 GMT+0800 (China Standard Time)

I can use the same token with this link: https://api.github.com/user/orgs
With this headers: "Authorization: token OAUTH-TOKEN" and it works correctly.

We received:

[
    {
        "login": "VoxelGroup",
        "id": XXXXX,
        "node_id": "XXXXXX",
        "url": "https://api.github.com/orgs/VoxelGroup",
        "repos_url": "https://api.github.com/orgs/VoxelGroup/repos",
        "events_url": "https://api.github.com/orgs/VoxelGroup/events",
        "hooks_url": "https://api.github.com/orgs/VoxelGroup/hooks",
        "issues_url": "https://api.github.com/orgs/VoxelGroup/issues",
        "members_url": "https://api.github.com/orgs/VoxelGroup/members{/member}",
        "public_members_url": "https://api.github.com/orgs/VoxelGroup/public_members{/member}",
        "avatar_url": "https://avatars1.githubusercontent.com/u/34061716?v=4",
        "description": ""
    }
]

In your API I don't receive any authentication error.

Grey Baker · Answer 5 · Tue Jul 30 2019 01:49:15 GMT+0800 (China Standard Time)

Just dug into this a bit more on our side and it looks like there's some name-normalisation that's causing problems here. I'll get that fixed...

Ramon Balaguer Altadill · Answer 6 · Tue Jul 30 2019 01:54:22 GMT+0800 (China Standard Time)

Thank you! we will wait.

Grey Baker · Answer 7 · Tue Jul 30 2019 01:58:45 GMT+0800 (China Standard Time)

Deploying now - will be out in ~5 minutes.

Ramon Balaguer Altadill · Answer 8 · Tue Jul 30 2019 02:19:44 GMT+0800 (China Standard Time)

Thanks, but we continue with the same problem

Grey Baker · Answer 9 · Tue Jul 30 2019 02:52:23 GMT+0800 (China Standard Time)

Have had to jump on a couple of calls. Will try to get back to this. Not sure what could be causing it now though...

Grey Baker · Answer 10 · Tue Jul 30 2019 02:52:50 GMT+0800 (China Standard Time)

(The 204 response is expected btw - it's just that you should be getting a PR!)

Grey Baker · Answer 11 · Tue Jul 30 2019 02:57:57 GMT+0800 (China Standard Time)

Ah, hang on - it looks like an update job is now being successfully triggered, but that Dependabot can't find the updated version when it looks for it in the update job. Do you have a NuGet.config committed, or have you set a config variable in Dependabot, with details of your private registry? This endpoint is only to get Dependabot to kick off an update run - Dependabot still needs to be able to find the version on your registry.

Ramon Balaguer Altadill · Answer 12 · Tue Jul 30 2019 21:12:25 GMT+0800 (China Standard Time)

That is the problem, our Nuget server is private and we thought that from our "nuget continous integration flow" we could make push notifications to dependabot.

Grey Baker · Answer 13 · Tue Jul 30 2019 22:11:58 GMT+0800 (China Standard Time)

OK, in that case I'm going to close this as we're not planning to denormalise private registry contents in Dependabot (it would be a lot of work on our side). Thanks for talking it through with me, though.