Automatic PR merging with private npm packages
bennycode opened this issue
Hello Dependabot/GitHub Team,
I have a repository setup which uses npm private packages. I release these packages from a Lerna monorepo where I integrated Dependabot to make automatic dependency updates.
In my project I have a .yarnrc file which makes use of the NPM_TOKEN to fetch my private packages:
.yarnrc
always-auth=true
registry "https://registry.npmjs.org/:_authToken=${NPM_TOKEN}"
save-prefix ""
I defined a read-only NPM_TOKEN in my GitHub Secrets to make my GitHub Actions work with it. It's working fine.
Unfortunately I have not been able to get Dependabot to work with it. I put a value for "registry.npmjs.org" in my Dependabot config variables but I am still getting this error:
updater | ERROR <job_29417555> Failed to replace env in config: ${NPM_TOKEN}
updater | ERROR <job_29417555> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.117.5/lib/dependabot/shared_helpers.rb:111:in run_helper_subprocess'
updater | ERROR <job_29417555> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.117.5/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb:137:in run_yarn_top_level_updater'
Have I done something wrong or why does Dependabot fail to replace NPM_TOKEN?
After some time I found the solution to my problem:
- Open config variables in Dependabot dashboard: https://app.dependabot.com/accounts/your-name/config-variables
- Add type "JavaScript Registry" with registry value "registry.npmjs.org" and your plain read-only auth token value (looks like a UUIDv4, i.e. "e0f9afba-b6c7-11ea-b3de-0242ac130004")
- Add a .yarnrc file to your repository (watched by Dependabot) which DOES NOT define a "registry" and DOES NOT define "always-auth"
- Add a .npmrc file to your repository which enforces authentication and defines the registry (including a placeholder for the "NPM_TOKEN"). Your yarn configuration will automatically make use of your .npmrc file.
.yarnrc
save-prefix ""
.npmrc
Note: The // in front of registry.npmjs.org is intentional.
always-auth=true
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
Tested with:
- npm v6.13.7 (node v13.10.1)
- yarn v1.21.1
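An added example, not part of the original post: a small lint that checks .npmrc and .yarnrc contents against the layout described above, and also flags a token committed as a literal instead of the ${NPM_TOKEN} placeholder. The function names (checkNpmrc, checkYarnrc) and the rules are assumptions derived from the post, and the "leaky" input is constructed.

```javascript
// Added example: lints .npmrc/.yarnrc text for the layout described in the post.
// checkNpmrc/checkYarnrc and their rules are assumptions, not npm or Dependabot code.
const ENV_PLACEHOLDER = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/;
const TOKEN_KEY = ':_authToken=';

// Return trimmed, non-empty lines, skipping # and ; comments.
function configLines(text) {
  return text.split(/\r?\n/).map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#') && !l.startsWith(';'));
}

// .npmrc: the token key must start with // and its value must be an env placeholder.
function checkNpmrc(text) {
  const findings = [];
  for (const line of configLines(text)) {
    const idx = line.indexOf(TOKEN_KEY);
    if (idx === -1) continue;
    const value = line.slice(idx + TOKEN_KEY.length).replace(/^["']|["']$/g, '');
    if (!line.startsWith('//')) findings.push('npmrc: token key lacks the leading //');
    if (!ENV_PLACEHOLDER.test(value)) findings.push('npmrc: literal token committed');
  }
  return findings;
}

// .yarnrc: must not define registry or always-auth, and must not carry a token.
function checkYarnrc(text) {
  const findings = [];
  for (const line of configLines(text)) {
    const key = line.split(/[\s=]/, 1)[0];
    if (key === 'registry' || key === 'always-auth') findings.push('yarnrc: defines ' + key);
    if (line.includes('_authToken')) findings.push('yarnrc: token embedded in a value');
  }
  return findings;
}

// Inputs: both .yarnrc variants and the .npmrc from the post, plus a constructed bad .npmrc.
const ORIGINAL_YARNRC = ['always-auth=true',
  'registry "https://registry.npmjs.org/:_authToken=${NPM_TOKEN}"', 'save-prefix ""'].join('\n');
const FIXED_YARNRC = 'save-prefix ""';
const FIXED_NPMRC = ['always-auth=true', '//registry.npmjs.org/:_authToken=${NPM_TOKEN}'].join('\n');
const LEAKY_NPMRC = 'registry.npmjs.org/:_authToken=CONSTRUCTED-NOT-A-REAL-TOKEN'; // constructed

for (const [name, result] of [
  ['original .yarnrc', checkYarnrc(ORIGINAL_YARNRC)], ['fixed .yarnrc', checkYarnrc(FIXED_YARNRC)],
  ['fixed .npmrc', checkNpmrc(FIXED_NPMRC)], ['leaky .npmrc', checkNpmrc(LEAKY_NPMRC)],
]) console.log(name, result);
```

Run as a pre-commit or CI step by feeding it the file contents; any non-empty result means the committed config departs from the layout in the post or contains a token value.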