renovatebot / config-help

Please use the Discussions feature of https://github.com/renovatebot/renovate instead

Home Page:https://github.com/renovatebot/renovate/discussions

Renovate fails with node module from GitLab private repository

MariaMokbel opened this issue · comments

What Renovate type, platform and version are you using?

Gitlab using the latest image version.

Our gitlab-ci job:

```yaml
renovate:
  image:
    name: renovate/renovate
    entrypoint: [""]
  stage: dependency-update
  script:
    - 'export RENOVATE_CONFIG_FILE="renovate-config.js"'
    - 'renovate --token=$USER_ERPC_TECH_TOKEN'
  only:
    refs:
      - schedules
```

Describe the bug

All the MRs that are created by the bot contain this issue: ⚠️ Artifact update problem
because of a dependency from a private GitLab repository in our package.json:

```json
"@projet_name/design-system": "git+ssh://git@gitlab.com:project_name_path/tools/design-system.git#0.1.0-rc.3",
```

Renovate is not able to update the yarn.lock file because it doesn't have the access (I am guessing the correct private key):

```
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

Relevant debug logs

```
 INFO: Branch updated (repository=project_name_path, branch=renovate/cypress-5.x)
       "commitSha": "61e9ec1"
 INFO: PR created (repository=project_name_path, branch=renovate/cypress-5.x)
       "pr": 331,
       "prTitle": "chore(deps): update dependency cypress to v5"
 WARN: artifactErrors (repository=project_name_path, branch=renovate/cypress-5.x)
       "artifactErrors": [
         {
           "lockFile": "yarn.lock",
           "stderr": "error Command failed.\nExit code: 128\nCommand: git\nArguments: ls-remote --tags --heads git@gitlab.com:project_name/tools/design-system.git\nDirectory: /tmp/renovate/repos/gitlab/project_name_path\nOutput:\nHost key verification failed.\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n"
         }
       ]
```

Additional context

We tried to ignore this dependency in several ways, by adding:

```js
ignoreDeps: ["@project_name/design-system"]
```

or

```js
ignoreDeps: ["design-system"]
```

or

```js
packageRules: [
  {
    packagePatterns: ["^@project_name/design-system"],
    enabled: "false", // note: Renovate's `enabled` option expects a boolean, not the string "false"
  },
]
```

but it doesn't seem to work.

I understand that we cannot connect via SSH with the Renovate bot, but is there any way to just ignore this dependency and make the pipeline pass?

Yarn needs access to this repository in order to update the lock file. Without it, the lock file update fails, and I don't recommend you try any form of ignoring for that. It's yarn failing and not renovate directly. Can you try adding an ssh key that has permissions required by yarn?

Hello! Thank you for your quick answer!

It almost worked: one of the updates (the first one) still fails for the same reason, and I don't understand why, since the ssh key is added in the "before_script" part.

```
 INFO: Branch updated (repository=path, branch=renovate/testing-library-dom-7.26.x)
       "commitSha": "6d7b380"
 INFO: PR created (repository=path, branch=renovate/testing-library-dom-7.26.x)
       "pr": 342,
       "prTitle": "chore(deps): update dependency @testing-library/dom to v7.26.7"
 WARN: artifactErrors (repository=path, branch=renovate/testing-library-dom-7.26.x)
       "artifactErrors": [
         {
           "lockFile": "yarn.lock",
           "stderr": "error Command failed.\nExit code: 128\nCommand: git\nArguments: ls-remote --tags --heads git@gitlab.com:path/tools/design-system.git\nDirectory: /tmp/renovate/repos/gitlab/path\nOutput:\nWarning: Permanently added 'gitlab.com,172.65.251.78' (ECDSA) to the list of known hosts.\r\ngit@gitlab.com: Permission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n"
         }
       ]
```

What do you mean by "almost worked"? Did something work that didn't before? Yarn still appears to be failing, same as if you had no ssh key at all.

As we already told you, renovate works normally. Renovate is calling yarn install to update the yarn.lock file.

For this to work, you need to make sure yarn install succeeds on your pipeline without renovate.

Maybe you need to configure trustLevel, so renovate passes the ssh agent env.
https://docs.renovatebot.com/self-hosted-configuration/#trustlevel

Btw: you can remove the entrypoint override, renovate should work without it.

What I meant by "almost worked" is that some of the updates worked well, the pipeline passed and we didn't have any issue with yarn, and some did not.
By the way, I added:

```yaml
before_script:
    - eval `ssh-agent -s`
    - echo "${SSH_DESIGN_SYSTEM_PRIVATE_KEY}" | tr -d '\r' | ssh-add - > /dev/null
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - 'echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
```

which should work because I did the same for another job and the yarn command worked there.

I will try to configure trustLevel as you advised!
And thanks for the tips :)

You need to set trustLevel=high in bot config, because otherwise renovate will not pass the ssh agent socket environment variable to yarn, so yarn can't find the ssh agent.

It seems to work! Thank you very much! 👍
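Pulling the thread's resolution together, as an added example that is not part of the original issue or of Renovate's own documentation: the GitLab CI job with the ssh-agent setup from the before_script, the entrypoint override dropped as the maintainer suggested, and host-key pinning in place of `StrictHostKeyChecking no`. It assumes that `renovate-config.js` in the repository sets `trustLevel: 'high'`, and that `SSH_DESIGN_SYSTEM_PRIVATE_KEY` and a hypothetical `GITLAB_KNOWN_HOSTS` variable (gitlab.com's known_hosts lines, captured once with `ssh-keyscan` and reviewed) are masked CI/CD variables.

```yaml
# Added example, not from the thread. Assumptions: renovate-config.js sets
# trustLevel: 'high' so renovate forwards SSH_AUTH_SOCK to yarn;
# SSH_DESIGN_SYSTEM_PRIVATE_KEY and GITLAB_KNOWN_HOSTS (hypothetical name)
# are masked CI/CD variables.
renovate:
  image: renovate/renovate          # no entrypoint override needed
  stage: dependency-update
  variables:
    RENOVATE_CONFIG_FILE: renovate-config.js
  before_script:
    - eval "$(ssh-agent -s)"
    # Load the deploy key for the private design-system repository into the agent.
    - echo "${SSH_DESIGN_SYSTEM_PRIVATE_KEY}" | tr -d '\r' | ssh-add - > /dev/null
    - mkdir -p ~/.ssh && chmod 700 ~/.ssh
    # Pin the server's host key instead of disabling StrictHostKeyChecking, so a
    # redirected or spoofed gitlab.com is rejected rather than silently trusted.
    - echo "${GITLAB_KNOWN_HOSTS}" > ~/.ssh/known_hosts
    - chmod 600 ~/.ssh/known_hosts
    # Fail fast if the key cannot reach the private dependency; this is the same
    # git ls-remote that yarn runs when it refreshes yarn.lock.
    - git ls-remote --tags --heads git@gitlab.com:project_name_path/tools/design-system.git > /dev/null
  script:
    # With trustLevel=high in renovate-config.js, yarn inherits the agent socket.
    - renovate --token="$USER_ERPC_TECH_TOKEN"
  only:
    refs:
      - schedules
```

If the `git ls-remote` step fails, the problem is the key or the pinned host entry, not Renovate, which is the distinction the maintainers draw above.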