Dependabot with AWS CodeArtifact

Published 2025-02-11 11:28:57 · 1221 words · 0 views · 0 comments

I'm trying to use Dependabot with AWS CodeArtifact and I keep getting authentication issues.

Dependabot can't authenticate to a private package registry
The following private package registry was used and caused the update to fail: ###-###.d.codeartifact..amazonaws.com/npm/private.

Logs:

proxy | 2022/06/29 16:52:05 [022] GET https://###-###.d.codeartifact.###.amazonaws.com:443/npm/private/hermes-engine
proxy | 2022/06/29 16:52:06 [022] 401 https://###-###.d.codeartifact.###.amazonaws.com:443/npm/private/hermes-engine
proxy | 2022/06/29 16:52:06 [024] GET https://###-###.d.codeartifact.###.amazonaws.com:443/npm/private/hermes-engine
proxy | 2022/06/29 16:52:06 [024] 401 https://###-###.d.codeartifact.###.amazonaws.com:443/npm/private/hermes-engine
updater | INFO <job_408163671> Handled error whilst updating hermes-engine: private_source_authentication_failure {:source=>"###-###.d.codeartifact.###.amazonaws.com/npm/private"}

I've tried playing with different dependabot.yml configs, such as full CodeArtifact URL with path or using token instead of username and password.

My dependabot.yml:

version: 2
registries:
  npm-codeartifact:
    type: npm-registry
    url: https://<registry>-<account>.d.codeartifact.<region>.amazonaws.com
    username: aws
    password: ${{secrets.CODEARTIFACT_TOKEN}}

updates:
  - package-ecosystem: "npm"
    schedule:
      interval: "daily"
    registries:
      - npm-codeartifact

What should I be using to make dependabot work with CodeArtifact?

Comments (3)

生生不灭 2025-02-18 11:28:57

This answer is based on @aphexlog's answer and @Andrea De Luisi's comment about how to update the CodeArtifact token, because it expires after 12 hours. My solution uses NuGet Package Manager as an example and uses a separate GitHub Action (.yml file) that runs a cron job, separate from the Dependabot configuration.


Prerequisites

  • dependabot.yml located at YourProject/.github/dependabot.yml
  • aws-code-artifact-updatetoken.yml (call it whatever you want) located at YourProject\.github\workflows\aws-code-artifact-updatetoken.yml
  • AWS credentials as a repository/organization secret
  • A personal access token (classic) (PAT) with an expiration of 30-90 days if you need to be secure. For this use case though, I think no expiration or a 365-day expiration is safe enough.

To create your PAT (classic), go to your personal account settings, scroll down until you see <> Developer Settings, then go to the Personal access tokens dropdown and choose Tokens (classic). Generate a new token and make sure to click Generate new token (classic). Tick the workflow scope (this will force the repo scopes) if you do not belong to an organization. If you do belong to an organization, also tick the admin:org scope.

Option 1

  • Create or belong to a GitHub organization
  • Go to Organization settings, scroll down to where it says "Secrets" and choose "Dependabot", then create a Dependabot Organization Secret

Option 2

  • Go to your repository and click on the "Settings" tab
  • Scroll down to where it says "secrets" and choose "dependabot" and create a new Dependabot Repository Secret

I have created my secret as a dependabot organization secret with the name CODE_ARTIFACT_TOKEN_PRIVATE_REPOS and it is only accessible to private repositories. My initial value was a dummy value "test" because it was going to get run and updated to a proper token after the workflow is run

aws-code-artifact-updatetoken.yml

name: Update AWS Code Artifact Token

on:
  schedule:
    # Runs every 10 hours
    - cron: "0 */10 * * *"
  workflow_dispatch:

This creates a name for the workflow and sets up a cron-job to run on GitHub Actions automatically every 10 hours

jobs:
  update-code-artifact-token:
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: us-west-2
      GH_TOKEN: ${{ secrets.ORG_SECRETS }}
    steps:
      - name: Get Code Artifact Token
        run: |
          # Every `run` step gets a fresh shell, so a plain `export` does not reach the
          # next step. Write the value to $GITHUB_ENV instead, and mask it so it never
          # shows up in the workflow log.
          CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token --domain fullstackindie --domain-owner 896630178141 --query authorizationToken --output text)
          echo "::add-mask::$CODEARTIFACT_AUTH_TOKEN"
          echo "CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN" >> "$GITHUB_ENV"

Create a job that runs on Ubuntu. It creates environment variables in a format that will be picked up automatically by the AWS CLI and the GitHub CLI (gh), which come installed on the GitHub Actions runner. I am exporting CODEARTIFACT_AUTH_TOKEN as a variable to the current shell to be used in a later step. This variable gets a proper CodeArtifact token. Replace --domain fullstackindie --domain-owner 896630178141 with your AWS CodeArtifact account information.

      - name: Update Code Artifact Token
        run: |
          gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --org FullStackIndieLLC --visibility private --app dependabot --body "$CODEARTIFACT_AUTH_TOKEN"

This last step uses the GitHub CLI to set the Dependabot repository/organization secret that was created earlier for your repo or organization. You can set different flags/args for gh secret set, but you have to include --app dependabot to update Dependabot secrets. You must also include the --body arg that contains the token. When using environment variables, you have to use the "$MY_ENV" format for --body. Because my Dependabot organization secret is only valid for private repositories, I have set the visibility to private. I am also using the --org flag to change my Dependabot organization secret. If you are using a Dependabot repository secret, your step will look similar to this:

      - name: Update Code Artifact Token
        run: |
          # --repo takes OWNER/REPO; --visibility is an organization-secret option and is not used here
          gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --repo <owner>/MyRepo --app dependabot --body "$CODEARTIFACT_AUTH_TOKEN"

I would recommend forcing a workflow run by going to the "Actions" tab in your repo, clicking on the workflow and then clicking "Run workflow" in the dropdown. Otherwise, your repo might not get the token updated for 10 hours or so before the first run.
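A fail-closed version of the same rotation, as an added example that is not the answer's own workflow: one script that fetches the token and publishes it in a single step, refuses to overwrite the Dependabot secret when the AWS CLI did not return a usable token (with `--output text` a null field is printed as the literal string `None`, and the original `--body "$VAR"` would happily publish an empty value), and masks the value in Actions logs. It assumes the `aws` and `gh` CLIs are installed and already authenticated; the domain, domain owner, secret name and target (`--org ORG` or `--repo OWNER/REPO`) are placeholders to replace.

```shell
#!/usr/bin/env bash
# Added example: rotate an AWS CodeArtifact token into a Dependabot secret, failing
# closed. Assumes `aws` and `gh` are installed and authenticated; all names are placeholders.
set -eu

# Ask CodeArtifact for a fresh token. 43200 s (12 h) is the longest lifetime allowed.
fetch_codeartifact_token() {
  aws codeartifact get-authorization-token \
    --domain "$1" --domain-owner "$2" \
    --duration-seconds 43200 \
    --query authorizationToken --output text
}

# Reject anything that is not a usable token before it reaches the secret store:
# an empty string, the CLI's "None" rendering of a null field, or a value containing
# whitespace or control characters (a stray error line, for example).
validate_token() {
  case "$1" in
    ""|None)        return 1 ;;
    *[![:graph:]]*) return 1 ;;
  esac
  return 0
}

# Publish the token as a Dependabot secret. $2 is either "--org ORG" or
# "--repo OWNER/REPO" (left unquoted on purpose so it splits into two arguments).
publish_dependabot_secret() {
  # shellcheck disable=SC2086
  gh secret set "$1" $2 --app dependabot --body "$3"
}

# Fetch, validate, mask, publish. Returns non-zero without touching the secret if
# the token could not be obtained, so the previous (still valid) token stays in place.
rotate_token() {
  local domain="$1" owner="$2" secret_name="$3" target="$4"
  local token
  token="$(fetch_codeartifact_token "$domain" "$owner")" || return 1
  if ! validate_token "$token"; then
    echo "refusing to publish an invalid CodeArtifact token" >&2
    return 1
  fi
  if [ -n "${GITHUB_ACTIONS:-}" ]; then
    echo "::add-mask::$token"   # keep the token out of the workflow log
  fi
  publish_dependabot_secret "$secret_name" "$target" "$token"
}

# Usage (placeholders):
#   rotate_token my-domain 123456789012 CODE_ARTIFACT_TOKEN "--org example-org"
#   rotate_token my-domain 123456789012 CODE_ARTIFACT_TOKEN "--repo example-org/my-repo"
```

Because a failed fetch leaves the old secret untouched, a transient AWS outage during the cron run costs you at most the remaining lifetime of the previous token rather than a Dependabot run with an empty credential.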

佼人 2025-02-18 11:28:57

@aphexlog missed one key point to make dependabot work with poetry.

You need to add aws: before the token value:

version: 2
registries:
  npm-codeartifact:
    type: npm-registry
    url: https://<registry>-<account>.d.codeartifact.<region>.amazonaws.com
    token: aws:${{secrets.CODEARTIFACT_TOKEN}}
updates:
  # Keep npm dependencies up to date
  - package-ecosystem: "npm"
    schedule:
      interval: "daily"
    registries:
      - npm-codeartifact

画▽骨i 2025-02-18 11:28:57

If you are using tokens, you don't need to specify a username:

version: 2
registries:
  npm-codeartifact:
    type: npm-registry
    url: https://<registry>-<account>.d.codeartifact.<region>.amazonaws.com
    token: ${{secrets.CODEARTIFACT_TOKEN}}
updates:
  # Keep npm dependencies up to date
  - package-ecosystem: "npm"
    schedule:
      interval: "daily"
    registries:
      - npm-codeartifact
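What the two `token:` forms in the last two answers turn into on the wire, as an added example that is not from either answer. It rests on an assumption the answers imply but do not spell out: a token of the form `user:secret` (the `aws:` prefix from the second answer) is written to `.npmrc` as a base64 `_auth` value and sent as HTTP Basic, while a bare token (the third answer's form) becomes `_authToken` and is sent as a Bearer header. The registry host, package name and token values are placeholders; `probe_registry` lets you replay the request from the question's proxy log with a real token and see a 200 or 401 outside Dependabot.

```shell
#!/usr/bin/env bash
# Added example: derive the .npmrc line and the HTTP Authorization header that a
# Dependabot `token:` value resolves to. The "user:secret => Basic, bare => Bearer"
# rule is this example's assumption about how Dependabot writes .npmrc; host,
# package and token values are placeholders.
set -eu

# registry: host plus path, without scheme or trailing slash, e.g.
#   my-domain-123456789012.d.codeartifact.us-west-2.amazonaws.com/npm/private
# Prints the single .npmrc line assumed to be generated for that registry.
npmrc_line() {
  local registry="$1" token="$2" encoded
  case "$token" in
    *:*)
      # user:secret form ("aws:${{secrets.CODEARTIFACT_TOKEN}}"): base64 _auth
      encoded=$(printf '%s' "$token" | base64 | tr -d '\n')
      printf '//%s/:_auth=%s\n' "$registry" "$encoded"
      ;;
    *)
      # bare token ("${{secrets.CODEARTIFACT_TOKEN}}"): _authToken
      printf '//%s/:_authToken=%s\n' "$registry" "$token"
      ;;
  esac
}

# Prints the Authorization header npm sends for a given .npmrc credential line.
auth_header() {
  local line="$1"
  case "$line" in
    *:_auth=*)      printf 'Authorization: Basic %s\n' "${line#*:_auth=}" ;;
    *:_authToken=*) printf 'Authorization: Bearer %s\n' "${line#*:_authToken=}" ;;
    *) echo "unrecognised .npmrc line: $line" >&2; return 1 ;;
  esac
}

# Replay the request from the question's proxy log with a chosen header and print
# only the HTTP status: 200 means the credential works, 401 means it does not.
probe_registry() {
  local registry="$1" package="$2" header="$3"
  curl -sS -o /dev/null -w '%{http_code}\n' -H "$header" "https://${registry}/${package}"
}

# Usage (placeholders; TOKEN is the output of `aws codeartifact get-authorization-token`):
#   REG=my-domain-123456789012.d.codeartifact.us-west-2.amazonaws.com/npm/private
#   probe_registry "$REG" hermes-engine "$(auth_header "$(npmrc_line "$REG" "aws:$TOKEN")")"
#   probe_registry "$REG" hermes-engine "$(auth_header "$(npmrc_line "$REG" "$TOKEN")")"
```

Running both probes with the same fresh token tells you in seconds whether the 401 in the Dependabot log is about the credential format (one form passes, the other fails) or about the token itself (both fail, typically because the 12-hour token stored in the secret has expired).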