Seeking Alternative for Deprecated DEPENDABOT_EXTRA_CREDENTIALS in Dependabot V2 #1383

Closed
1 task done
vishnuprakash9845 opened this issue Oct 4, 2024 · 4 comments · Fixed by #1385

Comments

@vishnuprakash9845

vishnuprakash9845 commented Oct 4, 2024

Describe the bug
I have NuGet package configurations in Azure Artifacts and created the following dependabot.yml file. In the Azure pipeline, I was triggering Dependabot using this configuration:

- task: dependabot@1
  inputs:
    setAutoComplete: true
    mergeStrategy: 'noFastForward'
    autoApprove: false
    autoApproveUserToken: $(DEPLOY_PAT)
    azureDevOpsAccessToken: $(DEPLOY_PAT)
    dockerImageTag: 'latest'
    extraEnvironmentVariables: DEPENDABOT_EXTRA_CREDENTIALS=[{"type":"nuget_feed","token":"PAT:$(DEPLOY_PAT)","url":"https://pkgs.dev.azure.com/Org/Project/_packaging/Configurations/nuget/v3/index.json"}]

Categorization

Expected behavior
However, with Dependabot V2, it appears that extraEnvironmentVariables has been deprecated. Could someone from the community guide me on the alternative approach for setting credentials in the new version of Dependabot? Any help would be appreciated.

https://github.com/tinglesoftware/dependabot-azure-devops/blob/main/docs/migrations/v1-to-v2.md

Extension (please complete the following information):

  • Host: Azure DevOps
  • Version: 1.35.3.955

Additional context
I have successfully used DEPENDABOT_EXTRA_CREDENTIALS in Dependabot V1 to authenticate my NuGet feed hosted on Azure Artifacts. However, after upgrading to Dependabot V2, I found that DEPENDABOT_EXTRA_CREDENTIALS is now deprecated. My pipeline configuration for triggering Dependabot is part of an Azure DevOps pipeline where I rely on this for package updates. I need guidance on how to pass authentication credentials for private NuGet feeds using Dependabot V2, as my current approach doesn't seem to work, and I haven't found a clear alternative in the documentation.

@rhyskoedijk
Contributor

@vishnuprakash9845 thanks for the report.
Private feed credentials should be configured in your dependabot.yml, see configuring private feeds and registries for more.

Based on the info provided, you'll need to add this to your config:

version: 2
registries:
  my-org-feed:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/Org/Project/_packaging/Configurations/nuget/v3/index.json
    token: PAT:${{ DEPLOY_PAT }}
updates:
  - package-ecosystem: 'nuget'
    registries: 
    - 'my-org-feed'
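
The migration described in the answer above, as an added example (not code from the extension or from this thread): a small Python converter that turns the V1 `DEPENDABOT_EXTRA_CREDENTIALS` JSON into the `registries` block for `dependabot.yml`. The registry names `feed-N` and the function names are hypothetical, only the `nuget_feed` type shown in this thread is mapped, and a token without a `$(VAR)` reference is rejected so that a literal PAT is never written into the repository.

```python
import json
import re

# Only the type shown in this thread is mapped; anything else is rejected
# rather than guessed.
TYPE_MAP = {"nuget_feed": "nuget-feed"}
# Azure Pipelines macro syntax used in the V1 task input, e.g. $(DEPLOY_PAT)
MACRO = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")

# The V1 value quoted in the issue above.
V1_SAMPLE = (
    '[{"type":"nuget_feed","token":"PAT:$(DEPLOY_PAT)",'
    '"url":"https://pkgs.dev.azure.com/Org/Project/_packaging/'
    'Configurations/nuget/v3/index.json"}]'
)


def to_v2_token(value):
    """Rewrite $(VAR) as ${{ VAR }}; refuse values that hold no variable reference."""
    converted, count = MACRO.subn(lambda m: "${{ " + m.group(1) + " }}", value)
    if count == 0:
        raise ValueError("token has no $(VAR) reference; do not commit a literal secret")
    return converted


def convert(extra_credentials_json):
    """Return the dependabot.yml 'registries' text for a V1 credentials JSON array."""
    lines = ["registries:"]
    for index, cred in enumerate(json.loads(extra_credentials_json), 1):
        unknown = set(cred) - {"type", "url", "token"}
        if unknown:
            raise ValueError(f"unhandled credential fields: {sorted(unknown)}")
        if cred.get("type") not in TYPE_MAP:
            raise ValueError(f"unmapped credential type: {cred.get('type')!r}")
        lines.append(f"  feed-{index}:")  # hypothetical registry name
        lines.append(f"    type: {TYPE_MAP[cred['type']]}")
        lines.append(f"    url: {cred['url']}")
        if "token" in cred:
            lines.append(f"    token: {to_v2_token(cred['token'])}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(convert(V1_SAMPLE), end="")
```

Each generated registry name still has to be listed under the `registries` key of the matching `updates` entry, as in the snippet above.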

@vishnuprakash9845
Author

Thank you, @rhyskoedijk, for the suggestion! It worked perfectly! 😊

Now, I’m facing an issue with attaching reviewers to the pull requests. I referred to the documentation on reviewers but still couldn't get it to work. I've tried various formats including my org+fullname, full team name, display name (used when someone tags me as @vishnu), and even my email, but none of them seem to work.

Any suggestions on how to fix this? Here’s the link to the doc I followed:
Doc Link

Your help would be greatly appreciated!

@Ammanyi

Ammanyi commented Oct 5, 2024

Thank you @vishnuprakash9845 for bringing up this point! I was about to ask the same thing in my issue #1384. I'm experiencing the exact same problem when trying to attach a group as reviewers.

dependabot.yml

version: 2
updates:
- package-ecosystem: "nuget" # See documentation for possible values
  directory: "/" # Location of package manifests
  target-branch: "test-dev"
  labels:
    - "Nuget dependencies"
  commit-message:
      prefix: "Nuget.Configuration Dependency Update"
      include: "scope"
  reviewers:
    - "xxxxx-TestGuards"
  allow:
    - dependency-name: "Configuration"
  open-pull-requests-limit: 5
  registries:
      - azure_artifacts
registries:
  azure_artifacts:
    type: "nuget-feed"
    url: "https://pkgs.dev.azure.com/xxxxx/xxxx/_packaging/xxx.xxx/nuget/v3/index.json"
    token: PAT:${{TOKEN}}    

I attempted to add the group "xxxx-TestGuards," but encountered the following error:


##[error]Failed to create pull request: Error: Invalid argument value.
Parameter name: The identity xxxx-TestGuards is not recognized.
Error: Invalid argument value.
Parameter name: The identity xxxxx-TestGuards is not recognized.
    at RestClient.<anonymous> (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.35.955/node_modules/typed-rest-client/RestClient.js:204:31)
    at Generator.next (<anonymous>)
    at fulfilled (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-xxxx-234f14697896/2.35.955/node_modules/typed-rest-client/RestClient.js:7:58)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  statusCode: 400,
  result: {
    '$id': '1',
    innerException: null,
    message: 'Invalid argument value.\r\n' +
      'Parameter name: The identity xxxxx-TestGuards is not recognized.',
    typeName: 'Microsoft.TeamFoundation.SourceControl.WebServer.InvalidArgumentValueException, Microsoft.TeamFoundation.SourceControl.WebServer',
    typeKey: 'InvalidArgumentValueException',
    errorCode: 0,
    eventId: 0
  },

I tried several options, but none seemed to work. @rhyskoedijk or @berendhaan I'd appreciate any guidance or help with resolving this issue as well!

@rhyskoedijk
Contributor

> Now, I’m facing an issue with attaching reviewers to the pull requests

@vishnuprakash9845 The reviewers must be a user id (GUID) or email address (string); if it is not working then I'd recommend disabling your reviewers config until it is fixed. As part of #1385, I am reworking the identity lookup code so that it will work with more input types (i.e. user id, email, full name, group name).

> I'm experiencing the exact same problem when trying to attach a group as reviewers.

@Ammanyi groups are not currently supported, only individual users. As mentioned above, I will attempt to include group support as part of #1385.
