Dependabot is not showing updates from public Github registry

I have a parent pom, which uses another parent pom:
Parent-jdk11-mongo project uses my own parent-jdk11 project

As you can see, the Parent-jdk11 project is released at Github registry as version 2.3.4.1

In my parent-jdk-mongo the version is still at 2.3.3-9.RELEASE

Dependabot is not checking my own registry, that there is a new one, but it works for all Maven central dependencies.
My dependabot file looks like this:

version: 2
updates:
- package-ecosystem: maven
  directory: "/"
  schedule:
    interval: daily
    time: '04:00'
  reviewers:
    - "joergi"
  open-pull-requests-limit: 100

it works

I have seen the discussion about some private repos here, but as this is a public repository on Github, I was assuming it will work?

Thanks for your help

Are the Security and Analysis features enabled on joergi/parent-jdk11-mongo?

yes, it is! it’s working for other dependencies.


as you can see, it’s all enabled.

If you check the dependencies for this repo, it doesn’t include your other repo. https://github.com/joergi/parent-jdk11-mongo/network/dependencies

You may need to add the joergi/parent-jdk11 package to the dependencies element of your project pom.xml file.

So what is true: you need to authenticate against Github registry, which is pretty bad

The log looks like this.
but it’s not really private. it’s a public project with public artifacts.
but Github tells you you MUST have the permission to use it.

see this thread about the problem

proxy | time="2020-09-22T04:00:28Z" level=info msg="proxy starting" commit=21b6f1887d5de684c459cfb01dade71c33d44db4
proxy | 2020/09/22 04:00:28 Listening (:1080)
updater | 2020-09-22T04:00:30.553653713 [63165733:WARN:src/devices/src/legacy/serial.rs:319] Detached the serial input due to peer error/close.
updater | time="2020-09-22T04:00:34Z" level=info msg="guest starting" commit=f5a336b594678fecab7da6cdcd54b914fc2d0082
updater | time="2020-09-22T04:00:34Z" level=info msg="starting job..." fetcher_timeout=5m0s job_id=63165733 updater_timeout=45m0s updater_version=0.119.4-a0f473723b1bb4d7c8ae0de9d808c3e1b0afe222
updater | yarn config v1.22.5
updater | success Set "cafile" to "/etc/ssl/certs/ca-certificates.crt".
updater | Done in 0.09s.
updater | I, [2020-09-22T04:00:40.505029 #72]  INFO -- sentry: ** [Raven] Raven 3.1.0 ready to catch errors
updater | INFO <job_63165733> Starting job processing
proxy | 2020/09/22 04:00:45 [002] GET https://api.github.com:443/repos/joergi/parent-jdk11-mongo
proxy | 2020/09/22 04:00:45 * authenticating github api request
proxy | 2020/09/22 04:00:46 [002] 200 https://api.github.com:443/repos/joergi/parent-jdk11-mongo
proxy | 2020/09/22 04:00:46 [004] GET https://api.github.com:443/repos/joergi/parent-jdk11-mongo/git/refs/heads/main
proxy | 2020/09/22 04:00:46 * authenticating github api request
proxy | 2020/09/22 04:00:46 [004] 200 https://api.github.com:443/repos/joergi/parent-jdk11-mongo/git/refs/heads/main
proxy | 2020/09/22 04:00:46 [006] GET https://api.github.com:443/repos/joergi/parent-jdk11-mongo/contents/pom.xml?ref=815772cb549d860985b517392b09c7466ecc6d35
proxy | 2020/09/22 04:00:46 * authenticating github api request
proxy | 2020/09/22 04:00:46 [006] 200 https://api.github.com:443/repos/joergi/parent-jdk11-mongo/contents/pom.xml?ref=815772cb549d860985b517392b09c7466ecc6d35
updater | INFO <job_63165733> Finished job processing
updater | time="2020-09-22T04:00:46Z" level=info msg="task complete" container_id=job-63165733-file-fetcher exit_code=0 job_id=63165733 step=fetcher
updater | yarn config v1.22.5
updater | success Set "cafile" to "/etc/ssl/certs/ca-certificates.crt".
updater | Done in 0.20s.
updater | I, [2020-09-22T04:00:53.841415 #73]  INFO -- sentry: ** [Raven] Raven 3.1.0 ready to catch errors
updater | INFO <job_63165733> Starting job processing
updater | INFO <job_63165733> Starting update job for joergi/parent-jdk11-mongo
updater | INFO <job_63165733> Checking if de.flapdoodle.embed:de.flapdoodle.embed.mongo needs updating
proxy | 2020/09/22 04:00:58 [010] GET https://maven.pkg.github.com:443/joergi/parent-jdk11/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:58 [010] 401 https://maven.pkg.github.com:443/joergi/parent-jdk11/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:58 [012] GET https://repo.maven.apache.org:443/maven2/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:58 [012] 404 https://repo.maven.apache.org:443/maven2/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:58 [014] GET https://maven.pkg.github.com:443/joergi/parent-jdk11/de/flapdoodle/embed/de.flapdoodle.embed.mongo/maven-metadata.xml
proxy | 2020/09/22 04:00:58 [014] 401 https://maven.pkg.github.com:443/joergi/parent-jdk11/de/flapdoodle/embed/de.flapdoodle.embed.mongo/maven-metadata.xml
proxy | 2020/09/22 04:00:58 [016] GET https://repo.maven.apache.org:443/maven2/de/flapdoodle/embed/de.flapdoodle.embed.mongo/maven-metadata.xml
proxy | 2020/09/22 04:00:58 [016] 200 https://repo.maven.apache.org:443/maven2/de/flapdoodle/embed/de.flapdoodle.embed.mongo/maven-metadata.xml
proxy | 2020/09/22 04:00:58 [018] HEAD https://maven.pkg.github.com:443/joergi/parent-jdk11/de/flapdoodle/embed/de.flapdoodle.embed.mongo/2.2.0/de.flapdoodle.embed.mongo-2.2.0.jar
proxy | 2020/09/22 04:00:58 [018] 401 https://maven.pkg.github.com:443/joergi/parent-jdk11/de/flapdoodle/embed/de.flapdoodle.embed.mongo/2.2.0/de.flapdoodle.embed.mongo-2.2.0.jar
proxy | 2020/09/22 04:00:58 [020] HEAD https://repo.maven.apache.org:443/maven2/de/flapdoodle/embed/de.flapdoodle.embed.mongo/2.2.0/de.flapdoodle.embed.mongo-2.2.0.jar
proxy | 2020/09/22 04:00:58 [020] 200 https://repo.maven.apache.org:443/maven2/de/flapdoodle/embed/de.flapdoodle.embed.mongo/2.2.0/de.flapdoodle.embed.mongo-2.2.0.jar
updater | INFO <job_63165733> Latest version is 2.2.0
updater | INFO <job_63165733> No update needed for de.flapdoodle.embed:de.flapdoodle.embed.mongo
updater | INFO <job_63165733> Checking if io.joergi:parent-jdk11 2.3.3-2.RELEASE needs updating
proxy | 2020/09/22 04:00:58 [022] GET https://maven.pkg.github.com:443/joergi/parent-jdk11/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:58 [022] 401 https://maven.pkg.github.com:443/joergi/parent-jdk11/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:59 [024] GET https://repo.maven.apache.org:443/maven2/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:59 [024] 404 https://repo.maven.apache.org:443/maven2/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:59 [026] GET https://maven.pkg.github.com:443/joergi/parent-jdk11/io/joergi/parent-jdk11/maven-metadata.xml
proxy | 2020/09/22 04:00:59 [026] 401 https://maven.pkg.github.com:443/joergi/parent-jdk11/io/joergi/parent-jdk11/maven-metadata.xml
proxy | 2020/09/22 04:00:59 [028] GET https://repo.maven.apache.org:443/maven2/io/joergi/parent-jdk11/maven-metadata.xml
proxy | 2020/09/22 04:00:59 [028] 404 https://repo.maven.apache.org:443/maven2/io/joergi/parent-jdk11/maven-metadata.xml
updater | INFO <job_63165733> Handled error whilst updating io.joergi:parent-jdk11: private_source_authentication_failure {:source=>"https://maven.pkg.github.com/joergi/parent-jdk11"}
updater | INFO <job_63165733> Checking if org.springframework.boot:spring-boot-starter-data-mongodb needs updating
proxy | 2020/09/22 04:00:59 [032] GET https://maven.pkg.github.com:443/joergi/parent-jdk11/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:59 [032] 401 https://maven.pkg.github.com:443/joergi/parent-jdk11/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:59 [034] GET https://repo.maven.apache.org:443/maven2/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:59 [034] 404 https://repo.maven.apache.org:443/maven2/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:59 [036] GET https://maven.pkg.github.com:443/joergi/parent-jdk11/org/springframework/boot/spring-boot-starter-data-mongodb/maven-metadata.xml
proxy | 2020/09/22 04:00:59 [036] 401 https://maven.pkg.github.com:443/joergi/parent-jdk11/org/springframework/boot/spring-boot-starter-data-mongodb/maven-metadata.xml
proxy | 2020/09/22 04:00:59 [038] GET https://repo.maven.apache.org:443/maven2/org/springframework/boot/spring-boot-starter-data-mongodb/maven-metadata.xml
proxy | 2020/09/22 04:00:59 [038] 200 https://repo.maven.apache.org:443/maven2/org/springframework/boot/spring-boot-starter-data-mongodb/maven-metadata.xml
proxy | 2020/09/22 04:00:59 [040] HEAD https://maven.pkg.github.com:443/joergi/parent-jdk11/org/springframework/boot/spring-boot-starter-data-mongodb/2.3.4.RELEASE/spring-boot-starter-data-mongodb-2.3.4.RELEASE.jar
proxy | 2020/09/22 04:00:59 [040] 401 https://maven.pkg.github.com:443/joergi/parent-jdk11/org/springframework/boot/spring-boot-starter-data-mongodb/2.3.4.RELEASE/spring-boot-starter-data-mongodb-2.3.4.RELEASE.jar
proxy | 2020/09/22 04:00:59 [042] HEAD https://repo.maven.apache.org:443/maven2/org/springframework/boot/spring-boot-starter-data-mongodb/2.3.4.RELEASE/spring-boot-starter-data-mongodb-2.3.4.RELEASE.jar
proxy | 2020/09/22 04:00:59 [042] 200 https://repo.maven.apache.org:443/maven2/org/springframework/boot/spring-boot-starter-data-mongodb/2.3.4.RELEASE/spring-boot-starter-data-mongodb-2.3.4.RELEASE.jar
updater | INFO <job_63165733> Latest version is 2.3.4.RELEASE
updater | INFO <job_63165733> No update needed for org.springframework.boot:spring-boot-starter-data-mongodb
updater | INFO <job_63165733> Finished job processing
updater | time="2020-09-22T04:00:59Z" level=info msg="task complete" container_id=job-63165733-updater exit_code=0 job_id=63165733 step=updater
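The log above tells the whole story if you read the proxy lines per registry host: every request to maven.pkg.github.com comes back 401, Maven Central answers 404 for the io.joergi artifact (it is only published to GitHub Packages), and the updater then records private_source_authentication_failure for that one dependency. The following script is an added example, not part of this thread or of Dependabot; it parses a few constructed log lines in the same format and reports which registries rejected unauthenticated requests and which dependencies were skipped as a result. The regular expressions and the sample lines are assumptions modelled on the output shown here.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample, shaped like the Dependabot proxy/updater log in this thread.
SAMPLE_LOG = """\
proxy | 2020/09/22 04:00:58 [010] GET https://maven.pkg.github.com:443/joergi/parent-jdk11/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:58 [010] 401 https://maven.pkg.github.com:443/joergi/parent-jdk11/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:58 [012] GET https://repo.maven.apache.org:443/maven2/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:58 [012] 404 https://repo.maven.apache.org:443/maven2/io/joergi/parent-jdk11/2.3.3-2.RELEASE/parent-jdk11-2.3.3-2.RELEASE.pom
proxy | 2020/09/22 04:00:58 [016] GET https://repo.maven.apache.org:443/maven2/de/flapdoodle/embed/de.flapdoodle.embed.mongo/maven-metadata.xml
proxy | 2020/09/22 04:00:58 [016] 200 https://repo.maven.apache.org:443/maven2/de/flapdoodle/embed/de.flapdoodle.embed.mongo/maven-metadata.xml
updater | INFO <job_63165733> Handled error whilst updating io.joergi:parent-jdk11: private_source_authentication_failure {:source=>"https://maven.pkg.github.com/joergi/parent-jdk11"}
"""

# Response lines carry a 3-digit status where request lines carry GET/HEAD.
RESPONSE_RE = re.compile(r"^proxy \| \S+ \S+ \[(\d+)\] (\d{3}) (https?://\S+)$")

# Accepts straight or typographic quotes, since forum software often rewrites them.
AUTH_ERR_RE = re.compile(
    r"Handled error whilst updating (\S+): private_source_authentication_failure "
    r"\{:source=>[\"\u201c]([^\"\u201d]+)[\"\u201d]\}"
)


def registry_status_counts(log_text):
    """Map each registry host to a Counter of the HTTP status codes it returned."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = RESPONSE_RE.match(line)
        if m:
            host = urlparse(m.group(3)).hostname
            counts[host][int(m.group(2))] += 1
    return dict(counts)


def auth_failures(log_text):
    """Return (dependency, source) pairs for which the updater gave up on authentication."""
    found = []
    for line in log_text.splitlines():
        m = AUTH_ERR_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def diagnose(log_text):
    """Turn the raw counts into short findings a maintainer can act on."""
    findings = []
    for host, statuses in sorted(registry_status_counts(log_text).items()):
        if statuses.get(401):
            findings.append(
                f"{host}: {statuses[401]} request(s) answered 401; "
                "this registry needs credentials in settings.xml"
            )
    for dep, source in auth_failures(log_text):
        findings.append(f"{dep}: update skipped because {source} rejected the request")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run it against a real job log (the Dependabot "View logs" output) and the 401 counter per host immediately separates "registry needs credentials" from "artifact does not exist at all" (404 on Maven Central), which is the distinction the thread turned on.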

it’s not a dependency, it’s the parent!
and if I use there a public one, like spring-boot, dependabot is able to use it!

I guess, the problem is, that the dependabot has no rights to “read the secrets”
So, it can’t access the github artifacts

  1. It looks like you’re missing a settings.xml file in joergi/parent-jdk11

  2. For the password (<password>PAT</password>), use a Personal Access Token (PAT) with the read:packages scope from an account that doesn’t own any private packages and is therefore safe to share. The PAT should be an XML encoded token because GitHub automatically deletes/revokes PATs when they appear on a public repository.

If you have Docker installed, you can XML encode a read:packages scoped token like this:

docker run jcansdale/gpr encode PAT

Example repo: https://github.com/jcansdale-test/maven-consume
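To make the two steps above concrete, here is an added example (mine, not code from this thread, from jcansdale/gpr or from the linked repo). It builds the settings.xml `<server>` entry with the password written as XML numeric character references, which is the same idea as the encode command above, then parses the result with a standard XML parser to confirm that Maven will see the original token, and finally checks that every `<repository>` id in the pom.xml has a matching `<server>` id in settings.xml, the mismatch that most often leaves a registry unauthenticated. The token, the server id "github" and the sample pom are constructed placeholders; the only safe token to put in a public repository is, as stated above, a read:packages-only token from an account that owns no private packages.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder, not a real token.
EXAMPLE_TOKEN = "ghp_EXAMPLE_NOT_A_REAL_TOKEN"

# Constructed pom fragment with the repository id Maven will look up in settings.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <repositories>
    <repository>
      <id>github</id>
      <url>https://maven.pkg.github.com/joergi/parent-jdk11</url>
    </repository>
  </repositories>
</project>
"""


def xml_encode(text):
    """Write each character as a numeric character reference, e.g. 'A' -> '&#65;'."""
    return "".join(f"&#{ord(c)};" for c in text)


def build_settings_xml(server_id, username, token):
    """Render a minimal settings.xml whose <password> holds the XML-encoded token."""
    return (
        "<settings>\n"
        "  <servers>\n"
        "    <server>\n"
        f"      <id>{server_id}</id>\n"
        f"      <username>{username}</username>\n"
        f"      <password>{xml_encode(token)}</password>\n"
        "    </server>\n"
        "  </servers>\n"
        "</settings>\n"
    )


def _local(tag):
    """Strip an XML namespace prefix like '{http://maven.apache.org/POM/4.0.0}'."""
    return tag.rsplit("}", 1)[-1]


def _ids(xml_text, element_name):
    root = ET.fromstring(xml_text)
    return [
        child.text.strip()
        for el in root.iter()
        if _local(el.tag) == element_name
        for child in el
        if _local(child.tag) == "id" and child.text
    ]


def decoded_password(settings_xml, server_id):
    """Return the password as an XML parser (and therefore Maven) decodes it."""
    root = ET.fromstring(settings_xml)
    for server in root.iter("server"):
        if server.findtext("id") == server_id:
            return server.findtext("password")
    return None


def repositories_without_credentials(settings_xml, pom_xml):
    """Repository ids declared in the pom that have no <server> of the same id."""
    server_ids = set(_ids(settings_xml, "server"))
    return [rid for rid in _ids(pom_xml, "repository") if rid not in server_ids]


if __name__ == "__main__":
    settings = build_settings_xml("github", "joergi", EXAMPLE_TOKEN)
    print(settings)
    print("decodes back to original:", decoded_password(settings, "github") == EXAMPLE_TOKEN)
    print("unauthenticated repositories:", repositories_without_credentials(settings, SAMPLE_POM))
```

The encoded password never appears in the file as the literal token string, yet `decoded_password` shows the parser restores it exactly, which is why Maven authenticates normally while GitHub's scanner does not see a token-shaped string.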


Thanks, I will give it a try!