Dependabot: specify insecure code execution for specific registry #3
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In order to get Dependabot to work with our govuk_chat_private private repo, we needed to define a "github" registry in the config file with a set of credentials which allows Dependabot to check out that repo. Furthermore it wouldn't check out the repo unless we set the `insecure-external-code-execution` option to `"allow"`. But it feels a bit risky to be allowing insecure code execution for all of our gem dependencies. This commit is an attempt to tighten up this requirement by adding another Bundler ecosystem that's references just the "github" registry and sets the `insecure-external-code-execution` to `"allow"` hopefully for just that registry. The idea being that the other Bundler ecosystem doesn't have a registry defined so perhaps Dependabot will use that one for all the public gems, and use the "github" registry ecosystem for our private gem.
kevindew
reviewed
Jan 22, 2025
| @@ -1,7 +1,11 @@ | |||
| version: 2 | |||
| updates: | |||
| - package-ecosystem: bundler | |||
There was a problem hiding this comment.
I think we should have registries section for this bit too, would that be rubygems?
There was a problem hiding this comment.
The docs say that the registries section is only for private registries:
Configure access to private package registries to allow Dependabot to update a wider range of dependencies
There was a problem hiding this comment.
Oh great - well let's give it a whirl. I'm probably less than 50% confident this'll work but worth a shot.
kevindew
approved these changes
Jan 23, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In order to get Dependabot to work with our govuk_chat_private private
repo, we needed to define a "github" registry in the config file with a
set of credentials which allows Dependabot to check out that repo.
Furthermore it wouldn't check out the repo unless we set the
insecure-external-code-executionoption to"allow". But it feels abit risky to be allowing insecure code execution for all of our gem
dependencies.
This commit is an attempt to tighten up this requirement by adding
another Bundler ecosystem that's references just the "github" registry
and sets the
insecure-external-code-executionto"allow"hopefullyfor just that registry.
The idea being that the other Bundler ecosystem doesn't have a registry
defined so perhaps Dependabot will use that one for all the public gems,
and use the "github" registry ecosystem for our private gem.