Renovate bot Azure DevOps npm feed auth error


I get a 401 error if I try to use my private npm registry in Azure DevOps. My configuration looks like this:

# pipeline.yaml (repo root folder)
steps:
  - task: npmAuthenticate@0
    inputs:
      workingFile: .npmrc
  - script: |
      git config --global user.email 'bot@renovateapp.com'
      git config --global user.name 'Renovate Bot'
      npx --userconfig .npmrc renovate
    env:
      TOKEN: $(System.AccessToken)
      PAT: $(PAT)

// config.js (repo root folder)
module.exports = {
    platform: 'azure',
    endpoint: 'https://devops.<url>.de/.../',
    logLevel: 'debug',
    token: process.env.TOKEN,
    repositories: ['...'],
    enabledManagers: ["npm"],
    hostRules: [
        {
            enabled: true,
            hostType: 'npm',
            matchHost: 'devops.<url>.de',
            token: process.env.PAT,
        },
    ],
};

# .npmrc (repo root folder)
registry=https://devops.<url>.de/Collaboration/_packaging/.../npm/registry/
always-auth=true

The installation of renovate works and my registry gets used for it. But renovate itself runs into a 401. How can I tell renovate to use the .npmrc generated from the `npmAuthenticate@0` task?

Error stack:

ERROR: Repository has unknown error (repository=...)
       "err": {
         "statusCode": 401,
         "message": "Failed request: (401)",
         "stack": "Error: Failed request: (401)\n    at RestClient.<anonymous> (/root/.npm/_npx/05eeecd92f4e18e0/node_modules/typed-rest-client/RestClient.js:202:31)\n    at Generator.next (<anonymous>)\n    at fulfilled (/root/.npm/_npx/05eeecd92f4e18e0/node_modules/typed-rest-client/RestClient.js:6:58)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"
       }

Solution

  • The renovate command will modify the repo you defined in the config.js file (e.g. repositories: ['...']).

    Since you are using the $(System.AccessToken) as the authentication method, you need to grant Contribute permissions (e.g. Contribute, Contribute to pull requests, Create branch) on the target repo to the corresponding build service account.

    Project Level Build Service Account Name: Your-project-name Build Service (your-collection-name)

    Organization Level Build Service Account Name: Project Collection Build Service (your-collection-name)

    You can navigate to Project Settings -> Repositories -> Target Repo -> Security and grant the Contribute permission to the two build service accounts.

    For more detailed info, you can refer to this doc: Manage build service account permissions

    On the other hand, if you need to update the repo from another project, you need to disable the option: Limit job authorization scope to current project for non-release pipelines in Project Settings -> Settings.
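
The grant described in the answer above can also be checked from data rather than the UI. This is an added example, not part of the original answer: it takes a repository ACL and reports which of the three permissions each build service identity still lacks. The ACL shape (`acesDictionary`, `extendedInfo`) and the permission bit values are assumptions to confirm against your server, and the descriptors and sample ACL are constructed placeholders.

```javascript
// Added example, not from the original answer. Bit values are assumed to be the
// action bits of Azure DevOps' "Git Repositories" security namespace; confirm
// them against your server's namespace definition before relying on this.
const REQUIRED = {
  'Contribute': 4,                      // GenericContribute
  'Create branch': 16,                  // CreateBranch
  'Contribute to pull requests': 16384, // PullRequestContribute
};

// Returns the names of required permissions the identity does NOT hold.
// `ace` is one access control entry: { allow, deny, extendedInfo? } (assumed shape).
function missingPermissions(ace) {
  if (!ace) return Object.keys(REQUIRED); // identity has no entry on this repo
  const info = ace.extendedInfo || {};
  // Prefer the server-computed effective bits; fall back to the explicit ones.
  const allow = info.effectiveAllow ?? ace.allow ?? 0;
  const deny = info.effectiveDeny ?? ace.deny ?? 0;
  // A permission counts as held only when it is allowed and not denied.
  return Object.entries(REQUIRED)
    .filter(([, bit]) => (deny & bit) !== 0 || (allow & bit) === 0)
    .map(([name]) => name);
}

// Checks each build service identity (project and collection level) on one ACL.
function auditRepoAcl(acl, descriptors) {
  const report = {};
  for (const d of descriptors) report[d] = missingPermissions(acl.acesDictionary[d]);
  return report;
}

// Constructed sample data: placeholder descriptors, not real identities.
const PROJECT_SVC = 'Microsoft.TeamFoundation.ServiceIdentity;<guid>:Build:<project-id>';
const COLLECTION_SVC = 'Microsoft.TeamFoundation.ServiceIdentity;<guid>:Build:<collection-id>';
const sampleAcl = {
  token: 'repoV2/<project-id>/<repo-id>',
  acesDictionary: {
    [PROJECT_SVC]: { allow: 4 | 16 | 16384, deny: 0 },
    // Explicit Allow covers Contribute only; the effective result denies Create branch.
    [COLLECTION_SVC]: {
      allow: 4,
      deny: 0,
      extendedInfo: { effectiveAllow: 4 | 16384, effectiveDeny: 16 },
    },
  },
};

console.log(auditRepoAcl(sampleAcl, [PROJECT_SVC, COLLECTION_SVC]));
```

An empty list for both identities means the `$(System.AccessToken)` identity holds the permissions the answer lists; any remaining name is a permission still to grant.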