This answer is based on @aphexlog's answer and @Andrea De Luisi's comment about how to update the CodeArtifact token, because it expires after 12 hours. My solution uses the NuGet package manager as an example and uses a separate GitHub Action (.yml file) that runs a cron-job, which is separate from the dependabot configuration.
Prerequisites
- dependabot.yml located at YourProject/.github/dependabot.yml
- aws-code-artifact-updatetoken.yml (call it whatever you want) located at YourProject\.github\workflows\aws-code-artifact-updatetoken.yml
- AWS credentials as a repository/organization secret
- A personal access token classic (PAT) with an expiration of 30-90 days if you need to be secure. For this use case though, I think no expiration or a 365-day expiration is safe enough.
To create your PAT (classic), go to your personal account settings, scroll down until you see <> Developer Settings, then go to the personal access tokens dropdown and choose Tokens (classic). Generate a new token and make sure to click Generate New Token (classic). Click the workflow scope (this will force repo scopes) if you do not belong to an organization. If you do belong to an organization, also click the admin:org scope.
Option 1
- Create or belong to a GitHub organization
- Go to Organization settings, scroll down to where it says "secrets" and choose "dependabot" and create a Dependabot Organization Secret
Option 2
- Go to your repository, click on the "Settings" tab
- Scroll down to where it says "secrets" and choose "dependabot" and create a new Dependabot Repository Secret
I have created my secret as a Dependabot organization secret with the name CODE_ARTIFACT_TOKEN_PRIVATE_REPOS and it is only accessible to private repositories. My initial value was a dummy value "test" because it was going to get updated to a proper token once the workflow runs.
aws-code-artifact-updatetoken.yml
```yaml
name: Update AWS Code Artifact Token
on:
  schedule:
    # Runs every 10 hours
    - cron: "0 */10 * * *"
  workflow_dispatch:
```
This creates a name for the workflow and sets up a cron-job that runs automatically on GitHub Actions every 10 hours.
```yaml
jobs:
  update-code-artifact-token:
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: us-west-2
      GH_TOKEN: ${{ secrets.ORG_SECRETS }}
    steps:
      - name: Get Code Artifact Token
        run: |
          # Every `run:` step runs in its own shell, so a plain `export` does not
          # reach the next step; append the variable to $GITHUB_ENV instead.
          CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token --domain fullstackindie --domain-owner 896630178141 --query authorizationToken --output text)
          # Mask the token so it never shows up in the job log.
          echo "::add-mask::$CODEARTIFACT_AUTH_TOKEN"
          echo "CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN" >> "$GITHUB_ENV"
```
This creates a job that runs on Ubuntu and creates environment variables in a format that is used automatically by the aws CLI and gh CLI (GitHub), which come installed on the GitHub Actions runner. I am exporting CODEARTIFACT_AUTH_TOKEN as a variable to the current shell to be used in a later step. This variable gets a proper CodeArtifact token. Replace --domain fullstackindie --domain-owner 896630178141 with your AWS CodeArtifact account information.
```yaml
      # continues the steps list of the job above
      - name: Update Code Artifact Token
        run: |
          gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --org FullStackIndieLLC --visibility private --app dependabot --body "$CODEARTIFACT_AUTH_TOKEN"
```
This last step uses the GitHub CLI to set the Dependabot repository/organization secret that was created earlier for your repo or organization. You can set different flags/args for gh secret set, but you have to include --app dependabot to update Dependabot secrets. You must also include the --body arg that contains the token. When using environment variables, you have to use the "$MY_ENV" format for --body. Because my Dependabot organization secret is only valid for private repositories, I have set visibility to private. I am also using the --org flag to change my Dependabot organization secret. If using a Dependabot repository secret, then your token will look similar to this:
```yaml
      - name: Update Code Artifact Token
        run: |
          # --visibility applies only to organization secrets, so it is omitted for a repository secret
          gh secret set CODE_ARTIFACT_TOKEN_PRIVATE_REPOS --repo MyRepo --app dependabot --body "$CODEARTIFACT_AUTH_TOKEN"
```
I would recommend forcing a workflow run by going to the "Actions" tab in your repo, clicking on the workflow and then clicking "Run workflow" in the dropdown. Otherwise, your repo might not update the token for 10 hours or so before the first run.
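As an added example (not code from the answer above), the two workflow steps folded into guarded shell functions that refuse to overwrite the Dependabot secret with an empty or error-shaped value, mask the token in the job log, and hand it to later steps through $GITHUB_ENV. It assumes the aws and gh CLIs are on PATH with the AWS_* and GH_TOKEN variables set as in the workflow's env: block; CODEARTIFACT_DOMAIN, CODEARTIFACT_DOMAIN_OWNER, SECRET_NAME, TARGET_KIND, TARGET, GH_BIN and RUN_MAIN are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example, not the original answer's code. Assumes aws and gh are on PATH
# and authenticated through the same env vars the answer's workflow sets.
set -eu

# `aws ... --output text` prints nothing on failure and the literal "None" when
# the queried field is missing, so check for both before touching the secret.
validate_token() {
  tok="$1"
  [ -n "$tok" ] || return 1
  [ "$tok" != "None" ] || return 1
  case "$tok" in *[[:space:]]*) return 1 ;; esac   # whitespace means an error dump, not a token
  return 0
}

fetch_token() {
  aws codeartifact get-authorization-token \
    --domain "${CODEARTIFACT_DOMAIN:?}" --domain-owner "${CODEARTIFACT_DOMAIN_OWNER:?}" \
    --query authorizationToken --output text
}

# Each `run:` step is a fresh shell, so pass the token to later steps via
# $GITHUB_ENV, and mask it so it never appears in the job log.
publish_token_to_env() {
  echo "::add-mask::$1"
  echo "CODEARTIFACT_AUTH_TOKEN=$1" >> "${GITHUB_ENV:?not running inside GitHub Actions}"
}

# Update an org-level or repo-level Dependabot secret. GH_BIN (assumed name) only
# exists so the gh call can be swapped out when exercising this outside Actions.
set_dependabot_secret() {
  name="$1"; kind="$2"; target="$3"; tok="$4"
  case "$kind" in
    org)  "${GH_BIN:-gh}" secret set "$name" --org "$target" --visibility private \
            --app dependabot --body "$tok" ;;
    repo) "${GH_BIN:-gh}" secret set "$name" --repo "$target" --app dependabot --body "$tok" ;;
    *)    echo "kind must be org or repo" >&2; return 2 ;;
  esac
}

main() {
  tok="$(fetch_token)"
  validate_token "$tok" || { echo "empty or malformed CodeArtifact token; secret left unchanged" >&2; return 1; }
  publish_token_to_env "$tok"
  set_dependabot_secret "${SECRET_NAME:?}" "${TARGET_KIND:?}" "${TARGET:?}" "$tok"
}
# e.g. RUN_MAIN=1 SECRET_NAME=CODE_ARTIFACT_TOKEN_PRIVATE_REPOS TARGET_KIND=org TARGET=MyOrg ./update-token.sh
if [ "${RUN_MAIN:-}" = 1 ]; then main; fi
```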