12 changes: 12 additions & 0 deletions cmd/dependabot/internal/cmd/update.go
Expand Up @@ -329,6 +329,7 @@ func processInput(input *model.Input, flags *UpdateFlags) {
// doesn't already exist. This way the user doesn't run out of calls from being anonymous.
hasLocalToken := os.Getenv("LOCAL_GITHUB_ACCESS_TOKEN") != ""
hasLocalAzureToken := os.Getenv("LOCAL_AZURE_ACCESS_TOKEN") != ""
hasGitHubJitAccessEndpoint := os.Getenv("GITHUB_JITACCESS_TOKEN_ENDPOINT") != ""

var isGitSourceInCreds bool
for _, cred := range input.Credentials {
Expand Down Expand Up @@ -359,6 +360,17 @@ func processInput(input *model.Input, flags *UpdateFlags) {
"username": "x-access-token",
"password": "$LOCAL_GITHUB_ACCESS_TOKEN",
})

if hasGitHubJitAccessEndpoint {
log.Println("Adding jit_access type for GitHub credentials")
input.Credentials = append(input.Credentials, model.Credential{
"type": "jit_access",
"host": host,
"credential-type": "git_source",
"endpoint": "$GITHUB_JITACCESS_TOKEN_ENDPOINT",
})
Comment on lines 366 to 371
Member


You will need to pass a host property to tell the proxy which hosts can use JIT. The property username is not used for JIT access, the request is authenticated using the job token, so this property can be removed.

Also I wanted to mention this is already possible to do without environment variables by specifying a jit_access credential in the job definition passed to Dependabot CLI using the -f flag:

$ dependabot update -f job.json

or

$ dependabot update -f job.yml

The definition would be something like:

job:
  # job definition goes here, this goes to dependabot-core
credentials:
  - type: jit_access
    credential-type: git_source
    host: github.com
    endpoint: example.com

Author


Thanks for catching the missing host! Fixing that and removing username.

Yes! I used that -f flag to test this locally as a proof of concept, but on ADO Dependabot it looks like we are passing credentials through env variables and constructing the credentials input in the CLI (in this file), so I'm thinking of just using the same approach here. The jit_access endpoint value here will be unique to each job we run. Are you suggesting prepopulating the jit_access credential type in the input before we call the CLI? That might work too; I'll have to take another look at our service.

During my test, I have two credential type in my job file -- one with github token and one for jit_access. This is how it looks like and what I'm attempting to add here!

credentials:
  - type: git_source
    password: SAMPLE_TOKEN
    username: x-access-token
    host: github.com
  - type: jit_access
    host: github.com
    credential-type: git_source
    endpoint: $GITHUB_JITACCESS_TOKEN_ENDPOINT

Author


Update: I think I found the place where I can insert credentials in our job definition before calling the CLI! I'll work on that first; if it works out, I won't need to pass a new env var anymore.

Member


Yeah, it's best to put it all in the job definition. We started using environment variables as a convenience for running on our local machines because we already had $LOCAL_GITHUB_ACCESS_TOKEN set; it makes it easier to run jobs with the short-hand dependabot update go_modules dependabot/cli, but for production it's best to provide the full job and credentials in a file.

}

if len(input.Job.CredentialsMetadata) > 0 {
// Add the metadata since the next section will be skipped.
input.Job.CredentialsMetadata = append(input.Job.CredentialsMetadata, map[string]any{
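Review bot: The new `if hasGitHubJitAccessEndpoint` block is nested inside the branch that appends the LOCAL_GITHUB_ACCESS_TOKEN git_source credential (that enclosing `if` opens before this hunk, and processInput starts and ends outside it), so GITHUB_JITACCESS_TOKEN_ENDPOINT appears to be read at the top of the function and then silently ignored whenever LOCAL_GITHUB_ACCESS_TOKEN is unset. If that coupling is intended, document it next to the flag, e.g. `// only honoured together with LOCAL_GITHUB_ACCESS_TOKEN: the jit_access entry is attached to that git_source credential`; otherwise log the skipped case so a job configured with only the endpoint does not quietly run without JIT access. The endpoint is also appended as the literal placeholder `$GITHUB_JITACCESS_TOKEN_ENDPOINT`, mirroring the password field, which presumably relies on the proxy substituting it as it does the token; a one-line comment saying so would stop a reader from assuming the resolved URL is being passed. Note that no validation is applied to the endpoint value taken from the environment, so a malformed value would only surface downstream.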
45 changes: 45 additions & 0 deletions cmd/dependabot/internal/cmd/update_test.go
Expand Up @@ -17,6 +17,7 @@ func Test_processInput(t *testing.T) {
t.Cleanup(func() {
os.Unsetenv("LOCAL_GITHUB_ACCESS_TOKEN")
os.Unsetenv("LOCAL_AZURE_ACCESS_TOKEN")
os.Unsetenv("GITHUB_JITACCESS_TOKEN_ENDPOINT")
})
t.Run("initializes some fields", func(t *testing.T) {
os.Setenv("LOCAL_GITHUB_ACCESS_TOKEN", "")
Expand Down Expand Up @@ -203,6 +204,50 @@ func Test_processInput(t *testing.T) {

assertStringArraysEqual(t, expectedGitCredentalsMetadataHosts, actualCredentialsMetadataHosts)
})

t.Run("Add Jit Access credentials when endpoint is present", func(t *testing.T) {
var input model.Input
os.Setenv("LOCAL_GITHUB_ACCESS_TOKEN", "token")
host := "github.example.com"
input.Job.Source.Hostname = &host
os.Setenv("GITHUB_JITACCESS_TOKEN_ENDPOINT", "host/jit_access")

processInput(&input, nil)

if len(input.Credentials) != 2 {
t.Fatal("expected two credential types to be added")
}
if !reflect.DeepEqual(input.Credentials[0], model.Credential{
"type": "git_source",
"host": host,
"username": "x-access-token",
"password": "$LOCAL_GITHUB_ACCESS_TOKEN",
}) {
t.Error("expected git_source credentials to be added")
}
if !reflect.DeepEqual(input.Credentials[1], model.Credential{
"type": "jit_access",
"host": host,
"credential-type": "git_source",
"endpoint": "$GITHUB_JITACCESS_TOKEN_ENDPOINT",
}) {
t.Error("expected jit_access credentials to be added")
}
if !reflect.DeepEqual(input.Job.CredentialsMetadata[0], model.Credential{
"type": "git_source",
"host": host,
}) {
t.Error("expected git_source credentials metadata to be added")
}
if !reflect.DeepEqual(input.Job.CredentialsMetadata[1], model.Credential{
"type": "jit_access",
"credential-type": "git_source",
"host": host,
"endpoint": "$GITHUB_JITACCESS_TOKEN_ENDPOINT",
}) {
t.Error("expected jit_access credentials metadata to be added")
}
})
}

func assertStringArraysEqual(t *testing.T, expected, actual []string) {
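Review bot: The new subtest indexes `input.Job.CredentialsMetadata[0]` and `[1]` without first checking the slice length, so a regression that drops a metadata entry would surface as an index-out-of-range panic rather than a readable failure; add `if len(input.Job.CredentialsMetadata) != 2 { t.Fatalf("expected two credentials metadata entries, got %d", len(input.Job.CredentialsMetadata)) }` before the DeepEqual checks, matching the length guard already used for input.Credentials. The subtest sets GITHUB_JITACCESS_TOKEN_ENDPOINT with os.Setenv and relies on the t.Cleanup at the top of Test_processInput to unset it, so any subtest that runs after it in the same function inherits the value; `t.Setenv` scopes the variable to the subtest and is the standard-library way to avoid that leak. There is also no case covering an endpoint set while LOCAL_GITHUB_ACCESS_TOKEN is empty, which is the configuration most likely to be misread by users. Test_processInput begins before the first hunk.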