dependabot: fail when bumpiing docker images

[v1v]

updater | 2025/03/24 00:59:41 INFO <job_985041479> Handled error whilst updating wolfi/chainguard-base: private_source_authentication_failure {:source=>"docker.elastic.co"}
  proxy | 2025/03/24 00:59:41 [034] POST /update_jobs/985041479/record_ecosystem_meta
  proxy | 2025/03/24 00:59:41 [034] 204 /update_jobs/985041479/record_ecosystem_meta
  proxy | 2025/03/24 00:59:42 [036] PATCH /update_jobs/985041479/mark_as_processed
  proxy | 2025/03/24 00:59:42 [036] 204 /update_jobs/985041479/mark_as_processed
updater | 2025/03/24 00:59:42 INFO <job_985041479> Finished job processing
updater | 2025/03/24 00:59:42 INFO Results:
Dependabot encountered '1' error(s) during execution, please check the logs for more details.
+---------------------------------------------------------------+
|                 Dependencies failed to update                 |
+-----------------------+---------------------------------------+
| wolfi/chainguard-base | private_source_authentication_failure |
+-----------------------+---------------------------------------+
Failure running container 1e3900a90186b0cd2307c9d9b1c6831e4a4c980808285f5325eaad738cad8510
Cleaned up container 1e3900a90186b0cd2307c9d9b1c6831e4a4c980808285f5325eaad738cad8510

That's something we could solve if we use dependabot with https://docs.github.com/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot

We have enabled in some other projects, I don't know whether this is something we want to explore and then deprecate the renovate approach.

What do you think?

[trentm]

Context: This is from https://github.com/elastic/apm-agent-nodejs/actions/runs/14024924910/job/39261942705

[trentm]

@v1v IIUC this is about Dependabot trying to update Dockerfile.wolfi in this repo.

1. Don't we already use renovate to update that file (and only that file)?
2. Do you happen to know if it is a recent change in Dependabot that it attempts to update Dockerfile.wolfi, as opposed to just Dockerfile in the root dir?

[trentm]

and then deprecate the renovate approach.

Oh, sorry. I missed this part of your comment.

Yes, I'd be happy to drop renovate and use only Dependabot, if we can get it to work for Dockerfile.wolfi.

[v1v]

Do you happen to know if it is a recent change in Dependabot that it attempts to update Dockerfile.wolfi, as opposed to just Dockerfile in the root dir?

I think Dependabot is able to find all those docker images:

apm-agent-nodejs/.github/dependabot.yml

Lines 113 to 117 in 009aeb5

	# Docker
	- package-ecosystem: "docker"
	directory: "/"
	schedule:
	interval: "weekly"

Yes, I'd be happy to drop renovate and use only Dependabot, if we can get it to work for Dockerfile.wolfi.

I can take a swing, so I'll share with you what I've done

[v1v]

I merged and it worked fine:

• https://github.com/elastic/apm-agent-nodejs/actions/runs/14081522721/job/39435371923

updater | 2025/03/26 10:54:42 INFO <job_987246633> Checking if wolfi/chainguard-base latest needs updating
updater | 2025/03/26 10:54:42 INFO <job_987246633> Latest version is latest
  proxy | 2025/03/26 10:54:42 [026] HEAD [https://docker.elastic.co:443/v2/wolfi/chainguard-base/manifests/latest](https://docker.elastic.co/v2/wolfi/chainguard-base/manifests/latest)
2025/03/26 10:54:42 [026] * authenticating docker registry request (host: docker.elastic.co)
  proxy | 2025/03/26 10:54:43 [026] 200 [https://docker.elastic.co:443/v2/wolfi/chainguard-base/manifests/latest](https://docker.elastic.co/v2/wolfi/chainguard-base/manifests/latest)
updater | 2025/03/26 10:54:43 INFO <job_987246633> No update needed for wolfi/chainguard-base latest