Skip network and proxy creation when no credentials are present

[Copilot]

Summary

Successfully implemented the optimization to skip creating Docker networks and starting the proxy container when there are no credentials to protect.

Changes Made

• Explore repository structure and understand the codebase
• Understand the problem: skip network and proxy creation when no credentials
• Modify runContainers function to conditionally create networks and proxy
• Update NewUpdater to handle optional proxy and networks
• Update userEnv and other functions to handle empty proxy URL
• Create tests for the no-credentials scenario
• Run existing tests to ensure no regressions
• Update integration test to handle new behavior
• Fix OpenTelemetry collector to only run when credentials are present
• Address code review feedback
• Fix network creation for case-insensitive filesystem support
• Fix pypi test to include credentials for certificate verification
• Run security checks (0 vulnerabilities found)

Technical Details

Modified Files

1. internal/infra/run.go:

   • Added hasCredentials check to determine if proxy should be created
   • Added needsNetwork check for both credentials and case-insensitive filesystem
   • Networks are created when either credentials exist OR case-insensitive filesystem is needed
   • Proxy is only created when credentials exist
   • OpenTelemetry collector requires credentials (depends on proxy)

2. internal/infra/updater.go:

   • Modified NewUpdater to handle nil network and proxy parameters
   • Updated putUpdaterInputs to skip certificate copy when no proxy exists
   • Made network configuration conditional on network availability

3. internal/infra/run_test.go:

   • Added unit tests to verify credential checking logic
   • Tests cover nil, empty, and populated credential scenarios

4. testdata/scripts/proxy.txt:

   • Updated proxy integration test to provide credentials via job file
   • Added new test case to verify proxy is NOT started when credentials are absent
   • Ensures backward compatibility for tests that expect proxy behavior

5. testdata/scripts/pypi.txt:

   • Updated to use job file with credentials
   • Ensures proxy runs to generate and install certificate for HTTPS verification

Benefits

• Performance: Avoids unnecessary proxy container creation when credentials aren't needed
• Testing: Enables testing updater behavior in isolation without credential infrastructure
• Compatibility: Networks still created for case-insensitive filesystem support
• Production Safety: No impact on production, as credentials are always present there

Test Results

✅ SMB mount test passes (case-insensitive filesystem works)
✅ Proxy tests pass (with and without credentials)
✅ PyPI test updated to work with conditional proxy
✅ All unit tests pass
✅ All linting checks pass (gofmt, go vet)
✅ CodeQL security scan: 0 vulnerabilities

Original prompt

Please make a change in the running of the containers. If there are no credentials, don't create a network and don't start the Proxy. The only purpose of the Proxy (and thus network) is to keep the credentials from the Updater container. If there are no credentials, then there's no reason to do that work.

This will be helpful in testing Updater behavior where we don't care about credentials. Otherwise it will never happen in Production.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[jakecoffman]

@copilot fix the CI errors

                cli | 2025/11/06 17:09:38 Preparing case insensitive filesystem
            panic: runtime error: invalid memory address or nil pointer dereference
            [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x78bd04]
            
            goroutine 1 [running]:
            github.com/dependabot/cli/internal/infra.createStorageVolumes(0xc000294488, {0x9ca528, 0xc0000ea8c0}, 0xc00024e000, 0x0, {0x9223eb, 0x25})
            	/home/runner/work/cli/cli/internal/infra/updater.go:166 +0x184
            github.com/dependabot/cli/internal/infra.NewUpdater({0x9ca528, 0xc0000ea8c0}, 0xc00024e000, 0x0, 0xc00014b710, 0x0, 0x0)
            	/home/runner/work/cli/cli/internal/infra/updater.go:105 +0x50b
            github.com/dependabot/cli/internal/infra.runContainers({_, _}, {{0x0, 0x0}, 0xc0001e4000, {0x0, 0x0, 0x0}, {0x0, 0x0}, ...})
            	/home/runner/work/cli/cli/internal/infra/run.go:444 +0x8d6
            github.com/dependabot/cli/internal/infra.Run({{0x0, 0x0}, 0xc0001e4000, {0x0, 0x0, 0x0}, {0x0, 0x0}, {0xcefbc0, 0x0, ...}, ...})
            	/home/runner/work/cli/cli/internal/infra/run.go:156 +0x4c8
            github.com/dependabot/cli/cmd/dependabot/internal/cmd.NewUpdateCommand.func1(0xc0000e8f00?, {0x90ec47?, 0x4?, 0x90ec4b?})
            	/home/runner/work/cli/cli/cmd/dependabot/internal/cmd/update.go:87 +0x445
            github.com/spf13/cobra.(*Command).execute(0xc0001c8608, {0xc0001da640, 0x4, 0x4})
            	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1015 +0xa94
            github.com/spf13/cobra.(*Command).ExecuteC(0xcc60c0)
            	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1148 +0x40c
            github.com/spf13/cobra.(*Command).Execute(...)
            	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1071
            github.com/dependabot/cli/cmd/dependabot/internal/cmd.Execute()
            	/home/runner/work/cli/cli/cmd/dependabot/internal/cmd/root.go:51 +0x1a
            main.main()
            	/home/runner/work/cli/cli/cmd/dependabot/dependabot.go:8 +0xf

[Copilot]

@copilot fix the CI errors

...

Fixed in commit 001ef59. The issue was that case-insensitive filesystem support requires networks to be created even when credentials are absent. Updated the logic to create networks when either credentials exist OR case-insensitive filesystem is needed, while the proxy is only created when credentials exist.

[jakecoffman]

@copilot Fix these tests as well:

--- FAIL: TestDependabot (0.65s)
    --- FAIL: TestDependabot/pypi (30.62s)
        scripttest.go:204: 2025-11-06T17:26:01Z
        scripttest.go:206: $WORK=/tmp/TestDependabotpypi4235719308/001
        scripttest.go:212: 
            # this test verifies the certificate generated allows us to connect to pypi.org (30.618s)
            > exec docker build -qt pypi-updater .
            [stdout]
            sha256:ccbf5129822d900928d0964ce6f74020c2472aeb394962a78f13389c03e51c2e
            > dependabot update go_modules dependabot/cli --updater-image pypi-updater
            [stderr]
                cli | 2025/11/06 17:26:31 Using hostname: github.com api endpoint: https://api.github.com/
            updater | Updating certificates in /etc/ssl/certs...
            updater | 0 added, 0 removed; done.
            updater | Running hooks in /etc/ca-certificates/update.d...
            updater | done.
            updater | Python 3.13.9
            updater | Python 3.13.9
            > stderr '200 [https://pypi.org:443/](https://pypi.org/)'
        scripttest.go:212: FAIL: ../../testdata/scripts/pypi.txt:5: stderr '200 [https://pypi.org:443/](https://pypi.org/)': no match for `(?m)200 [https://pypi.org:443/`](https://pypi.org/%60) in stderr
--- FAIL: TestDependabot (0.54s)
    --- FAIL: TestDependabot/pypi (2.13s)
        scripttest.go:204: 2025-11-06T17:26:32Z
        scripttest.go:206: $WORK=/tmp/TestDependabotpypi1395454129/001
        scripttest.go:212: 
            # this test verifies the certificate generated allows us to connect to pypi.org (2.132s)
            > exec docker build -qt pypi-updater .
            [stdout]
            sha256:ccbf5129822d900928d0964ce6f74020c2472aeb394962a78f13389c03e51c2e
            > dependabot update go_modules dependabot/cli --updater-image pypi-updater
            [stderr]
                cli | 2025/11/06 17:26:33 Using hostname: github.com api endpoint: https://api.github.com/
            updater | Updating certificates in /etc/ssl/certs...
            updater | 0 added, 0 removed; done.
            updater | Running hooks in /etc/ca-certificates/update.d...
            updater | done.
            updater | Python 3.13.9
            updater | Python 3.13.9
            > stderr '200 [https://pypi.org:443/](https://pypi.org/)'
        scripttest.go:212: FAIL: ../../testdata/scripts/pypi.txt:5: stderr '200 [https://pypi.org:443/](https://pypi.org/)': no match for `(?m)200 [https://pypi.org:443/`](https://pypi.org/%60) in stderr
FAIL

I think the issue here is we are expecting to see certain output from the Proxy, but we aren't running the proxy since there are no credentials. Is there another way to assert? Or can we add an unrelated credential to the test so the Proxy starts up?

[Copilot]

@copilot Fix these tests as well:

...

Fixed in commit d4a7a34. Added credentials to the pypi test via a job file. The test verifies that the proxy's certificate allows HTTPS connections to pypi.org, so it needs the proxy to run. This matches the approach used in the proxy test.

[jakecoffman]

Will revisit soon, still think this is a good idea but things are getting messy.