allow for extra environment variables to be passed to updater image

cmd/dependabot/internal/cmd/root.go

@@ -12,18 +12,19 @@ import (
 )
 
 type SharedFlags struct {
-	file                string
-	cache               string
-	debugging           bool
-	flamegraph          bool
-	proxyCertPath       string
-	collectorConfigPath string
-	extraHosts          []string
-	output              string
-	pullImages          bool
-	volumes             []string
-	timeout             time.Duration
-	local               string
+	file                        string
+	cache                       string
+	debugging                   bool
+	flamegraph                  bool
+	proxyCertPath               string
+	collectorConfigPath         string
+	extraHosts                  []string
+	output                      string
+	pullImages                  bool
+	volumes                     []string
+	timeout                     time.Duration
+	local                       string
+	updaterEnvironmentVariables []string
 }
 
 // root flags

cmd/dependabot/internal/cmd/test.go

@@ -74,6 +74,7 @@ func NewTestCommand() *cobra.Command {
 	cmd.Flags().StringArrayVarP(&flags.volumes, "volume", "v", nil, "mount volumes in Docker")
 	cmd.Flags().StringArrayVar(&flags.extraHosts, "extra-hosts", nil, "Docker extra hosts setting on the proxy")
 	cmd.Flags().DurationVarP(&flags.timeout, "timeout", "t", 0, "max time to run an update")
+	cmd.Flags().StringArrayVarP(&flags.updaterEnvironmentVariables, "updater-env", "e", nil, "additional environment variables to set in the update container")
 
 	return cmd
 }

cmd/dependabot/internal/cmd/update.go

@@ -6,19 +6,20 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/MakeNowJust/heredoc"
-	"github.com/dependabot/cli/internal/infra"
-	"github.com/dependabot/cli/internal/model"
-	"github.com/dependabot/cli/internal/server"
-	"github.com/spf13/cobra"
-	"gopkg.in/yaml.v3"
 	"io"
 	"log"
 	"net"
 	"net/url"
 	"os"
 	"regexp"
 	"strings"
+
+	"github.com/MakeNowJust/heredoc"
+	"github.com/dependabot/cli/internal/infra"
+	"github.com/dependabot/cli/internal/model"
+	"github.com/dependabot/cli/internal/server"
+	"github.com/spf13/cobra"
+	"gopkg.in/yaml.v3"
 )
 
 var updateCmd = NewUpdateCommand()
@@ -84,27 +85,28 @@ func NewUpdateCommand() *cobra.Command {
 			}
 
 			if err := infra.Run(infra.RunParams{
-				CacheDir:            flags.cache,
-				CollectorConfigPath: flags.collectorConfigPath,
-				CollectorImage:      collectorImage,
-				Creds:               input.Credentials,
-				Debug:               flags.debugging,
-				Flamegraph:          flags.flamegraph,
-				Expected:            nil, // update subcommand doesn't use expectations
-				ExtraHosts:          flags.extraHosts,
-				InputName:           flags.file,
-				Job:                 &input.Job,
-				LocalDir:            flags.local,
-				Output:              flags.output,
-				ProxyCertPath:       flags.proxyCertPath,
-				ProxyImage:          proxyImage,
-				PullImages:          flags.pullImages,
-				StorageImage:        storageImage,
-				Timeout:             flags.timeout,
-				UpdaterImage:        updaterImage,
-				Volumes:             flags.volumes,
-				Writer:              writer,
-				ApiUrl:              flags.apiUrl,
+				CacheDir:                    flags.cache,
+				CollectorConfigPath:         flags.collectorConfigPath,
+				CollectorImage:              collectorImage,
+				Creds:                       input.Credentials,
+				Debug:                       flags.debugging,
+				Flamegraph:                  flags.flamegraph,
+				Expected:                    nil, // update subcommand doesn't use expectations
+				ExtraHosts:                  flags.extraHosts,
+				InputName:                   flags.file,
+				Job:                         &input.Job,
+				LocalDir:                    flags.local,
+				Output:                      flags.output,
+				ProxyCertPath:               flags.proxyCertPath,
+				ProxyImage:                  proxyImage,
+				PullImages:                  flags.pullImages,
+				StorageImage:                storageImage,
+				Timeout:                     flags.timeout,
+				UpdaterImage:                updaterImage,
+				Volumes:                     flags.volumes,
+				Writer:                      writer,
+				ApiUrl:                      flags.apiUrl,
+				UpdaterEnvironmentVariables: flags.updaterEnvironmentVariables,
 			}); err != nil {
 				if errors.Is(err, context.DeadlineExceeded) {
 					log.Fatalf("update timed out after %s", flags.timeout)
@@ -137,6 +139,7 @@ func NewUpdateCommand() *cobra.Command {
 	cmd.Flags().DurationVarP(&flags.timeout, "timeout", "t", 0, "max time to run an update")
 	cmd.Flags().IntVar(&flags.inputServerPort, "input-port", 0, "port to use for securely passing input to the updater")
 	cmd.Flags().StringVarP(&flags.apiUrl, "api-url", "a", "", "the api dependabot should connect to.")
+	cmd.Flags().StringArrayVarP(&flags.updaterEnvironmentVariables, "updater-env", "e", nil, "additional environment variables to set in the update container")
 
 	return cmd
 }

internal/infra/run.go

@@ -75,6 +75,8 @@ type RunParams struct {
 	InputName string
 	InputRaw  []byte
 	ApiUrl    string
+	// UpdaterEnvironmentVariables are additional environment variables to set in the update container
+	UpdaterEnvironmentVariables []string
 }
 
 var gitShaRegex = regexp.MustCompile(`^[0-9a-f]{40}$`)
@@ -436,7 +438,7 @@ func runContainers(ctx context.Context, params RunParams) (err error) {
 	}
 
 	if params.Debug {
-		if err := updater.RunShell(ctx, prox.url, params.ApiUrl, params.Job); err != nil {
+		if err := updater.RunShell(ctx, prox.url, params.ApiUrl, params.Job, params.UpdaterEnvironmentVariables); err != nil {
 			return err
 		}
 	} else {
@@ -446,7 +448,7 @@ func runContainers(ctx context.Context, params RunParams) (err error) {
 		}
 
 		// Then run the dependabot commands as the dependabot user
-		env := userEnv(prox.url, params.ApiUrl, params.Job)
+		env := userEnv(prox.url, params.ApiUrl, params.Job, params.UpdaterEnvironmentVariables)
 		if params.Flamegraph {
 			env = append(env, "FLAMEGRAPH=1")
 		}

internal/infra/updater.go

@@ -305,7 +305,7 @@ func mountOptions(v string) (local, remote string, readOnly bool, err error) {
 	return local, remote, readOnly, nil
 }
 
-func userEnv(proxyURL string, apiUrl string, job *model.Job) []string {
+func userEnv(proxyURL string, apiUrl string, job *model.Job, additionalEnvVars []string) []string {
 	envVars := []string{
 		"GITHUB_ACTIONS=true", // sets exit code when fetch fails
 		fmt.Sprintf("http_proxy=%s", proxyURL),
@@ -329,18 +329,20 @@ func userEnv(proxyURL string, apiUrl string, job *model.Job) []string {
 		envVars = append(envVars, fmt.Sprintf("DEPENDABOT_REPO_CONTENTS_PATH=%s", guestRepoDir))
 	}
 
+	envVars = append(envVars, additionalEnvVars...)
+
 	return envVars
 }
 
 // RunShell executes an interactive shell, blocks until complete.
-func (u *Updater) RunShell(ctx context.Context, proxyURL string, apiUrl string, job *model.Job) error {
+func (u *Updater) RunShell(ctx context.Context, proxyURL string, apiUrl string, job *model.Job, additionalEnvVars []string) error {
 	execCreate, err := u.cli.ContainerExecCreate(ctx, u.containerID, container.ExecOptions{
 		AttachStdin:  true,
 		AttachStdout: true,
 		AttachStderr: true,
 		Tty:          true,
 		User:         dependabot,
-		Env:          append(userEnv(proxyURL, apiUrl, job), "DEBUG=1"),
+		Env:          append(userEnv(proxyURL, apiUrl, job, additionalEnvVars), "DEBUG=1"),
 		Cmd:          []string{"/bin/bash", "-c", "update-ca-certificates && /bin/bash"},
 	})
 	if err != nil {