getsentry/fastify-otel - pnpm install/fetch not working in CI on dependabot PRs - error code 128

[jlowcs]

Is there an existing issue for this?

• I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
• I have reviewed the documentation https://docs.sentry.io/
• I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

How do you use Sentry?

Sentry Saas (sentry.io)

Which SDK are you using?

@sentry/browser

SDK Version

Framework Version

No response

Link to Sentry event

No response

Reproduction Example/SDK Setup

No response

Steps to Reproduce

A dependabot PR updated our pnpm lockfile, replacing https://codeload.github.com with git+https://git@github.com

For instance,

'@fastify/otel@https://codeload.github.com/getsentry/fastify-otel/tar.gz/d6bb1756c3db3d00d4d82c39c93ee3316e06d305(@opentelemetry/api@1.9.0)':

became

'@fastify/otel@git+https://git@github.com:getsentry/fastify-otel.git#ae3088d65e286bdc94ac5d722573537d6a6671bb(@opentelemetry/api@1.9.0)':

This change is being applied on all dependabot PRs, even those that don't bump Sentry.

This results in our CI not passing anymore, both in CircleCI and in Github Actions:

Run pnpm i --ignore-scripts
Scope: all 27 workspace projects
Lockfile is up to date, resolution step is skipped
Progress: resolved 1, reused 0, downloaded 0, added 0
Packages: +3551
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Progress: resolved 3551, reused 0, downloaded 0, added 0
Progress: resolved 3551, reused 0, downloaded 15, added 0
Progress: resolved 3551, reused 0, downloaded 11[9](https://github.com/change/corgi/actions/runs/15026969483/job/42230030476?pr=16015#step:6:10), added 117
Progress: resolved 3551, reused 0, downloaded 264, added 254
Progress: resolved 3551, reused 0, downloaded 327, added 327
Progress: resolved 3551, reused 0, downloaded 498, added 493
Progress: resolved 3551, reused 0, downloaded 522, added 513
Progress: resolved 3551, reused 0, downloaded 599, added 593
Progress: resolved 3551, reused 0, downloaded 698, added 690
 ERROR  Command failed with exit code 128: /usr/bin/git clone git@github.com:getsentry/fastify-otel.git /home/runner/setup-pnpm/node_modules/.bin/store/v3/tmp/_tmp_1886_c2c62726d7df692904a22abcf0638edc
Cloning into '/home/runner/setup-pnpm/node_modules/.bin/store/v3/tmp/_tmp_1886_c2c62726d7df692904a22abcf0638edc'...
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

pnpm: Command failed with exit code 128: /usr/bin/git clone git@github.com:getsentry/fastify-otel.git /home/runner/setup-pnpm/node_modules/.bin/store/v3/tmp/_tmp_1886_c2c62726d7df692904a22abcf0638edc
Cloning into '/home/runner/setup-pnpm/node_modules/.bin/store/v3/tmp/_tmp_1886_c2c62726d7df692904a22abcf0638edc'...
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
    at makeError (/home/runner/setup-pnpm/node_modules/.pnpm/pnpm@9.15.4/node_modules/pnpm/dist/pnpm.cjs:17875:17)
    at handlePromise (/home/runner/setup-pnpm/node_modules/.pnpm/pnpm@9.15.4/node_modules/pnpm/dist/pnpm.cjs:18446:33)
    at process.processTicksAndRejections (node:internal/process/task_queues:[10](https://github.com/change/corgi/actions/runs/15026969483/job/42230030476?pr=16015#step:6:11)5:5)
    at async execGit (/home/runner/setup-pnpm/node_modules/.pnpm/pnpm@9.15.4/node_modules/pnpm/dist/pnpm.cjs:[11](https://github.com/change/corgi/actions/runs/15026969483/job/42230030476?pr=16015#step:6:12)4213:7)
    at async gitFetcher (/home/runner/setup-pnpm/node_modules/.pnpm/pnpm@9.15.4/node_modules/pnpm/dist/pnpm.cjs:114168:11)
    at async fetcher (/home/runner/setup-pnpm/node_modules/.pnpm/pnpm@9.15.4/node_modules/pnpm/dist/pnpm.cjs:[13](https://github.com/change/corgi/actions/runs/15026969483/job/42230030476?pr=16015#step:6:14)3730:16)
    at async run (/home/runner/setup-pnpm/node_modules/.pnpm/pnpm@9.15.4/node_modules/pnpm/dist/pnpm.cjs:133180:23)
Error: Process completed with exit code 1.

This might be related to #16295.

Expected Result

pnpm i should work on dependabot PRs.

Actual Result

pnpm i fails on dependabot PRs.

[jlowcs]

My guess is that it is somehow related to #16287

[jlowcs]

possibly related: dependabot/dependabot-core#10124

[jlowcs]

They're suggesting a workaround by adding a ssh key just for the purpose of pnpm being able to clone, but it's a bit hacky imho.

[andreiborza]

Hi @jlowcs, thanks for bringing this up. Tricky one, seems to be a pnpm issue but we'll need to think of possible alternatives.

That being said, we are not expecting to push many updates to that fork. It's also a temporary fork until our next major where we'll switch back to installing the upstream package.

I know it's not satisfactory but my only suggestion for now is to fix the lockfile manually.

[jlowcs]

After bumping Sentry to the latest version, it seems to have fixed the issue. The dependabot PRs are now passing the CI without issues. I don't know if it's the Sentry bump or if it's a change on dependabot's side that fixed it though.