renovatebot / config-help

Please use the Discussions feature of https://github.com/renovatebot/renovate instead
https://github.com/renovatebot/renovate/discussions
MIT License

Grant Renovate access to private composer package without exposing credentials #945

Closed marijoo closed 4 years ago

marijoo commented 4 years ago

Which Renovate are you using?

WhiteSource Renovate App

Which platform are you using?

GitHub.com

Have you checked the logs? Don't forget to include them if relevant

Yes, I figured out what does not work with the help of the logs, but struggle to find out what would work. ;-)

What would you like to do?

I want to give Renovate access to a private composer package without pushing secrets to the repository.

I did encrypt my npm auth token to authenticate npm packages by adding something like this, which works fine:

"encrypted": {
    "npmToken": "ta+8LWaDeWclTeixDH87Ta65RA6U..."
}

But the same thing does not seem to work for composer. I tried to add a hostRule like this, where I tried to include login and password encrypted directly as well as in the encrypted object like above (which gives me a syntax error). I also tried to encrypt the whole hostRules array and add it to encrypted.hostRules, but this does not work either.

"hostRules": [{
    "hostName": "composer.host.com",
    "username": "<login>",
    "password": "<password>"
}]

Could someone elaborate on how to pass encrypted credentials? GitHub secrets do not seem to be passed down to renovate, do they? Thank you! 🙏

rarkins commented 4 years ago

Does your username need encrypting? If not then use this approach:

"hostRules": [{
    "hostName": "composer.host.com",
    "username": "<login>",
    "encrypted": {
      "password": "<encrypted-password>"
    }
}]

If both, then I think the following should hopefully work:

"hostRules": [{
    "hostName": "composer.host.com",
    "encrypted": {
      "username": "<encrypted-login>",
      "password": "<encrypted-password>"
    }
}]

BTW it can be good for you to test with the CLI using non-encrypted credentials first to make sure the credentials actually work. Try that if the above still doesn't work, because there are a few moving parts and it's hard to know which might not be working.

GitHub secrets do not seem to be passed down to renovate, do they?

No, they're not.

marijoo commented 4 years ago

Thank you for the blazing fast reply. Unfortunately the credentials do not seem to be taken into account.

Would the logs tell me if credentials were used when trying to access nova.laravel.com?

Failed to download laravel/nova from dist:
  The 'https://nova.laravel.com/dist/laravel/nova/laravel-nova-xxx.zip'
URL could not be accessed: HTTP/1.1 403 Forbidden
Now trying to download from source
  - Installing laravel/nova (v3.13.0): Cloning xxxxxxxxxxx

[RuntimeException]
Failed to execute git clone --no-checkout 'https://**redacted**:***@github.com/laravel/nova.git'

In composer.json I have:

"repositories": [
    {
        "type": "composer",
        "url": "https://nova.laravel.com"
    }
]

In renovate.json I have this (at the root):

"hostRules": [{
    "hostName": "nova.laravel.com",
    "username": "<username>",
    "encrypted": {
        "password": "<encrypted-password>"
    }
}],

rarkins commented 4 years ago

Would the logs tell me if credentials were used when trying to access nova.laravel.com?

It would need to be Composer logs, so I'm not sure.

Sorry, I think I left out one important field to make sure the credentials are passed to Composer, please try instead this:

"hostRules": [{
    "hostName": "nova.laravel.com",
    "hostType": "packagist",
    "username": "<username>",
    "encrypted": {
        "password": "<encrypted-password>"
    }
}],

FYI here is the logic we're trying to trigger: https://github.com/renovatebot/renovate/blob/66b0265b46026dc51ef54e6791e40edf9c8da469/lib/manager/composer/artifacts.ts#L56-L91
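A small lint for the two mistakes this thread works through (credentials committed in plaintext inside hostRules, and a rule for a Composer repository that lacks hostType: packagist, so Composer never receives the credentials). This is an added example, not part of the thread or of Renovate's own code; the composer.json and renovate.json contents are constructed to mirror the snippets above.

```python
import json
from urllib.parse import urlparse

# Constructed inputs modelled on the thread: a private Composer repository
# and a renovate.json before and after the fix rarkins suggested.
COMPOSER_JSON = """{"repositories": [
  {"type": "composer", "url": "https://nova.laravel.com"}]}"""

RENOVATE_BEFORE = """{"hostRules": [{
  "hostName": "nova.laravel.com",
  "username": "<username>",
  "password": "<password>"}]}"""

RENOVATE_AFTER = """{"hostRules": [{
  "hostName": "nova.laravel.com",
  "hostType": "packagist",
  "username": "<username>",
  "encrypted": {"password": "<encrypted-password>"}}]}"""

# Fields that must never appear in plaintext in a committed renovate.json.
SECRET_FIELDS = ("password", "token")


def composer_hosts(composer_json: str) -> set:
    """Hostnames of every 'composer'-type repository in composer.json."""
    repos = json.loads(composer_json).get("repositories", [])
    return {urlparse(r["url"]).hostname for r in repos if r.get("type") == "composer"}


def check_host_rules(renovate_json: str, hosts: set) -> list:
    """Return human-readable findings; an empty list means the config looks right."""
    rules = json.loads(renovate_json).get("hostRules", [])
    findings, covered = [], set()
    for rule in rules:
        host = rule.get("hostName")
        # A plaintext secret at the rule's top level is committed to the repo.
        for field in SECRET_FIELDS:
            if field in rule:
                findings.append(f"{host}: '{field}' is plaintext; move it under 'encrypted'")
        if host in hosts:
            covered.add(host)
            # Without hostType packagist the rule is not handed to Composer.
            if rule.get("hostType") != "packagist":
                findings.append(f"{host}: missing 'hostType': 'packagist'")
    for host in hosts - covered:
        findings.append(f"{host}: composer repository has no hostRule")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", RENOVATE_BEFORE), ("after", RENOVATE_AFTER)):
        print(name, check_host_rules(cfg, composer_hosts(COMPOSER_JSON)))
```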

marijoo commented 4 years ago

Wow, this was the missing piece. Thank you very much!

Maybe this could be clarified in the docs? Let me know if I can help. ✊🏻

rarkins commented 4 years ago

Maybe this could be clarified in the docs? Let me know if I can help. ✊🏻

I would love if you can clarify it in the docs!

Here would probably be best: https://github.com/renovatebot/renovate/blob/master/docs/usage/php.md

marijoo commented 4 years ago

I created a PR – hope this is helpful. Don’t hesitate to respond back if not.