feat: add RENOVATE_ prefix to Github com token and env host rules (#34568)

2025-05-14 08:22:26 +00:00 · 2025-03-05 13:54:30 +01:00 · 2025-03-05 13:54:30 +01:00 · 78002a0993
commit 78002a0993
parent a4438fbfb0
9 changed files with 80 additions and 13 deletions
--- a/docs/usage/examples/self-hosting.md
+++ b/docs/usage/examples/self-hosting.md
@ -84,7 +84,7 @@ metadata:
  name: renovate-env
 type: Opaque
 stringData:
-  GITHUB_COM_TOKEN: 'any-personal-user-token-for-github-com-for-fetching-changelogs'
+  RENOVATE_GITHUB_COM_TOKEN: 'any-personal-user-token-for-github-com-for-fetching-changelogs'
  # You can set RENOVATE_AUTODISCOVER to true to run Renovate on all repos you have push access to
  RENOVATE_AUTODISCOVER: 'false'
  RENOVATE_ENDPOINT: 'https://github.company.com/api/v3'
@ -162,7 +162,7 @@ If you are using CircleCI, you can use the third-party [daniel-shuy/renovate](ht

 By default, the orb looks for the self-hosted configuration file in the project root, but you can specify another path to the configuration file with the `config_file_path` parameter.

-Secrets should be configured using environment variables (e.g. `RENOVATE_TOKEN`, `GITHUB_COM_TOKEN`).
+Secrets should be configured using environment variables (e.g. `RENOVATE_TOKEN`, `RENOVATE_GITHUB_COM_TOKEN`).

 [Configure environment variables in CircleCI Project Settings](https://circleci.com/docs/2.0/env-vars/#setting-an-environment-variable-in-a-project).
 To share environment variables across projects, use [CircleCI Contexts](https://circleci.com/docs/2.0/contexts/).
@ -263,7 +263,7 @@ Most people use `cron` to schedule when Renovate runs, usually on an hourly sche
 export PATH="/home/user/.yarn/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH"
 export RENOVATE_CONFIG_FILE="/home/user/renovate-config.js"
 export RENOVATE_TOKEN="**some-token**" # GitHub, GitLab, Azure DevOps
-export GITHUB_COM_TOKEN="**github-token**" # Delete this if using github.com
+export RENOVATE_GITHUB_COM_TOKEN="**github-token**" # Delete this if using github.com

 # Renovate
 renovate
@ -331,7 +331,7 @@ metadata:
  namespace: <namespace>
 type: Opaque
 stringData:
-  GITHUB_COM_TOKEN: 'any-personal-user-token-for-github-com-for-fetching-changelogs'
+  RENOVATE_GITHUB_COM_TOKEN: 'any-personal-user-token-for-github-com-for-fetching-changelogs'
  RENOVATE_AUTODISCOVER: 'false'
  RENOVATE_ENDPOINT: 'https://github.company.com/api/v3'
  RENOVATE_GIT_AUTHOR: 'Renovate Bot <bot@renovateapp.com>'
--- a/docs/usage/getting-started/private-packages.md
+++ b/docs/usage/getting-started/private-packages.md
@ -154,7 +154,11 @@ It can be confusing for people who host their own source code privately to be as
 Currently the preferred way to configure `github.com` credentials for self-hosted Renovate is:

 - Create a read-only Personal Access Token (PAT) for a `github.com` account. This can be any GitHub account, but we recommend you create an "empty" account for this purpose.
- Add the PAT to Renovate using the environment variable `GITHUB_COM_TOKEN`
+- Add the PAT to Renovate using the environment variable `RENOVATE_GITHUB_COM_TOKEN`
+
+<!-- prettier-ignore -->
+!!! note
+    `GITHUB_COM_TOKEN` is still parsed and takes precedence over `RENOVATE_GITHUB_COM_TOKEN`, but is considered deprecated and will be removed in a future major update.

 ## Package Manager Credentials for Artifact Updating

@ -605,7 +609,7 @@ If you need to provide credentials to the Mend Renovate App, please do this:
     "hostRules": [
       {
         "matchHost": "github.com",
-         "token": "{{ secrets.GITHUB_COM_TOKEN }}"
+         "token": "{{ secrets.RENOVATE_GITHUB_COM_TOKEN }}"
       }
     ]
   }
--- a/docs/usage/getting-started/running.md
+++ b/docs/usage/getting-started/running.md
@ -211,7 +211,7 @@ Read the platform-specific docs to learn how to setup authentication on your pla

 ### GitHub.com token for changelogs

-If you are running on any platform except github.com, you should also set the environment variable `GITHUB_COM_TOKEN` and put the Personal Access Token for github.com in it.
+If you are running on any platform except github.com, you should also set the environment variable `RENOVATE_GITHUB_COM_TOKEN` and put the Personal Access Token for github.com in it.
 This account can be _any_ account on GitHub, and needs only `read-only` access.
 It's used when fetching changelogs for repositories in order to increase the hourly API limit.
 It's also OK to configure the same as a host rule instead, if you prefer that.
--- a/docs/usage/self-hosted-configuration.md
+++ b/docs/usage/self-hosted-configuration.md
@ -501,6 +501,7 @@ If found, it will be imported into `config.npmrc` with `config.npmrcMerge` set t

 The format of the environment variables must follow:

+- `RENOVATE_` prefix (at the moment this prefix optional, but usage of prefix will be required in the future)
 - Datasource name (e.g. `NPM`, `PYPI`) or Platform name (only `GITHUB`)
 - Underscore (`_`)
 - `matchHost` (note: only domains or subdomains are supported - not `https://` URLs or anything with forward slashes)
@ -777,7 +778,7 @@ Possible values:

 ## githubTokenWarn

-By default, Renovate logs and displays a warning when the `GITHUB_COM_TOKEN` is not set.
+By default, Renovate logs and displays a warning when the `RENOVATE_GITHUB_COM_TOKEN` is not set.
 By setting `githubTokenWarn` to `false`, Renovate suppresses these warnings on Pull Requests, etc.
 Disabling the warning is helpful for self-hosted environments that can't access the `github.com` domain, because the warning is useless in these environments.

--- a/lib/modules/platform/azure/readme.md
+++ b/lib/modules/platform/azure/readme.md
@ -108,7 +108,7 @@ module.exports = {
    },
    {
      matchHost: 'github.com',
-      token: process.env.GITHUB_COM_TOKEN,
+      token: process.env.RENOVATE_GITHUB_COM_TOKEN,
    },
  ],
  repositories: ['YOUR-PROJECT/YOUR-REPO'],
--- a/lib/workers/global/config/parse/env.spec.ts
+++ b/lib/workers/global/config/parse/env.spec.ts
@ -179,6 +179,41 @@ describe('workers/global/config/parse/env', () => {
      });
    });

+    it('supports RENOVATE_ prefixed github com token', async () => {
+      const envParam: NodeJS.ProcessEnv = {
+        RENOVATE_GITHUB_COM_TOKEN: 'github_pat_XXXXXX',
+        RENOVATE_TOKEN: 'a github.com token',
+      };
+      expect(await env.getConfig(envParam)).toEqual({
+        token: 'a github.com token',
+        hostRules: [
+          {
+            hostType: 'github',
+            matchHost: 'github.com',
+            token: 'github_pat_XXXXXX',
+          },
+        ],
+      });
+    });
+
+    it('GITHUB_COM_TOKEN takes precedence over RENOVATE_GITHUB_COM_TOKEN', async () => {
+      const envParam: NodeJS.ProcessEnv = {
+        GITHUB_COM_TOKEN: 'github_pat_XXXXXX',
+        RENOVATE_GITHUB_COM_TOKEN: 'github_pat_YYYYYY',
+        RENOVATE_TOKEN: 'a github.com token',
+      };
+      expect(await env.getConfig(envParam)).toEqual({
+        token: 'a github.com token',
+        hostRules: [
+          {
+            hostType: 'github',
+            matchHost: 'github.com',
+            token: 'github_pat_XXXXXX',
+          },
+        ],
+      });
+    });
+
    it('supports GitHub custom endpoint and gitlab.com', async () => {
      const envParam: NodeJS.ProcessEnv = {
        RENOVATE_ENDPOINT: 'a ghe endpoint',
--- a/lib/workers/global/config/parse/env.ts
+++ b/lib/workers/global/config/parse/env.ts
@ -202,12 +202,13 @@ export async function getConfig(
    }
  }

-  if (env.GITHUB_COM_TOKEN) {
+  const githubComToken = env.GITHUB_COM_TOKEN ?? env.RENOVATE_GITHUB_COM_TOKEN;
+  if (githubComToken) {
    logger.debug(`Converting GITHUB_COM_TOKEN into a global host rule`);
    config.hostRules.push({
      hostType: 'github',
      matchHost: 'github.com',
-      token: env.GITHUB_COM_TOKEN,
+      token: githubComToken,
    });
  }

--- a/lib/workers/global/config/parse/host-rules-from-env.spec.ts
+++ b/lib/workers/global/config/parse/host-rules-from-env.spec.ts
@ -52,6 +52,28 @@ describe('workers/global/config/parse/host-rules-from-env', () => {
    ]);
  });

+  it('support RENOVATE_ prefixed host rules', () => {
+    const envParam: NodeJS.ProcessEnv = {
+      RENOVATE_GITHUB__TAGS_GITHUB_COM_TOKEN: 'some-token',
+    };
+
+    expect(hostRulesFromEnv(envParam)).toMatchObject([
+      { matchHost: 'github.com', token: 'some-token' },
+    ]);
+  });
+
+  it('supports renovate in the env variable', () => {
+    const envParam: NodeJS.ProcessEnv = {
+      PYPI_MY_RENOVATE_HOST_PASSWORD: 'some-password',
+      RENOVATE_DOCKER_MY_RENOVATE_HOST_PASSWORD: 'docker-password',
+    };
+
+    expect(hostRulesFromEnv(envParam)).toMatchObject([
+      { matchHost: 'my.renovate.host', password: 'some-password' },
+      { matchHost: 'my.renovate.host', password: 'docker-password' },
+    ]);
+  });
+
  it('support https authentication options', () => {
    const envParam: NodeJS.ProcessEnv = {
      GITHUB_SOME_GITHUB__ENTERPRISE_HOST_HTTPSPRIVATEKEY: 'private-key',
--- a/lib/workers/global/config/parse/host-rules-from-env.ts
+++ b/lib/workers/global/config/parse/host-rules-from-env.ts
@ -61,7 +61,7 @@ export function hostRulesFromEnv(env: NodeJS.ProcessEnv): HostRule[] {
  const npmEnvPrefixes = ['npm_config_', 'npm_lifecycle_', 'npm_package_'];

  for (const envName of Object.keys(env).sort()) {
-    if (envName === 'GITHUB_COM_TOKEN') {
+    if (['GITHUB_COM_TOKEN', 'RENOVATE_GITHUB_COM_TOKEN'].includes(envName)) {
      continue;
    }
    if (npmEnvPrefixes.some((prefix) => envName.startsWith(prefix))) {
@ -69,7 +69,11 @@ export function hostRulesFromEnv(env: NodeJS.ProcessEnv): HostRule[] {
      continue;
    }
    // Double underscore __ is used in place of hyphen -
-    const splitEnv = envName.toLowerCase().replace(/__/g, '-').split('_');
+    const splitEnv = envName
+      .replace(/^RENOVATE_/, '')
+      .toLowerCase()
+      .replace(/__/g, '-')
+      .split('_');
    const hostType = splitEnv.shift()!;
    if (
      datasources.has(hostType) ||