Properly support base64 encoding of SSH keys in gitPrivateKey

[ldobbelsteen]

Tell us more.

Currently, encoding your GPG key in base64 is supported both in both the privateKey and gitPrivateKey settings. Consider this snippet from the linked documentation of privateKey:

Base64 Encoding Support
Renovate supports base64-encoded private keys for easier handling in environment variables or configuration files. Simply provide the base64-encoded version of your private key, and Renovate will automatically detect and decode it. This works for both GPG and SSH private keys.

This is a very nice feature! However, I was having trouble earlier loading an SSH key that is encoded in base64 in its entirety (and not just the contents between the header and footer, which in the OpenSSH format is always encoded in base64) into gitPrivateKey. After looking at the code responsible for gitPrivateKey (not sure about privateKey), I could conclude that base64 encoded SSH keys are not supported by gitPrivateKey at this moment. This is because the type of the key (either SSH or GPG) is determined using the sshKeyRegex regular expression BEFORE decoding the key from base64. Thus this regex will currently never match for SSH keys, causing them to be interpreted as GPG keys. Then AFTER being determined to be a GPG key, it would be decoded from base64. This caused errors in our Renovate runs that the GPG key was incorrect (which makes sense since it's actually a decoded SSH key).

A simple solution without affecting current behavior in my eyes would be to move the decoding logic to BEFORE the regex is run on the key. Not sure what the desired behavior or support is, but the documentation and code currently are a bit ambiguous.