Fetching gitlab submodules now fails with 403. oauth2 is stripped from URL.

[uncycler]

How are you running Renovate?

Self-hosted

Please select which platform you are using if self-hosting.

No response

If you're self-hosting Renovate, tell us what version of Renovate you run.

27.5.0

Describe the bug

Since this PR was merged: #11615, fetching submodule fails with 403 errors on gitlab.

The debug logs looks ok, but right after, renovate is asking for a password showing the token in cleartext.

DEBUG: Found hostRules token for url https://oauth2:**redacted**@gitlab.example.com/myrepo.git
Password for 'https://Jy-5rWxLGyPRisfs9ZNt@gitlab.example.com': 

Reverting #11615 fix this issue.

Relevant debug logs

Logs

Copy/paste any log here, between the starting and ending backticks

Have you created a minimal reproduction repository?

No reproduction repository

[anthonyroussel]

Hello
Thanks! I am also affected by this issue unfortunately.
A short-term resolution was to rollback Renovate to v26.21.2.

[github-actions]

Hi there,

Help us by making a minimal reproduction repository.

Before we can start work on your issue we first need to know exactly what's causing the current behavior. A minimal reproduction helps us with this.

To get started, please read our guide on creating a minimal reproduction to understand what is needed.

We may close the issue if you (or someone else) have not provided a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment.

Good luck,

The Renovate team

[rarkins]

There's not enough information in this bug report so far to identify why the problem is occurring or if it was a scenario we planned to support in the first place or just supported accidentally. Rolling back #11615 may cause other problems.

[uncycler]

I've setup a test repository to trigger this issue. Just replace with a gitlab.com access token.

git clone git@gitlab.com:uncycler/renovate-11710.git
cd renovate-11710
docker run -it -e RENOVATE_TOKEN=<PAT> -e RENOVATE_CONFIG_FILE=config.js -v $(pwd):/renovate renovate/renovate:27.6.1 /bin/bash
cd /renovate && renovate

You should get a password prompt:

 INFO: Repository started (repository=uncycler/renovate-11710)
       "renovateVersion": "27.6.1"
 INFO: Fallback to renovate.json file as a preset is deprecated, please use a default.json file instead. (repository=uncycler/renovate-11710)
Password for 'https://<PAT>@gitlab.com':

Regarding #11615, pushing typedPlatformRule before platformRule fix the issue.. :

  returnConfig.hostRules = returnConfig.hostRules || [];
  const typedPlatformRule = {
    ...platformRule,
    hostType: returnConfig.platform,
  };
  returnConfig.hostRules.push(typedPlatformRule);
  hostRules.add(typedPlatformRule);
  returnConfig.hostRules.push(platformRule);
  hostRules.add(platformRule);

[renovate-release]

🎉 This issue has been resolved in version 27.6.3 🎉

The release is available on:

• GitHub release
• 27.6.3

Your semantic-release bot 📦🚀

[renovate-release]

🎉 This issue has been resolved in version 27.9.1 🎉

The release is available on:

• GitHub release
• 27.9.1

Your semantic-release bot 📦🚀