feat(config): replace secrets in global config

lib/config/secrets.spec.ts

@@ -65,7 +65,9 @@ describe('config/secrets', () => {
         npmToken: '{{ secrets.ARTIFACTORY_TOKEN }}',
       };
       const res = applySecretsToConfig(config);
-      expect(res).toMatchSnapshot();
+      expect(res).toStrictEqual({
+        npmToken: '123test==',
+      });
       expect(Object.keys(res)).not.toContain('secrets');
     });
     it('replaces secrets in a subobject', () => {
@@ -74,7 +76,11 @@ describe('config/secrets', () => {
         npm: { npmToken: '{{ secrets.ARTIFACTORY_TOKEN }}' },
       };
       const res = applySecretsToConfig(config);
-      expect(res).toMatchSnapshot();
+      expect(res).toStrictEqual({
+        npm: {
+          npmToken: '123test==',
+        },
+      });
       expect(Object.keys(res)).not.toContain('secrets');
     });
     it('replaces secrets in a array of objects', () => {
@@ -85,7 +91,9 @@ describe('config/secrets', () => {
         ],
       };
       const res = applySecretsToConfig(config);
-      expect(res).toMatchSnapshot();
+      expect(res).toStrictEqual({
+        hostRules: [{ hostType: 'npm', token: '123test==' }],
+      });
       expect(Object.keys(res)).not.toContain('secrets');
     });
     it('replaces secrets in a array of strings', () => {
@@ -94,8 +102,36 @@ describe('config/secrets', () => {
         allowedManagers: ['{{ secrets.SECRET_MANAGER }}'],
       };
       const res = applySecretsToConfig(config);
-      expect(res).toMatchSnapshot();
+      expect(res).toStrictEqual({
+        allowedManagers: ['npm'],
+      });
       expect(Object.keys(res)).not.toContain('secrets');
     });
+    it('replaces secrets in a array of objects without deleting them', () => {
+      const config = {
+        secrets: { ARTIFACTORY_TOKEN: '123test==' },
+        hostRules: [
+          { hostType: 'npm', token: '{{ secrets.ARTIFACTORY_TOKEN }}' },
+        ],
+      };
+      const res = applySecretsToConfig(config, config.secrets, false);
+      expect(res).toStrictEqual({
+        secrets: { ARTIFACTORY_TOKEN: '123test==' },
+        hostRules: [{ hostType: 'npm', token: '123test==' }],
+      });
+      expect(Object.keys(res)).toContain('secrets');
+    });
+    it('replaces secrets in a array of strings without deleting them', () => {
+      const config = {
+        secrets: { SECRET_MANAGER: 'npm' },
+        allowedManagers: ['{{ secrets.SECRET_MANAGER }}'],
+      };
+      const res = applySecretsToConfig(config, config.secrets, false);
+      expect(res).toStrictEqual({
+        secrets: { SECRET_MANAGER: 'npm' },
+        allowedManagers: ['npm'],
+      });
+      expect(Object.keys(res)).toContain('secrets');
+    });
   });
 });

lib/config/secrets.ts

@@ -70,7 +70,7 @@ function replaceSecretsInString(
     throw error;
   }
   return value.replace(secretTemplateRegex, (_, secretName) => {
-    if (secrets[secretName]) {
+    if (secrets?.[secretName]) {
       return secrets[secretName];
     }
     const error = new Error(CONFIG_VALIDATION);
@@ -85,21 +85,28 @@ function replaceSecretsInString(
 
 function replaceSecretsinObject(
   config_: RenovateConfig,
-  secrets: Record<string, string> = {}
+  secrets: Record<string, string>,
+  deleteSecrets: boolean
 ): RenovateConfig {
   const config = { ...config_ };
-  delete config.secrets;
+  if (deleteSecrets) {
+    delete config.secrets;
+  }
   for (const [key, value] of Object.entries(config)) {
     if (is.plainObject(value)) {
-      config[key] = replaceSecretsinObject(value, secrets);
+      config[key] = replaceSecretsinObject(value, secrets, deleteSecrets);
     }
     if (is.string(value)) {
       config[key] = replaceSecretsInString(key, value, secrets);
     }
     if (is.array(value)) {
       for (const [arrayIndex, arrayItem] of value.entries()) {
         if (is.plainObject(arrayItem)) {
-          config[key][arrayIndex] = replaceSecretsinObject(arrayItem, secrets);
+          config[key][arrayIndex] = replaceSecretsinObject(
+            arrayItem,
+            secrets,
+            deleteSecrets
+          );
         } else if (is.string(arrayItem)) {
           config[key][arrayIndex] = replaceSecretsInString(
             key,
@@ -115,13 +122,14 @@ function replaceSecretsinObject(
 
 export function applySecretsToConfig(
   config: RenovateConfig,
-  secrets = config.secrets
+  secrets = config.secrets,
+  deleteSecrets = true
 ): RenovateConfig {
   // Add all secrets to be sanitized
   if (is.plainObject(secrets)) {
     for (const secret of Object.values(secrets)) {
       addSecretForSanitizing(String(secret));
     }
   }
-  return replaceSecretsinObject(config, secrets);
+  return replaceSecretsinObject(config, secrets, deleteSecrets);
 }

lib/workers/repository/index.ts

@@ -1,5 +1,6 @@
 import fs from 'fs-extra';
 import { GlobalConfig } from '../../config/global';
+import { applySecretsToConfig } from '../../config/secrets';
 import type { RenovateConfig } from '../../config/types';
 import { pkg } from '../../expose.cjs';
 import { logger, setMeta } from '../../logger';
@@ -23,7 +24,7 @@ export async function renovateRepository(
   canRetry = true
 ): Promise<ProcessResult> {
   splitInit();
-  let config = GlobalConfig.set(repoConfig);
+  let config = GlobalConfig.set(applySecretsToConfig(repoConfig, {}, false));
   await removeDanglingContainers();
   setMeta({ repository: config.repository });
   logger.info({ renovateVersion: pkg.version }, 'Repository started');