Alert users to migrate deprecated secrets to Portal UI

[justo-mend]

Tell us more.

Several months ago, we began the process of deprecating Renovate-encrypted secrets in Renovate config for Mend-hosted Apps.

• The deprecation was documented in the Mend-hosted Apps section of the RenovateBot docs, and included specific documentation to migrate encrypted secrets to the Developer Portal via the web UI.
• We also provided warnings in the job logs, and in the dependency dashboard for repos that still contain encrypted secrets in their config files.

Despite this, we have identified over 8,000 repos that are still running with encrypted secrets in Renovate file config.
If we stop using encrypted secrets, all of these repos will be negatively affected.
Therefore, we are looking for ways to help alert users who will be affected, and to encourage them to actively migrate their secrets before we fully discontinue the ability to use secrets inside Renovate config.

I'd like to discuss the best ways to help inform those users that they must migrate their secrets if they want to continue running Renovate without failures.

Suggestion: Create an Issue alerting users that encrypted secrets must be migrated
One idea is to create an Issue in each repo that is running with encrypted secrets. Note: this will include repos where the secret is being inherited - ie. through org-level config.
The issue can explain to the user that encrypted secrets can no longer be stored in file-based Renovate config, and that secrets must be migrated to the Developer Portal using the Credentials UI in the portal settings. It can link to the documentation to help provide clear instructions for migrating the secrets.

Along with this, we could add a header to every PR created by Renovate in repos that have encrypted secrets. The header could simply state that there is a problem with the secrets in their config, and provide a link to the Issue that we created for them in their repo.

Does this sound like a good idea?
Are there better suggestions, or additional suggestions?

[HonkingGoose]

I like the special issue as way to alert repository owners.

A special header, plus explanation text in the PR's body text for each PR in the affected repositories is good too.

Make sure to keep the PR title as normal, as the PR title is used in things like Semantic Release bot.

[rarkins]

I suggest:

• Ability for admin to opt into a dedicated "Action Required" secrets migration Issue. The issue should ideally identify if you're using secrets directly (in repo config) or via a preset. It should also have a link to the relevant docs
• Each PR should have an appropriate level of warning in it, linking to the issue. I don't think that the PRs need detail if the issue has it

[rarkins]

I noticed something while prototyping some code for this: decryptConfig() isn't called if the config cache is valid. In other words, the log warning so far only shows on runs after the default branch has received a new commit and then disappears for runs after that.

[Gabriel-Ladzaretti]

I suggest an alternative, generic approach that could be useful in the future, regardless of the specific scenario above. we could implement a feature that creates issues based on a configuration option passed to the cli, acting upon it using a JSONata config query at the repo finalize phase.

For example:

{
  "raiseRepoIssues": [
    {
      "matchJSONata": "",
      "title": "",
      "body": "",
      "autocloseDate": "<TIMESTAMP>"
    }
  ]
}

[rarkins]

I noticed something while prototyping some code for this: decryptConfig() isn't called if the config cache is valid. In other words, the log warning so far only shows on runs after the default branch has received a new commit and then disappears for runs after that.

I cannot reproduce this today, so I'm going to assume I was mistaken when I wrote this.

I took a few random public repos with encrypted secrets and found they all had warnings in their dashboard.

Using https://github.com/dpc-sdp/ripple-lib-starter as an example, and a recent job log

DEBUG: Checking cached config file name
DEBUG: http cache: Using cached response: https://api.github.com/repos/dpc-sdp/ripple-lib-starter/contents/renovate.json from 2024-12-02T16:47:04.974Z
DEBUG: Existing config file confirmed

...

WARN: Encrypted secrets were detected in the repository config. This feature has been deprecated. Please migrate them to this portal. See the guide at http://docs.renovatebot.com/mend-hosted/migrating-secrets/
DEBUG: Trying to decrypt token