Skip to content

Using secrets with Mend cloud Apps

The information on this page is for the Mend-hosted cloud apps:

  • Renovate App on GitHub
  • Mend App on Bitbucket
  • Mend App on Azure DevOps

If you self-host, you can skip reading this page.

⚠ Migrate secrets in your Renovate config file ⚠

Use of encrypted secrets in the Mend Renovate cloud apps has been deprecated and soon the apps will stop reading secrets from the Renovate config file in your repository. You must migrate any secrets you currently keep in the Renovate config file, and put them in the app settings page on developer.mend.io. To add secrets you must have admin-level rights.

Read Migrating encrypted secrets from Repo Config to App Settings to learn more.

Managing secrets for the Mend-hosted cloud apps

This section explains how you manage secrets for the Mend-hosted cloud apps. If you self-host you do not need this section.

Adding a secret

To add a secret for the Mend cloud app:

  1. Go to the web UI at developer.mend.io.
  2. Open your organization/repository settings.
  3. Put the secret in the Credentials section:

Credentials settings page

  1. Reference the secret from Renovate config files inside the repo. Alternatively, you can use the Host Rules UI (see below).
{
  "hostRules": [
    {
      "matchHost": "github.com",
      "token": "{{ secrets.MY_ORG_SECRET }}"
    }
  ]
}

Adding a host rule through the UI

You can centrally add/configure Host Rules through the Mend UI as an alternative to including them in Renovate presets.

  1. Open the Credentials section of the settings page for the relevant Org or Repo.
  2. Select ADD HOST RULE to open the "Add a Host Rule" dialog box.

Add Host Rule

  1. Fill out the details for your host rule.

As an example, if you are a Bitbucket or Azure DevOps user, and you want to specify a github.com token to fetch release notes and enable github-based datasources, you could create a host rule like this:

Host Rules dialog box

Organization secrets vs repository secrets

Secret scope

Secrets can be scoped to your organization or to your repository:

Secret scoped to your What will happen?
Organization Secrets are inherited by all repositories in your organization
Repository Secrets are referenced by that repository only

Make changes on the right page

The web UI has two settings pages. One page is for the organization, and the other page is for the repository.

Make sure you're making the changes on the right page!

Example

Credentials from the repository settings page

The screenshot shows inherited organization secrets and specific repository secrets.

Managing organization-level secrets

The Installed Repositories table means you are on your organization's page. Select the Settings button to manage your organization secrets:

organization settings button

Managing repository-level secrets

The Recent jobs table means you are on your repository's page. Select the Settings button to manage your repository secrets:

repository settings button