Migrating Secrets from Repo Config to App Settings¶
Use of encrypted secrets in the Mend Renovate cloud apps has been deprecated and soon the apps will stop reading any encrypted secrets from the Renovate configuration file on your repository. Previously, you could encrypt a secret with the Renovate encryption tool and then put it in your Renovate config file.
Going forward, all secrets must be stored in the App settings on the cloud.
They can be referenced from the Renovate config files inside the repo using {{ secrets.SECRET_NAME }}
notation.
Old method¶
This method will stop working on 01-Oct-2024:
{
"hostRules": [
{
"matchHost": "github.com",
"encrypted": {
"token": "drsMDVf6M2hTZCN......+gQm/0Rpw"
}
}
]
}
New method¶
This is the new method, that you should start using:
{
"hostRules": [
{
"matchHost": "github.com",
"token": "{{ secrets.GITHUB_COM_TOKEN }}"
}
]
}
Tips¶
Migrate your secrets in encrypted form¶
Mend recommends that you copy your secrets in their encrypted form when you migrate. The web UI will decrypt and store the value securely.
Do not change the secret during migration¶
Mend also recommends that you do not change the secret during the migration, as this introduces an extra point of failure. After the migration you can of course change/rotate the secret.
Two ways to migrate¶
There are two ways to migrate your secrets:
- Migrate encrypted secrets using the encrypted value
- Migrate encrypted secrets using the plain text value
Mend recommends the first way.
Migrate encrypted secrets using the encrypted value¶
- Copy the encrypted secret from your Renovate config file.
- Go to the correct settings page for your organization or repository in the web UI at developer.mend.io.
- On the Credentials page, select
ADD SECRET
to add the encrypted secret. - Give a value for
Secret name
, paste the encrypted secret into theSecret Value
field, and selectSAVE
. - When you migrate a secret from a repository, make sure you are adding the secret to the same organization or repository for which you generated the secret!
- A secret generated for a specific repository can only be added to that same repository.
- A secret generated for a specific repository can only be added to the repository settings for the matching repository. This secret can not be added to the organization's settings.
- A secret generated without a specific repository can be added into the organization or into the repository settings under that organization.
- If you see the confirmation box with the text: “Successfully migrated secret”, your secret is now stored in the correct organization or repository.
Migrate encrypted secrets using the plain text value¶
- Go to the settings for the correct organization or repository in the web UI at developer.mend.io.
- On the Credentials page, select
ADD SECRET
to add the plaintext secret. - Give a value for
Secret name
, paste the plaintext secret into theSecret Value
field, and selectSAVE
. - Wait for the confirmation dialog: “Successfully stored secret”.
Troubleshooting¶
Are you trying to add the secret to the wrong place?¶
If you accidentally end up in the wrong place, the settings UI will help you:
The confirmation box says "Successfully store secret", what does this mean?¶
If the confirmation box says: “Successfully stored secret” then the secret was not detected as a Renovate encrypted secret. This means the value was treated as plaintext.
If you were expecting to import a secret originally encrypted by Renovate:
- Make sure you are pasting the secret into the correct organization or repository
- Check that you copied the encrypted secret correctly, and try again.