Renovate Enterprise - Encrypting Credentials for Private Registry Dependency Resolution

Introduction

Renovate Enterprise, as it is self-hosted, requires the generation of a public/private GPG keypair to use for storing encrypted credentials in repositories. This allows Renovate to decrypt those credentials and then use them for accessing private registries. Below are instructions on how to complete this process.

Generating a GPG key

  1. Use GPG to generate a key with the command gpg --full-generate-key and follow the prompts. Mend Renovate does not support a passphrase on this key; the name and email are not important.

    1. Copy the key ID from the output (or run gpg --list-secret-keys if you did not copy it). This is the ID of your public key.

    2. Run the following command to export your public key to a file: gpg --armor --export <public_key_id> > renovate_public_key.asc

    3. Run the following command to export your private key to a file: gpg --armor --export-secret-keys <public_key_id> > renovate_private_key.asc

  2. Add your private key to the RENOVATES_PRIVATE_KEY environment variable in the renovate worker configuration. To store this in the environment variable properly, make sure all newlines are replaced with \n.

  3. Generate the encrypted secret with the tool at https://github.com/mend-toolkit/mend-examples/tree/main/Repo-Integration/Encryption, providing the following inputs:

    1. ORGANIZATION: Your GitHub organization / Bitbucket Group / Azure DevOps Organization etc.

    2. REPOSITORY: This is required only if the encrypted credentials will be stored directly on the repository being scanned by Renovate.

    3. SECRET_VALUE: The credential (password or token) to encrypt.

    4. PUBLIC_KEY_FILE: The file where you exported your public key.

  4. Add a hostRule in your renovate.json or config.js file containing the encrypted secret. The fields the hostRule needs depend on the type of secret that was encrypted:

    1. Password - include the username as a plain field, with the password inside the encrypted block.

    2. Token (e.g. a Personal Access Token) - include no username; the token goes inside the encrypted block.

Password example:

JSON
{
  "hostRules": [
    {
      "matchHost": "<your registry URL>",
      "username": "<your username>",
      "encrypted": {
        "password": "<your encrypted secret>"
      }
    }
  ]
}

Token example:

JSON
{
  "hostRules": [
    {
      "matchHost": "<your registry URL>",
      "encrypted": {
        "token": "<your encrypted secret>"
      }
    }
  ]
}

Verify that the credentials work by initiating a Renovate scan and confirming that dependencies are pulled from the expected location. A good way to do this is to check the URL from which each package is fetched in the “HTTP Statistics” log output.
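As an added example (not Mend's or Renovate's own code), the helpers below cover two of the steps above: escaping the exported private key into the single-line form the worker environment variable needs (step 2), and building or linting hostRules so that a password always sits beside a username and a token never does, with nothing left in plaintext outside the encrypted block (step 4). The host names, the dummy key text and the placeholder encrypted values are constructed.

```python
import json
from typing import Optional

# Constructed stand-in for an exported armored private key; not real key material.
SAMPLE_ARMORED_KEY = (
    "-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
    "\n"
    "lQdGBGExampleKeyMaterialOnly0000\n"
    "=AbCd\n"
    "-----END PGP PRIVATE KEY BLOCK-----\n"
)

def escape_private_key_for_env(armored_key: str) -> str:
    """Collapse the multi-line armored export onto one line: every newline
    (CRLF normalised first) becomes a literal backslash-n, as the worker expects."""
    return armored_key.replace("\r\n", "\n").replace("\n", "\\n")

def unescape_private_key(env_value: str) -> str:
    """Inverse of escape_private_key_for_env, used to check the round trip."""
    return env_value.replace("\\n", "\n")

def build_host_rule(match_host: str, encrypted_secret: str, kind: str,
                    username: Optional[str] = None) -> dict:
    """Return a hostRule in the shape Renovate expects for the secret type:
    a password needs a plaintext username next to the encrypted block,
    a token must not carry a username at all."""
    if kind == "password":
        if not username:
            raise ValueError("password secrets need a username")
        return {"matchHost": match_host, "username": username,
                "encrypted": {"password": encrypted_secret}}
    if kind == "token":
        if username is not None:
            raise ValueError("token secrets must not carry a username")
        return {"matchHost": match_host, "encrypted": {"token": encrypted_secret}}
    raise ValueError(f"unknown secret kind: {kind}")

def lint_host_rules(config: dict) -> list:
    """Flag hostRules that would commit a credential in plaintext or that mix
    up the password and token shapes."""
    problems = []
    for i, rule in enumerate(config.get("hostRules", [])):
        enc = rule.get("encrypted", {})
        for field in ("password", "token"):
            if field in rule:
                problems.append(f"hostRules[{i}]: plaintext '{field}' outside 'encrypted'")
        if "password" in enc and "username" not in rule:
            problems.append(f"hostRules[{i}]: encrypted password without a username")
        if "token" in enc and "username" in rule:
            problems.append(f"hostRules[{i}]: token rule should not have a username")
    return problems
```

Run `lint_host_rules` over your renovate.json before committing it; an empty list means every credential is inside an encrypted block and matches the username rule for its type.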
