renovate 40.0.0-next.16 → 40.0.0-next.18

package/dist/config/decrypt.d.ts

@@ -1,3 +1,5 @@
 import type { RenovateConfig } from './types';
 export declare function tryDecrypt(privateKey: string, encryptedStr: string, repository: string, keyName: string): Promise<string | null>;
-export declare function decryptConfig(config: RenovateConfig, repository: string): Promise<RenovateConfig>;
+export declare function validateDecryptedValue(decryptedObjStr: string, repository: string): string | null;
+export declare function decryptConfig(config: RenovateConfig, repository: string, existingPath?: string): Promise<RenovateConfig>;
+export declare function getAzureCollection(): string | undefined;

package/dist/config/decrypt.js

@@ -1,7 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.tryDecrypt = tryDecrypt;
+exports.validateDecryptedValue = validateDecryptedValue;
 exports.decryptConfig = decryptConfig;
+exports.getAzureCollection = getAzureCollection;
 const tslib_1 = require("tslib");
 const is_1 = tslib_1.__importDefault(require("@sindresorhus/is"));
 const error_messages_1 = require("../constants/error-messages");
@@ -59,6 +61,14 @@ function validateDecryptedValue(decryptedObjStr, repository) {
             error.validationError = `Encrypted value in config is missing a scope.`;
             throw error;
         }
+        const repositories = [repository.toUpperCase()];
+        const azureCollection = getAzureCollection();
+        if (is_1.default.nonEmptyString(azureCollection)) {
+            // used for full 'org/project/repo' matching
+            repositories.push(`${azureCollection}/${repository}`.toUpperCase());
+            // used for org prefix matching without repo
+            repositories.push(`${azureCollection}/*/`.toUpperCase());
+        }
         const orgPrefixes = org
             .split(',')
             .map((o) => o.trim())
@@ -66,8 +76,10 @@ function validateDecryptedValue(decryptedObjStr, repository) {
             .map((o) => (0, url_1.ensureTrailingSlash)(o));
         if (is_1.default.nonEmptyString(repo)) {
             const scopedRepos = orgPrefixes.map((orgPrefix) => `${orgPrefix}${repo}`.toUpperCase());
-            if (scopedRepos.some((r) => r === repository.toUpperCase())) {
-                return value;
+            for (const rp of repositories) {
+                if (scopedRepos.some((r) => r === rp)) {
+                    return value;
+                }
             }
             logger_1.logger.debug({ scopedRepos }, 'Secret is scoped to a different repository');
             const error = new Error('config-validation');
@@ -76,8 +88,13 @@ function validateDecryptedValue(decryptedObjStr, repository) {
             throw error;
         }
         // no scoped repos, only org
-        if (orgPrefixes.some((orgPrefix) => repository.toUpperCase().startsWith(orgPrefix))) {
-            return value;
+        const azcol = azureCollection === undefined
+            ? undefined
+            : (0, url_1.ensureTrailingSlash)(azureCollection).toUpperCase();
+        for (const rp of repositories) {
+            if (orgPrefixes.some((orgPrefix) => rp.startsWith(orgPrefix) && orgPrefix !== azcol)) {
+                return value;
+            }
         }
         logger_1.logger.debug({ orgPrefixes }, 'Secret is scoped to a different org');
         const error = new Error('config-validation');
@@ -90,21 +107,22 @@ function validateDecryptedValue(decryptedObjStr, repository) {
     }
     return null;
 }
-async function decryptConfig(config, repository) {
+async function decryptConfig(config, repository, existingPath = '$') {
     logger_1.logger.trace({ config }, 'decryptConfig()');
     const decryptedConfig = { ...config };
     const privateKey = global_1.GlobalConfig.get('privateKey');
     const privateKeyOld = global_1.GlobalConfig.get('privateKeyOld');
     for (const [key, val] of Object.entries(config)) {
         if (key === 'encrypted' && is_1.default.object(val)) {
-            logger_1.logger.debug({ config: val }, 'Found encrypted config');
+            const path = `${existingPath}.${key}`;
+            logger_1.logger.debug({ config: val }, `Found encrypted config in ${path}`);
             const encryptedWarning = global_1.GlobalConfig.get('encryptedWarning');
             if (is_1.default.string(encryptedWarning)) {
                 logger_1.logger.once.warn(encryptedWarning);
             }
             if (privateKey) {
                 for (const [eKey, eVal] of Object.entries(val)) {
-                    logger_1.logger.debug('Trying to decrypt ' + eKey);
+                    logger_1.logger.debug(`Trying to decrypt ${eKey} in ${path}`);
                     let decryptedStr = await tryDecrypt(privateKey, eVal, repository, eKey);
                     if (privateKeyOld && !is_1.default.nonEmptyString(decryptedStr)) {
                         logger_1.logger.debug(`Trying to decrypt with old private key`);
@@ -115,7 +133,7 @@ async function decryptConfig(config, repository) {
                         error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;
                         throw error;
                     }
-                    logger_1.logger.debug(`Decrypted ${eKey}`);
+                    logger_1.logger.debug(`Decrypted ${eKey} in ${path}`);
                     if (eKey === 'npmToken') {
                         const token = decryptedStr.replace((0, regex_1.regEx)(/\n$/), '');
                         decryptedConfig[eKey] = token;
@@ -149,9 +167,10 @@ Refer to migration documents here: https://docs.renovatebot.com/mend-hosted/migr
         }
         else if (is_1.default.array(val)) {
             decryptedConfig[key] = [];
-            for (const item of val) {
+            for (const [index, item] of val.entries()) {
                 if (is_1.default.object(item) && !is_1.default.array(item)) {
-                    decryptedConfig[key].push(await decryptConfig(item, repository));
+                    const path = `${existingPath}.${key}[${index}]`;
+                    decryptedConfig[key].push(await decryptConfig(item, repository, path));
                 }
                 else {
                     decryptedConfig[key].push(item);
@@ -159,11 +178,35 @@ Refer to migration documents here: https://docs.renovatebot.com/mend-hosted/migr
             }
         }
         else if (is_1.default.object(val) && key !== 'content') {
-            decryptedConfig[key] = await decryptConfig(val, repository);
+            const path = `${existingPath}.${key}`;
+            decryptedConfig[key] = await decryptConfig(val, repository, path);
         }
     }
     delete decryptedConfig.encrypted;
     logger_1.logger.trace({ config: decryptedConfig }, 'decryptedConfig');
     return decryptedConfig;
 }
+function getAzureCollection() {
+    const platform = global_1.GlobalConfig.get('platform');
+    if (platform !== 'azure') {
+        return undefined;
+    }
+    const endpoint = global_1.GlobalConfig.get('endpoint');
+    const endpointUrl = (0, url_1.parseUrl)(endpoint);
+    if (endpointUrl === null) {
+        // should not happen
+        logger_1.logger.warn({ endpoint }, 'Unable to parse endpoint for token decryption');
+        return undefined;
+    }
+    const azureCollection = (0, url_1.trimSlashes)(endpointUrl.pathname);
+    if (!is_1.default.nonEmptyString(azureCollection)) {
+        logger_1.logger.debug({ endpoint }, 'Unable to find azure collection name from URL');
+        return undefined;
+    }
+    if (azureCollection.startsWith('tfs/')) {
+        // Azure DevOps Server
+        return azureCollection.substring(4);
+    }
+    return azureCollection;
+}
 //# sourceMappingURL=decrypt.js.map

package/dist/config/decrypt.js.map

@@ -1 +1 @@
-{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../../lib/config/decrypt.ts"],"names":[],"mappings":";;AAgBA,gCAmCC;AAsED,sCAyFC;;AAlND,kEAAkC;AAClC,gEAAgE;AAChE,sCAAmC;AACnC,yCAAsC;AACtC,+CAA0D;AAC1D,qCAAkD;AAClD,2CAAkD;AAClD,6CAG0B;AAC1B,+CAAsD;AACtD,qCAAwC;AACxC,qCAA2C;AAGpC,KAAK,UAAU,UAAU,CAC9B,UAAkB,EAClB,YAAoB,EACpB,UAAkB,EAClB,OAAe;IAEf,IAAI,YAAY,GAAkB,IAAI,CAAC;IACvC,IAAI,UAAU,EAAE,UAAU,CAAC,uCAAuC,CAAC,EAAE,CAAC;QACpE,MAAM,eAAe,GACnB,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,MAAM;YAC3C,CAAC,CAAC,MAAM,IAAA,2BAAiB,EAAC,UAAU,EAAE,YAAY,CAAC;YACnD,CAAC,CAAC,MAAM,IAAA,uBAAe,EAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QACtD,IAAI,eAAe,EAAE,CAAC;YACpB,YAAY,GAAG,sBAAsB,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;SAAM,CAAC;QACN,YAAY,GAAG,IAAA,mCAA0B,EAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QACpE,IAAI,YAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;YAC5B,eAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,EACX,6FAA6F,CAC9F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,YAAY,GAAG,IAAA,iCAAwB,EAAC,UAAU,EAAE,YAAY,CAAC,CAAC;YAClE,mCAAmC;YACnC,IAAI,YAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC5B,eAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,EACX,2FAA2F,CAC5F,CAAC;YACJ,CAAC;YACD,oBAAoB;QACtB,CAAC;IACH,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,sBAAsB,CAC7B,eAAuB,EACvB,UAAkB;IAElB,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,wBAAe,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAChE,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,KAAK,CAAC,eAAe,GAAG,mCAAmC,CAAC;YAC5D,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC;QAExD,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,KAAK,CAAC,eAAe,GAAG,+CAA+C,CAAC;YACxE,MAAM,KAAK,CAAC;QACd,CAAC;QAED,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,KAAK,CAAC,eAAe,GAAG,+CAA+C,CAAC;YACxE,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,WAAW,GAAG,GAAG;aACpB,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;aAC3B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAA,yBAAmB,EAAC,CAAC,CAAC,CAAC,CAAC;QAEtC,IAAI,YAAE,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAChD,GAAG,SAAS,GAAG,IAAI,EAAE,CAAC,WAAW,EAAE,CACpC,CAAC;YACF,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,UAAU,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBAC5D,OAAO,KAAK,CAAC;YACf,CAAC;YACD,eAAM,CAAC,KAAK,CACV,EAAE,WAAW,EAAE,EACf,4CAA4C,CAC7C,CAAC;YACF,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1C,KAAK,CAAC,eAAe,GAAG,0DAA0D,WAAW,IAAI,CAAC;YAClG,MAAM,KAAK,CAAC;QACd,CAAC;QAED,4BAA4B;QAC5B,IACE,WAAW,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAC7B,UAAU,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,CAC/C,EACD,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,eAAM,CAAC,KAAK,CAAC,EAAE,WAAW,EAAE,EAAE,qCAAqC,CAAC,CAAC;QACrE,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1C,KAAK,CAAC,eAAe,GAAG,mDAAmD,WAAW,IAAI,CAAC;QAC3F,MAAM,KAAK,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,eAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,kCAAkC,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAEM,KAAK,UAAU,aAAa,CACjC,MAAsB,EACtB,UAAkB;IAElB,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC;IAC5C,MAAM,eAAe,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;IACtC,MAAM,UAAU,GAAG,qBAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,aAAa,GAAG,qBAAY,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACxD,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,IAAI,GAAG,KAAK,WAAW,IAAI,YAAE,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,wBAAwB,CAAC,CAAC;YAExD,MAAM,gBAAgB,GAAG,qBAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YAC9D,IAAI,YAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAChC,eAAM,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YACrC,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/C,eAAM,CAAC,KAAK,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAAC;oBAC1C,IAAI,YAAY,GAAG,MAAM,UAAU,CACjC,UAAU,EACV,IAAI,EACJ,UAAU,EACV,IAAI,CACL,CAAC;oBACF,IAAI,aAAa,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,CAAC;wBACtD,eAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;wBACvD,YAAY,GAAG,MAAM,UAAU,CAC7B,aAAa,EACb,IAAI,EACJ,UAAU,EACV,IAAI,CACL,CAAC;oBACJ,CAAC;oBACD,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,CAAC;wBACrC,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;wBAC7C,KAAK,CAAC,eAAe,GAAG,2BAA2B,IAAI,oCAAoC,CAAC;wBAC5F,MAAM,KAAK,CAAC;oBACd,CAAC;oBACD,eAAM,CAAC,KAAK,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC;oBAClC,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;wBACxB,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,IAAA,aAAK,EAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;wBACrD,eAAe,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;wBAC9B,IAAA,iCAAsB,EAAC,KAAK,CAAC,CAAC;oBAChC,CAAC;yBAAM,CAAC;wBACN,eAAe,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC;wBACrC,IAAA,iCAAsB,EAAC,YAAY,CAAC,CAAC;oBACvC,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,IAAI,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,MAAM,EAAE,CAAC;oBACvD,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,kCAAiB,CAAC,CAAC;oBAC3C,KAAK,CAAC,gBAAgB,GAAG,QAAQ,CAAC;oBAClC,KAAK,CAAC,eAAe,GAAG,8BAA8B,CAAC;oBACvD,KAAK,CAAC,iBAAiB,GAAG,4DAA4D,GAAG,sJAAsJ,CAAC;oBAChP,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;wBACvC,KAAK,CAAC,iBAAiB,GAAG;;;+FAGyD,CAAC;oBACtF,CAAC;oBACD,MAAM,KAAK,CAAC;gBACd,CAAC;qBAAM,CAAC;oBACN,eAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YACD,OAAO,eAAe,CAAC,SAAS,CAAC;QACnC,CAAC;aAAM,IAAI,YAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YAC1B,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;gBACvB,IAAI,YAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,YAAE,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;oBACtC,eAAe,CAAC,GAAG,CAAsB,CAAC,IAAI,CAC7C,MAAM,aAAa,CAAC,IAAsB,EAAE,UAAU,CAAC,CACxD,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACL,eAAe,CAAC,GAAG,CAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;aAAM,IAAI,YAAE,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC/C,eAAe,CAAC,GAAG,CAAC,GAAG,MAAM,aAAa,CACxC,GAAqB,EACrB,UAAU,CACX,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,eAAe,CAAC,SAAS,CAAC;IACjC,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,EAAE,iBAAiB,CAAC,CAAC;IAC7D,OAAO,eAAe,CAAC;AACzB,CAAC","sourcesContent":["import is from '@sindresorhus/is';\nimport { CONFIG_VALIDATION } from '../constants/error-messages';\nimport { logger } from '../logger';\nimport { regEx } from '../util/regex';\nimport { addSecretForSanitizing } from '../util/sanitize';\nimport { ensureTrailingSlash } from '../util/url';\nimport { tryDecryptKbPgp } from './decrypt/kbpgp';\nimport {\n  tryDecryptPublicKeyDefault,\n  tryDecryptPublicKeyPKCS1,\n} from './decrypt/legacy';\nimport { tryDecryptOpenPgp } from './decrypt/openpgp';\nimport { GlobalConfig } from './global';\nimport { DecryptedObject } from './schema';\nimport type { RenovateConfig } from './types';\n\nexport async function tryDecrypt(\n  privateKey: string,\n  encryptedStr: string,\n  repository: string,\n  keyName: string,\n): Promise<string | null> {\n  let decryptedStr: string | null = null;\n  if (privateKey?.startsWith('-----BEGIN PGP PRIVATE KEY BLOCK-----')) {\n    const decryptedObjStr =\n      process.env.RENOVATE_X_USE_OPENPGP === 'true'\n        ? await tryDecryptOpenPgp(privateKey, encryptedStr)\n        : await tryDecryptKbPgp(privateKey, encryptedStr);\n    if (decryptedObjStr) {\n      decryptedStr = validateDecryptedValue(decryptedObjStr, repository);\n    }\n  } else {\n    decryptedStr = tryDecryptPublicKeyDefault(privateKey, encryptedStr);\n    if (is.string(decryptedStr)) {\n      logger.warn(\n        { keyName },\n        'Encrypted value is using deprecated default padding, please change to using PGP encryption.',\n      );\n    } else {\n      decryptedStr = tryDecryptPublicKeyPKCS1(privateKey, encryptedStr);\n      /* v8 ignore start: not testable */\n      if (is.string(decryptedStr)) {\n        logger.warn(\n          { keyName },\n          'Encrypted value is using deprecated PKCS1 padding, please change to using PGP encryption.',\n        );\n      }\n      /* v8 ignore stop */\n    }\n  }\n  return decryptedStr;\n}\n\nfunction validateDecryptedValue(\n  decryptedObjStr: string,\n  repository: string,\n): string | null {\n  try {\n    const decryptedObj = DecryptedObject.safeParse(decryptedObjStr);\n    if (!decryptedObj.success) {\n      const error = new Error('config-validation');\n      error.validationError = `Could not parse decrypted config.`;\n      throw error;\n    }\n\n    const { o: org, r: repo, v: value } = decryptedObj.data;\n\n    if (!is.nonEmptyString(value)) {\n      const error = new Error('config-validation');\n      error.validationError = `Encrypted value in config is missing a value.`;\n      throw error;\n    }\n\n    if (!is.nonEmptyString(org)) {\n      const error = new Error('config-validation');\n      error.validationError = `Encrypted value in config is missing a scope.`;\n      throw error;\n    }\n\n    const orgPrefixes = org\n      .split(',')\n      .map((o) => o.trim())\n      .map((o) => o.toUpperCase())\n      .map((o) => ensureTrailingSlash(o));\n\n    if (is.nonEmptyString(repo)) {\n      const scopedRepos = orgPrefixes.map((orgPrefix) =>\n        `${orgPrefix}${repo}`.toUpperCase(),\n      );\n      if (scopedRepos.some((r) => r === repository.toUpperCase())) {\n        return value;\n      }\n      logger.debug(\n        { scopedRepos },\n        'Secret is scoped to a different repository',\n      );\n      const error = new Error('config-validation');\n      const scopeString = scopedRepos.join(',');\n      error.validationError = `Encrypted secret is scoped to a different repository: \"${scopeString}\".`;\n      throw error;\n    }\n\n    // no scoped repos, only org\n    if (\n      orgPrefixes.some((orgPrefix) =>\n        repository.toUpperCase().startsWith(orgPrefix),\n      )\n    ) {\n      return value;\n    }\n    logger.debug({ orgPrefixes }, 'Secret is scoped to a different org');\n    const error = new Error('config-validation');\n    const scopeString = orgPrefixes.join(',');\n    error.validationError = `Encrypted secret is scoped to a different org: \"${scopeString}\".`;\n    throw error;\n  } catch (err) {\n    logger.warn({ err }, 'Could not parse decrypted string');\n  }\n  return null;\n}\n\nexport async function decryptConfig(\n  config: RenovateConfig,\n  repository: string,\n): Promise<RenovateConfig> {\n  logger.trace({ config }, 'decryptConfig()');\n  const decryptedConfig = { ...config };\n  const privateKey = GlobalConfig.get('privateKey');\n  const privateKeyOld = GlobalConfig.get('privateKeyOld');\n  for (const [key, val] of Object.entries(config)) {\n    if (key === 'encrypted' && is.object(val)) {\n      logger.debug({ config: val }, 'Found encrypted config');\n\n      const encryptedWarning = GlobalConfig.get('encryptedWarning');\n      if (is.string(encryptedWarning)) {\n        logger.once.warn(encryptedWarning);\n      }\n\n      if (privateKey) {\n        for (const [eKey, eVal] of Object.entries(val)) {\n          logger.debug('Trying to decrypt ' + eKey);\n          let decryptedStr = await tryDecrypt(\n            privateKey,\n            eVal,\n            repository,\n            eKey,\n          );\n          if (privateKeyOld && !is.nonEmptyString(decryptedStr)) {\n            logger.debug(`Trying to decrypt with old private key`);\n            decryptedStr = await tryDecrypt(\n              privateKeyOld,\n              eVal,\n              repository,\n              eKey,\n            );\n          }\n          if (!is.nonEmptyString(decryptedStr)) {\n            const error = new Error('config-validation');\n            error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;\n            throw error;\n          }\n          logger.debug(`Decrypted ${eKey}`);\n          if (eKey === 'npmToken') {\n            const token = decryptedStr.replace(regEx(/\\n$/), '');\n            decryptedConfig[eKey] = token;\n            addSecretForSanitizing(token);\n          } else {\n            decryptedConfig[eKey] = decryptedStr;\n            addSecretForSanitizing(decryptedStr);\n          }\n        }\n      } else {\n        if (process.env.RENOVATE_X_ENCRYPTED_STRICT === 'true') {\n          const error = new Error(CONFIG_VALIDATION);\n          error.validationSource = 'config';\n          error.validationError = 'Encrypted config unsupported';\n          error.validationMessage = `This config contains an encrypted object at location \\`$.${key}\\` but no privateKey is configured. To support encrypted config, the Renovate administrator must configure a \\`privateKey\\` in Global Configuration.`;\n          if (process.env.MEND_HOSTED === 'true') {\n            error.validationMessage = `Mend-hosted Renovate Apps no longer support the use of encrypted secrets in Renovate file config (e.g. renovate.json).\nPlease migrate all secrets to the Developer Portal using the web UI available at https://developer.mend.io/\n\nRefer to migration documents here: https://docs.renovatebot.com/mend-hosted/migrating-secrets/`;\n          }\n          throw error;\n        } else {\n          logger.error('Found encrypted data but no privateKey');\n        }\n      }\n      delete decryptedConfig.encrypted;\n    } else if (is.array(val)) {\n      decryptedConfig[key] = [];\n      for (const item of val) {\n        if (is.object(item) && !is.array(item)) {\n          (decryptedConfig[key] as RenovateConfig[]).push(\n            await decryptConfig(item as RenovateConfig, repository),\n          );\n        } else {\n          (decryptedConfig[key] as unknown[]).push(item);\n        }\n      }\n    } else if (is.object(val) && key !== 'content') {\n      decryptedConfig[key] = await decryptConfig(\n        val as RenovateConfig,\n        repository,\n      );\n    }\n  }\n  delete decryptedConfig.encrypted;\n  logger.trace({ config: decryptedConfig }, 'decryptedConfig');\n  return decryptedConfig;\n}\n"]}
+{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../../lib/config/decrypt.ts"],"names":[],"mappings":";;AAgBA,gCAmCC;AAED,wDAqFC;AAED,sCA8FC;AAED,gDAyBC;;AArQD,kEAAkC;AAClC,gEAAgE;AAChE,sCAAmC;AACnC,yCAAsC;AACtC,+CAA0D;AAC1D,qCAAyE;AACzE,2CAAkD;AAClD,6CAG0B;AAC1B,+CAAsD;AACtD,qCAAwC;AACxC,qCAA2C;AAGpC,KAAK,UAAU,UAAU,CAC9B,UAAkB,EAClB,YAAoB,EACpB,UAAkB,EAClB,OAAe;IAEf,IAAI,YAAY,GAAkB,IAAI,CAAC;IACvC,IAAI,UAAU,EAAE,UAAU,CAAC,uCAAuC,CAAC,EAAE,CAAC;QACpE,MAAM,eAAe,GACnB,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,MAAM;YAC3C,CAAC,CAAC,MAAM,IAAA,2BAAiB,EAAC,UAAU,EAAE,YAAY,CAAC;YACnD,CAAC,CAAC,MAAM,IAAA,uBAAe,EAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QACtD,IAAI,eAAe,EAAE,CAAC;YACpB,YAAY,GAAG,sBAAsB,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;SAAM,CAAC;QACN,YAAY,GAAG,IAAA,mCAA0B,EAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QACpE,IAAI,YAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;YAC5B,eAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,EACX,6FAA6F,CAC9F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,YAAY,GAAG,IAAA,iCAAwB,EAAC,UAAU,EAAE,YAAY,CAAC,CAAC;YAClE,mCAAmC;YACnC,IAAI,YAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC5B,eAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,EACX,2FAA2F,CAC5F,CAAC;YACJ,CAAC;YACD,oBAAoB;QACtB,CAAC;IACH,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAgB,sBAAsB,CACpC,eAAuB,EACvB,UAAkB;IAElB,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,wBAAe,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAChE,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,KAAK,CAAC,eAAe,GAAG,mCAAmC,CAAC;YAC5D,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC;QAExD,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,KAAK,CAAC,eAAe,GAAG,+CAA+C,CAAC;YACxE,MAAM,KAAK,CAAC;QACd,CAAC;QAED,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,KAAK,CAAC,eAAe,GAAG,+CAA+C,CAAC;YACxE,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,YAAY,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAAC;QAEhD,MAAM,eAAe,GAAG,kBAAkB,EAAE,CAAC;QAC7C,IAAI,YAAE,CAAC,cAAc,CAAC,eAAe,CAAC,EAAE,CAAC;YACvC,4CAA4C;YAC5C,YAAY,CAAC,IAAI,CAAC,GAAG,eAAe,IAAI,UAAU,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;YACpE,4CAA4C;YAC5C,YAAY,CAAC,IAAI,CAAC,GAAG,eAAe,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,WAAW,GAAG,GAAG;aACpB,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;aAC3B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAA,yBAAmB,EAAC,CAAC,CAAC,CAAC,CAAC;QAEtC,IAAI,YAAE,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAChD,GAAG,SAAS,GAAG,IAAI,EAAE,CAAC,WAAW,EAAE,CACpC,CAAC;YACF,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;gBAC9B,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;oBACtC,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAED,eAAM,CAAC,KAAK,CACV,EAAE,WAAW,EAAE,EACf,4CAA4C,CAC7C,CAAC;YACF,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1C,KAAK,CAAC,eAAe,GAAG,0DAA0D,WAAW,IAAI,CAAC;YAClG,MAAM,KAAK,CAAC;QACd,CAAC;QAED,4BAA4B;QAC5B,MAAM,KAAK,GACT,eAAe,KAAK,SAAS;YAC3B,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,IAAA,yBAAmB,EAAC,eAAe,CAAC,CAAC,WAAW,EAAE,CAAC;QACzD,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;YAC9B,IACE,WAAW,CAAC,IAAI,CACd,CAAC,SAAS,EAAE,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,SAAS,KAAK,KAAK,CAC/D,EACD,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,eAAM,CAAC,KAAK,CAAC,EAAE,WAAW,EAAE,EAAE,qCAAqC,CAAC,CAAC;QACrE,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1C,KAAK,CAAC,eAAe,GAAG,mDAAmD,WAAW,IAAI,CAAC;QAC3F,MAAM,KAAK,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,eAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,kCAAkC,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAEM,KAAK,UAAU,aAAa,CACjC,MAAsB,EACtB,UAAkB,EAClB,YAAY,GAAG,GAAG;IAElB,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC;IAC5C,MAAM,eAAe,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;IACtC,MAAM,UAAU,GAAG,qBAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,aAAa,GAAG,qBAAY,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACxD,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,IAAI,GAAG,KAAK,WAAW,IAAI,YAAE,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,GAAG,GAAG,YAAY,IAAI,GAAG,EAAE,CAAC;YACtC,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,6BAA6B,IAAI,EAAE,CAAC,CAAC;YAEnE,MAAM,gBAAgB,GAAG,qBAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YAC9D,IAAI,YAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAChC,eAAM,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YACrC,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/C,eAAM,CAAC,KAAK,CAAC,qBAAqB,IAAI,OAAO,IAAI,EAAE,CAAC,CAAC;oBACrD,IAAI,YAAY,GAAG,MAAM,UAAU,CACjC,UAAU,EACV,IAAI,EACJ,UAAU,EACV,IAAI,CACL,CAAC;oBACF,IAAI,aAAa,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,CAAC;wBACtD,eAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;wBACvD,YAAY,GAAG,MAAM,UAAU,CAC7B,aAAa,EACb,IAAI,EACJ,UAAU,EACV,IAAI,CACL,CAAC;oBACJ,CAAC;oBACD,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,CAAC;wBACrC,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;wBAC7C,KAAK,CAAC,eAAe,GAAG,2BAA2B,IAAI,oCAAoC,CAAC;wBAC5F,MAAM,KAAK,CAAC;oBACd,CAAC;oBACD,eAAM,CAAC,KAAK,CAAC,aAAa,IAAI,OAAO,IAAI,EAAE,CAAC,CAAC;oBAC7C,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;wBACxB,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,IAAA,aAAK,EAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;wBACrD,eAAe,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;wBAC9B,IAAA,iCAAsB,EAAC,KAAK,CAAC,CAAC;oBAChC,CAAC;yBAAM,CAAC;wBACN,eAAe,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC;wBACrC,IAAA,iCAAsB,EAAC,YAAY,CAAC,CAAC;oBACvC,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,IAAI,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,MAAM,EAAE,CAAC;oBACvD,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,kCAAiB,CAAC,CAAC;oBAC3C,KAAK,CAAC,gBAAgB,GAAG,QAAQ,CAAC;oBAClC,KAAK,CAAC,eAAe,GAAG,8BAA8B,CAAC;oBACvD,KAAK,CAAC,iBAAiB,GAAG,4DAA4D,GAAG,sJAAsJ,CAAC;oBAChP,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;wBACvC,KAAK,CAAC,iBAAiB,GAAG;;;+FAGyD,CAAC;oBACtF,CAAC;oBACD,MAAM,KAAK,CAAC;gBACd,CAAC;qBAAM,CAAC;oBACN,eAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YACD,OAAO,eAAe,CAAC,SAAS,CAAC;QACnC,CAAC;aAAM,IAAI,YAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YAC1B,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC1C,IAAI,YAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,YAAE,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvC,MAAM,IAAI,GAAG,GAAG,YAAY,IAAI,GAAG,IAAI,KAAK,GAAG,CAAC;oBAC/C,eAAe,CAAC,GAAG,CAAsB,CAAC,IAAI,CAC7C,MAAM,aAAa,CAAC,IAAsB,EAAE,UAAU,EAAE,IAAI,CAAC,CAC9D,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACL,eAAe,CAAC,GAAG,CAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;aAAM,IAAI,YAAE,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC/C,MAAM,IAAI,GAAG,GAAG,YAAY,IAAI,GAAG,EAAE,CAAC;YACtC,eAAe,CAAC,GAAG,CAAC,GAAG,MAAM,aAAa,CACxC,GAAqB,EACrB,UAAU,EACV,IAAI,CACL,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,eAAe,CAAC,SAAS,CAAC;IACjC,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,EAAE,iBAAiB,CAAC,CAAC;IAC7D,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,SAAgB,kBAAkB;IAChC,MAAM,QAAQ,GAAG,qBAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC9C,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,QAAQ,GAAG,qBAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC9C,MAAM,WAAW,GAAG,IAAA,cAAQ,EAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QACzB,oBAAoB;QACpB,eAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,EAAE,+CAA+C,CAAC,CAAC;QAC3E,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,eAAe,GAAG,IAAA,iBAAW,EAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAC1D,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,eAAe,CAAC,EAAE,CAAC;QACxC,eAAM,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,EAAE,+CAA+C,CAAC,CAAC;QAC5E,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,eAAe,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACvC,sBAAsB;QACtB,OAAO,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,eAAe,CAAC;AACzB,CAAC","sourcesContent":["import is from '@sindresorhus/is';\nimport { CONFIG_VALIDATION } from '../constants/error-messages';\nimport { logger } from '../logger';\nimport { regEx } from '../util/regex';\nimport { addSecretForSanitizing } from '../util/sanitize';\nimport { ensureTrailingSlash, parseUrl, trimSlashes } from '../util/url';\nimport { tryDecryptKbPgp } from './decrypt/kbpgp';\nimport {\n  tryDecryptPublicKeyDefault,\n  tryDecryptPublicKeyPKCS1,\n} from './decrypt/legacy';\nimport { tryDecryptOpenPgp } from './decrypt/openpgp';\nimport { GlobalConfig } from './global';\nimport { DecryptedObject } from './schema';\nimport type { RenovateConfig } from './types';\n\nexport async function tryDecrypt(\n  privateKey: string,\n  encryptedStr: string,\n  repository: string,\n  keyName: string,\n): Promise<string | null> {\n  let decryptedStr: string | null = null;\n  if (privateKey?.startsWith('-----BEGIN PGP PRIVATE KEY BLOCK-----')) {\n    const decryptedObjStr =\n      process.env.RENOVATE_X_USE_OPENPGP === 'true'\n        ? await tryDecryptOpenPgp(privateKey, encryptedStr)\n        : await tryDecryptKbPgp(privateKey, encryptedStr);\n    if (decryptedObjStr) {\n      decryptedStr = validateDecryptedValue(decryptedObjStr, repository);\n    }\n  } else {\n    decryptedStr = tryDecryptPublicKeyDefault(privateKey, encryptedStr);\n    if (is.string(decryptedStr)) {\n      logger.warn(\n        { keyName },\n        'Encrypted value is using deprecated default padding, please change to using PGP encryption.',\n      );\n    } else {\n      decryptedStr = tryDecryptPublicKeyPKCS1(privateKey, encryptedStr);\n      /* v8 ignore start: not testable */\n      if (is.string(decryptedStr)) {\n        logger.warn(\n          { keyName },\n          'Encrypted value is using deprecated PKCS1 padding, please change to using PGP encryption.',\n        );\n      }\n      /* v8 ignore stop */\n    }\n  }\n  return decryptedStr;\n}\n\nexport function validateDecryptedValue(\n  decryptedObjStr: string,\n  repository: string,\n): string | null {\n  try {\n    const decryptedObj = DecryptedObject.safeParse(decryptedObjStr);\n    if (!decryptedObj.success) {\n      const error = new Error('config-validation');\n      error.validationError = `Could not parse decrypted config.`;\n      throw error;\n    }\n\n    const { o: org, r: repo, v: value } = decryptedObj.data;\n\n    if (!is.nonEmptyString(value)) {\n      const error = new Error('config-validation');\n      error.validationError = `Encrypted value in config is missing a value.`;\n      throw error;\n    }\n\n    if (!is.nonEmptyString(org)) {\n      const error = new Error('config-validation');\n      error.validationError = `Encrypted value in config is missing a scope.`;\n      throw error;\n    }\n\n    const repositories = [repository.toUpperCase()];\n\n    const azureCollection = getAzureCollection();\n    if (is.nonEmptyString(azureCollection)) {\n      // used for full 'org/project/repo' matching\n      repositories.push(`${azureCollection}/${repository}`.toUpperCase());\n      // used for org prefix matching without repo\n      repositories.push(`${azureCollection}/*/`.toUpperCase());\n    }\n\n    const orgPrefixes = org\n      .split(',')\n      .map((o) => o.trim())\n      .map((o) => o.toUpperCase())\n      .map((o) => ensureTrailingSlash(o));\n\n    if (is.nonEmptyString(repo)) {\n      const scopedRepos = orgPrefixes.map((orgPrefix) =>\n        `${orgPrefix}${repo}`.toUpperCase(),\n      );\n      for (const rp of repositories) {\n        if (scopedRepos.some((r) => r === rp)) {\n          return value;\n        }\n      }\n\n      logger.debug(\n        { scopedRepos },\n        'Secret is scoped to a different repository',\n      );\n      const error = new Error('config-validation');\n      const scopeString = scopedRepos.join(',');\n      error.validationError = `Encrypted secret is scoped to a different repository: \"${scopeString}\".`;\n      throw error;\n    }\n\n    // no scoped repos, only org\n    const azcol =\n      azureCollection === undefined\n        ? undefined\n        : ensureTrailingSlash(azureCollection).toUpperCase();\n    for (const rp of repositories) {\n      if (\n        orgPrefixes.some(\n          (orgPrefix) => rp.startsWith(orgPrefix) && orgPrefix !== azcol,\n        )\n      ) {\n        return value;\n      }\n    }\n    logger.debug({ orgPrefixes }, 'Secret is scoped to a different org');\n    const error = new Error('config-validation');\n    const scopeString = orgPrefixes.join(',');\n    error.validationError = `Encrypted secret is scoped to a different org: \"${scopeString}\".`;\n    throw error;\n  } catch (err) {\n    logger.warn({ err }, 'Could not parse decrypted string');\n  }\n  return null;\n}\n\nexport async function decryptConfig(\n  config: RenovateConfig,\n  repository: string,\n  existingPath = '$',\n): Promise<RenovateConfig> {\n  logger.trace({ config }, 'decryptConfig()');\n  const decryptedConfig = { ...config };\n  const privateKey = GlobalConfig.get('privateKey');\n  const privateKeyOld = GlobalConfig.get('privateKeyOld');\n  for (const [key, val] of Object.entries(config)) {\n    if (key === 'encrypted' && is.object(val)) {\n      const path = `${existingPath}.${key}`;\n      logger.debug({ config: val }, `Found encrypted config in ${path}`);\n\n      const encryptedWarning = GlobalConfig.get('encryptedWarning');\n      if (is.string(encryptedWarning)) {\n        logger.once.warn(encryptedWarning);\n      }\n\n      if (privateKey) {\n        for (const [eKey, eVal] of Object.entries(val)) {\n          logger.debug(`Trying to decrypt ${eKey} in ${path}`);\n          let decryptedStr = await tryDecrypt(\n            privateKey,\n            eVal,\n            repository,\n            eKey,\n          );\n          if (privateKeyOld && !is.nonEmptyString(decryptedStr)) {\n            logger.debug(`Trying to decrypt with old private key`);\n            decryptedStr = await tryDecrypt(\n              privateKeyOld,\n              eVal,\n              repository,\n              eKey,\n            );\n          }\n          if (!is.nonEmptyString(decryptedStr)) {\n            const error = new Error('config-validation');\n            error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;\n            throw error;\n          }\n          logger.debug(`Decrypted ${eKey} in ${path}`);\n          if (eKey === 'npmToken') {\n            const token = decryptedStr.replace(regEx(/\\n$/), '');\n            decryptedConfig[eKey] = token;\n            addSecretForSanitizing(token);\n          } else {\n            decryptedConfig[eKey] = decryptedStr;\n            addSecretForSanitizing(decryptedStr);\n          }\n        }\n      } else {\n        if (process.env.RENOVATE_X_ENCRYPTED_STRICT === 'true') {\n          const error = new Error(CONFIG_VALIDATION);\n          error.validationSource = 'config';\n          error.validationError = 'Encrypted config unsupported';\n          error.validationMessage = `This config contains an encrypted object at location \\`$.${key}\\` but no privateKey is configured. To support encrypted config, the Renovate administrator must configure a \\`privateKey\\` in Global Configuration.`;\n          if (process.env.MEND_HOSTED === 'true') {\n            error.validationMessage = `Mend-hosted Renovate Apps no longer support the use of encrypted secrets in Renovate file config (e.g. renovate.json).\nPlease migrate all secrets to the Developer Portal using the web UI available at https://developer.mend.io/\n\nRefer to migration documents here: https://docs.renovatebot.com/mend-hosted/migrating-secrets/`;\n          }\n          throw error;\n        } else {\n          logger.error('Found encrypted data but no privateKey');\n        }\n      }\n      delete decryptedConfig.encrypted;\n    } else if (is.array(val)) {\n      decryptedConfig[key] = [];\n      for (const [index, item] of val.entries()) {\n        if (is.object(item) && !is.array(item)) {\n          const path = `${existingPath}.${key}[${index}]`;\n          (decryptedConfig[key] as RenovateConfig[]).push(\n            await decryptConfig(item as RenovateConfig, repository, path),\n          );\n        } else {\n          (decryptedConfig[key] as unknown[]).push(item);\n        }\n      }\n    } else if (is.object(val) && key !== 'content') {\n      const path = `${existingPath}.${key}`;\n      decryptedConfig[key] = await decryptConfig(\n        val as RenovateConfig,\n        repository,\n        path,\n      );\n    }\n  }\n  delete decryptedConfig.encrypted;\n  logger.trace({ config: decryptedConfig }, 'decryptedConfig');\n  return decryptedConfig;\n}\n\nexport function getAzureCollection(): string | undefined {\n  const platform = GlobalConfig.get('platform');\n  if (platform !== 'azure') {\n    return undefined;\n  }\n\n  const endpoint = GlobalConfig.get('endpoint');\n  const endpointUrl = parseUrl(endpoint);\n  if (endpointUrl === null) {\n    // should not happen\n    logger.warn({ endpoint }, 'Unable to parse endpoint for token decryption');\n    return undefined;\n  }\n\n  const azureCollection = trimSlashes(endpointUrl.pathname);\n  if (!is.nonEmptyString(azureCollection)) {\n    logger.debug({ endpoint }, 'Unable to find azure collection name from URL');\n    return undefined;\n  }\n\n  if (azureCollection.startsWith('tfs/')) {\n    // Azure DevOps Server\n    return azureCollection.substring(4);\n  }\n  return azureCollection;\n}\n"]}

package/dist/config/options/index.js

@@ -1874,7 +1874,7 @@ const options = [
         type: 'string',
         allowedValues: ['auto', 'fast-forward', 'merge-commit', 'rebase', 'squash'],
         default: 'auto',
-        supportedPlatforms: ['azure', 'bitbucket', 'gitea'],
+        supportedPlatforms: ['azure', 'bitbucket', 'gitea', 'github'],
     },
     {
         name: 'automergeComment',