Renovate: Renovate picks wrong / default(?) repo path for shared config if configured with encrypted npmToken and npmrc

Created on 3 Mar 2020 · 105 Comments · Source: renovatebot/renovate

What Renovate type are you using?


GitHub App

Describe the bug


We have a shared config in a private GitHub repo. Other repos reference this and Renovate does its excellent job. Since we host packages in the private GitHub Package registry, we added a PAT (encrypted as advised in the docs) as the encrypted npmToken and the GitHub registry as npmrc properties to the renovate.json file in repos which use those private packages.

With that extended config, Renovate does not load the config from the private repo anymore but tries to load a config from a different (assumed) repo: renovate-config-config which does not exist - because, well, our shared config repo is named differently...

This leads to a Preset fetch error and in the end to the error message

Repository has invalid config
{
  "error": {
    "validationError": "Cannot find preset's package (config:base). Note: this is a *nested* preset so please contact the preset author if you are unable to fix it yourself."
  }
}

Did you see anything helpful in debug logs?

The "migrated configs" in both examples are correct; they name the correct extends value.

Fail in Job-ID: #147773735

DEBUG: Dependency lookup failure: unauthorized
{
  "pkgUrl": "https://npm.pkg.github.com/ourOrgName/renovate-config-config",
   ...

Here, IMO unauthorized is the normal response from GitHub which is also raised, when a (private) repo does not exist.

Working example: Job-ID #147793369; same extends in renovate.json as in above example; but only this property.

To Reproduce

Working renovate.json:

{
    "extends": [
        "github> ourOrgName/bar-renovate-presets"
    ]
}

Failing renovate.json:

{
    "extends": ["github>ourOrgName/bar-renovate-presets"],
    "encrypted": {
        "npmToken": "foo=="
    },
    "npmrc": "//npm.pkg.github.com/:_authToken=${NPM_TOKEN}\nregistry=https://npm.pkg.github.com/ourOrgName"
}

Additional context

priority-2-important bug

All 105 comments

It's failing, because you override the default npm registry. So renovate will try to resolve all npm packages from GitHub registry.

So the solution would be to scope your GitHub org and only forward those packages to GitHub registry.

Eg: publish presets as @ourOrgName/renovate-config, reference as @ourOrgName:preset-name.

Configure scoped registry: https://docs.npmjs.com/using-npm/scope.html

@viceice
The shared config is not published as a package, but as a repository; it's not loaded from a registry.

The repo with the working renovate.json has the same .npmrc file as the failing one. The npmrc config in the failing renovate.json is also the same (besides the token variable which is NPM_TOKEN there). So, both are pointing to the same registry.

This line in your .npmrc tells Renovate to use GitHub for all packages:

registry=https://npm.pkg.github.com/ourOrgName

If Renovate does exactly that, then it's behaving per design/per configuration and there is no mistake.

If it's not using that registry when it's defined within a preset, it could be because the .npmrc value is only getting loaded after Renovate has already checked the normal presets. Neither is a mistake and @viceice is right - you should be using scoped package names.

@rarkins thanks. I don't get it. Do you mean, that the shared config has to be provided and referenced as a package instead of a repo, if the renovate.json contains the npmrc property?

The documentation advises to use the repo approach: "An additional benefit of using source code hosting is that the same token/authentication can be reused by Renovate in case you want to make your config private."

If it's not using that registry when it's defined within a preset, it could be because the .npmrc value is only getting loaded after Renovate has already checked the normal presets.

Since the extends points to a repo, not to a package, why does Renovate try to load a package?

Your npmrc is wrong because the registry= line is too general. The failure happens as soon as Renovate attempts to retrieve an npm package not hosted on GitHub. I'm guessing you reference at least one in your custom preset.

Yes, the preset references config:base and :semanticCommitTypeAll(chore) where config:base is loaded from the package renovate-config-config (right?).

The failure happens as soon as Renovate attempts to retrieve an npm package not hosted on GitHub.

GitHub Packages registry routes/caches requests to npm automatically. With exactly the same npmrc I can npm i renovate-config-config without a problem. It's fetched from/through the GitHub registry.

Can the problem be reproduced using purely public repos? If we uncover a bug in Renovate then we can move this issue back to the main repo

If only can be reproduced using private then that's a useful data point too, just makes it a little harder to troubleshoot

I created a shared config in a public repo and referenced it in renovate.json in the private repo.
With npmrc in renovate.json, it fails (job id #148002695).
Without npmrc it works (job id #148002786).

So, same behaviour. No difference, if the shared config is private or public.

Can you describe how you generate the GitHub Packages token?

One more thing : please try running the Renovate CLI against this same repo using a personal access token for auth. Does it fail when the npmrc is defined in renovate.json?

Can you describe how you generate the GitHub Packages token?

It's a "normal" Personal Access Token with the scopes "read:packages, repo" which is crypted via https://renovatebot.com/encrypt

I installed the Renovate CLI, but didn't get this to work in any way. This is a different behaviour from running the Renovate GitHub App where the renovate.json with just the "extends" property works and Renovate loads the config source code from the private repo.

To make sure, the basic private access works, I issued the command RENOVATE_TOKEN=*** npm i @orgName/private-package with the following .npmrc:

//npm.pkg.github.com/:_authToken=${RENOVATE_TOKEN}
registry=https://npm.pkg.github.com/orgName

This works; package gets installed from GitHub registry.

Whatever combination I tried with the CLI, does not work. With/without .npmrc file, with/without npmToken and/or npmrc properties in renovate.json. I also tried passing the token via ENV variables and directly (uncrypted) in npmToken.

Further observation:
I set "--log-level trace" but the first log line is "INFO: Throwing preset error" which is IMO thrown here. But the traces from L151, L166 or L105 are not printed. If a non-existing RENOVATE_CONFIG_FILE is passed, a lot of info is printed (and a default config is loaded; no error, that the passed config does not exist).

@maplesteve if you run with LOG_LEVEL=trace in env then the trace logging will kick in much earlier. When it's run via CLI it only starts once the CLI and other config parsing is complete, whereas LOG_LEVEL in env gets checked during logger initialization.

@rarkins The CLI fails while it tries to fetch the shared config; I think it doesn't do the auth with the GitHub API correctly (or at all).
So the CLI approach won't help us here. Do you have any other idea how to make this work with the Renovate GitHub App?

You would need a PAT with access to both repos. With reproduction I can't fix it. I actually think we might have an incompatibility with GitHub Packages but that would be independent of App vs CLI

In the CLI tests is no private package (GitHub registry) involved. Just the shared config, which is not a package but a private repo. The PAT has access to all repos (and the registry).

So, we're basically back to square one. As soon as the encrypted npmToken and the npmrc are part of the renovate.json file, the GitHub App it tries to load "renovate-config-config" from the wrong path and fails. As far as I can see from the logs, this happens even before the shared config is loaded (Job-ID #148531502).

I actually think we might have an incompatibility with GitHub Packages

Yes, this seems to be the conclusion. Means, that Renovate can't be used to "watch" for updated packages which are in the private GitHub Packages registry for the time being.

So what's the simplest reproduction that can be tested against to verify that?

  • no presets
  • package.json with one outdated package
  • npmrc with PAT pointing to GitHub packages?

@rarkins I think I have an idea what's wrong. Setting up a test case to check.

Possibly the app is applying its app token to the lookup, which doesn't have permissions currently for packages

Was the earlier config a valid/desired one?

conclusion
we need different npmrc settings for each manager.

renovate

//npm.pkg.github.com/viceice/:_authToken=XXXX
registry=https://npm.pkg.github.com/viceice

yarn

//npm.pkg.github.com/:_authToken=XXXX
registry=https://npm.pkg.github.com/viceice
always-auth=true

npm

//npm.pkg.github.com/viceice/:_authToken=XXXX
registry=https://npm.pkg.github.com/viceice

Was the earlier config a valid/desired one?

yes, but he couldn't fetch preset after validation

Is it just yarn that's different? And why? They normally strive for compatibility

https://github.com/viceice/renovate-gh-npm-test/pull/4 now the npm auth problem is visible

npm and yarn can fall back to _authToken=XXXX but renovate always requires //npm.pkg.github.com/viceice/:_authToken=XXXX

Moving this back to the main repo, although unsure yet of the best fix

@rarkins Do you have an estimate when a fix will be available?
A lot of our repos are currently not "renovated" because of this issue. As a workaround we could remove the npmrc property from all the "renovate.json" files but would leave it, if a fix is near. Thanks!

@maplesteve You should configure your npmrc as follows:

{
  "npmrc": "//npm.pkg.github.com/orgName/:_authToken=${NPM_TOKEN}\nregistry=https://npm.pkg.github.com/orgName"
}

if you are using npm lockfile you need to use following npmrc (encrypt it)

//npm.pkg.github.com/orgName/:_authToken=XXXX
_authToken=XXXX
registry=https://npm.pkg.github.com/orgName

This still doesn't work correctly. Renovate tries to fetch a GitHub Package from the npmjs registry though the registry is configured as per @viceice last comment above.
BTW: The package-lock.json has the correct URL for the private package; it points to GitHub.

Please see #158961503 for an example of "Dependency lookup failure: not found"

if you are using npm lockfile you need to use following npmrc (encrypt it)

//npm.pkg.github.com/orgName/:_authToken=XXXX
_authToken=XXXX
registry=https://npm.pkg.github.com/orgName

@viceice Can you please check, if the above is correct? Esp. the second line with just "_authToken" seems off.
I still can't get it to work with the GitHub Package Registry. Renovate keeps looking at npmjs, not github. Pls see the "Dependency lookup failure: not found" errors, e.g. in #178750304
Thanks!

@maplesteve please share the debug logs where it fails, as i can't view your app dashboard

@viceice Ah, sorry. I assumed, that you have access..

DEBUG: Dependency lookup failure: not found
{
  "packageName": "@orgName/foo-sdk"
}
DEBUG: Response code 404 (Not Found)
{
  "err": {
    "name": "HTTPError",
    "host": "registry.npmjs.org",
    "hostname": "registry.npmjs.org",
    "method": "GET",
    "path": "/@orgName%2Ffoo-sdk",
    "protocol": "https:",
    "url": "https://registry.npmjs.org/@orgName%2Ffoo-sdk",
    "gotOptions": {
      "path": "/@orgName%2Ffoo-sdk",
      "protocol": "https:",
      "slashes": true,
      "auth": null,
      "host": "registry.npmjs.org",
      "port": null,
      "hostname": "registry.npmjs.org",
      "hash": null,
      "search": null,
      "query": null,
      "pathname": "/@orgName%2Ffoo-sdk",
      "href": "https://registry.npmjs.org/@orgName%2Ffoo-sdk",
      "headers": {
        "user-agent": "Renovate Bot (GitHub App 2740)",
        "cache-control": "no-cache",
        "accept": "application/json",
        "accept-encoding": "gzip, deflate"
      },
...
    },
    "statusCode": 404,
    "statusMessage": "Not Found",
    "headers": {
...
    },
    "body": {
      "error": "Not found"
    },
    "message": "Response code 404 (Not Found)",
    "stack": "HTTPError: Response code 404 (Not Found)\n    at EventEmitter..."
  },
  "token": "***********"
}
DEBUG: Failed to look up dependency @orgName/foo-sdk (@orgName/foo-sdk)(packageFile="package.json", dependency="@orgName/foo-sdk")

can you please also share your renovate config

{
  "extends": ["github>orgName/foo-renovate-presets"],
  "encrypted": {
    "npmrc": "IBEU/...=="
  }
}

ok, can you share your shared preset? maybe there is something wrong

What is @orgName/foo-sdk is it a normal npm dependency?

The default renovate presets are now embedded in renovate, so it looks like your github>orgName/foo-renovate-presets is wrong.

What is @orgName/foo-sdk is it a normal npm dependency?

Yes. Points to a private package on the GitHub Package Registry.

"default.json" from the shared presets:

{
    "extends": [
        "config:base",
        ":semanticCommitTypeAll(chore)"
    ],
    "rebaseStalePrs": true,
    "packageRules": [{
            "automerge": true,
            "automergeType": "pr",
            "depTypeList": ["devDependencies"],
            "excludePackagePatterns": ["^serverless$"],
            "schedule": ["before 2am on tuesday"]
        },
        {
            "automerge": true,
            "automergeType": "pr",
            "groupName": "aws-sdk",
            "packagePatterns": [ "aws-sdk" ],
            "schedule": ["before 2am on monday"]
        },
        {
            "automerge": true,
            "automergeType": "pr",
            "groupName": "types",
            "packagePatterns": [ "@types" ],
            "schedule": ["before 2am on monday"]
        }
    ],
    "labels": [
        "dependencies"
    ]
}

so i think your npmrc renovate config should be:

@orgName:registry=https://npm.pkg.github.com/orgName/
//npm.pkg.github.com/orgName/:_authToken=XXXX

@viceice Thanks for your help! We're getting closer. I changed the config as you proposed and Renovate now detects the private packages in the GitHub Package Registry. So far so good.

Renovate also detects updates of private packages, but then fails with an "artifact error" in the npm install --package-lock-only --no-audit step with a 404:

404 Not Found - GET https://redacted@orgName/package-name

The artifact error comment in the PR says:

404 Not Found - GET https://npm.pkg.github.com/orgName/n/npm.pkg.github.com/orgName/:_authToken=**redacted**/@orgName/package-name

@viceice Maybe, the Docker container doesn't use the provided npmrc config?

From the log, where the error occurs:

docker run --rm --name=renovate_node --label=renovate_child -v "/mnt/renovate/gh/orgName/package-name":"/mnt/renovate/gh/orgName/package-name" -v "/tmp/renovate-cache":"/tmp/renovate-cache" -v "/home/ubuntu/.npmrc":"/home/ubuntu/.npmrc" -e NPM_CONFIG_CACHE -e npm_config_store -w "/mnt/renovate/gh/orgName/package-name" renovate/node bash -l -c "npm i -g npm && npm install --package-lock-only --no-audit"

It points to /home/ubuntu/.npmrc. Or does the "real" npmrc config get provided via the ENV vars NPM_CONFIG_CACHE, npm_config_store?

@maplesteve you should see a debug message for when the .npmrc is written to disk prior: https://github.com/renovatebot/renovate/blob/6c798e5fcdfd7958a1fe2e7a519e9dbd222e96af/lib/manager/npm/post-update/index.ts#L118-L120

OK, i've traced the current code and you need some more changes to get it working.

.npmrc in git repo root

@orgName:registry=https://npm.pkg.github.com/orgName/

renovate.json in git repo root

{
  ...
  "hostRules": [
    {
      "baseUrl": "https://npm.pkg.github.com/orgName/",
      "hostType": "npm",
      "encrypted": {
        "token": "XXXX-encrypted-TOKEN"
      }
    }
  ],
  "npmrc": "@orgName:registry=https://npm.pkg.github.com/orgName/"
  ...
}

@rarkins It seems we no longer use configured npmrc renovate config, if the package extract find a repo .npmrc, so the values are not written to disk for post-update. But we write npmhost rules to .npmrc file

Here .npmrc from config gets overwritten by packageFile.npmrc.
https://github.com/renovatebot/renovate/blob/6c798e5fcdfd7958a1fe2e7a519e9dbd222e96af/lib/manager/npm/post-update/index.ts#L142-L145

After above the hostrules are added
https://github.com/renovatebot/renovate/blob/6c798e5fcdfd7958a1fe2e7a519e9dbd222e96af/lib/manager/npm/post-update/index.ts#L351-L370

@viceice Thanks.

you need some more changes to get it working

Would that be the workaround for the bug/change you mentioned regarding .npmrc getting overwritten? Then I'll rather wait for a fix, than changing the config on 30+ repos again.

If not: npmrc is now a property of the encrypted object in renovate.json (as per your comment above). The config would then have two differing npmrc entries. Is that intended?

.npmrc in git repo root

Additionally? Renovate already gets a dedicated npmrc for its purpose and everything npm-related works with the current setup.

@viceice, @rarkins This still leads to a lot of failed Renovate-PRs. Could you please provide an update regarding a bug fix or the questions in my last comment? Thanks!

馃 I think we need a public repo to reproduce the issue. We only need the npmrc files, we can remove the credentials and use npmjs and yarnpkg as test sources

@maplesteve can you create a sample repo, which has the structure of your repo? So we can debug this with the local renovate CLI

@viceice Thanks for getting back so quickly!

I thought, we tracked it down to the problem, that Docker doesn't use the provided .npmrc (see here)

The authorization and other problems were solved by using the "correct" encrypted npmrc in "renovate.json". The Docker problem is left.

I created a repo with .npmrc and renovate.json. I also provided the shared Renovate config which is extended. It's in the folder "renovate-presets".

Please let me know, if you need additional info.

@viceice, @rarkins do you need any further info? We're stuck with a lot of failing Renovate-PRs on a lot of repos - this gets a little messy and we need a way to move forward, please.

@maplesteve Sorry for our delay, but we are very busy, so this got out of focus. Can you add @rarkins and @viceice as contributors to your repo and fully configure the sample, add a package.json with one dep and fix the renovate.json preset to point to the test repo. Then enable renovate on that repo. Maybe you need to add some correctly encrypted npmrc to the config

@viceice , @rarkins My co-worker @mzl-md prepared three private repos (config, package, service). You'll get the collaborator invitations shortly.
Right now, we're stuck again at the point where Renovate can't find the package, though the encrypted npmrc has the contents from your comments above. Please feel free to play around with the configs.

Please let us know, if you need additional info or setup.

Do you have a space in your preset name as in the comment above, or was it just a copy/paste typo?

No space.
I just looked at the logs again. We're now at the "right" point where the lockfile-error occurs during the Docker operation.

Right, I see @mzl-md/[email protected]' is not in the npm registry in job 222577470

I see "Writing repo .npmrc (/mnt/renovate/gh/mzl-md/renovate-5646-service)" which is what I'd expect.

I notice you also have a .npmrc file in the repo itself. If you configure one in npmrc file then our expected behavior is to overwrite it. Is that also what you expect?

Also does your encrypted npmrc include this full contents like the following?

@mzl-md:registry=https://npm.pkg.github.com/mzl-md/
//npm.pkg.github.com/mzl-md/:_authToken=abc123

Yes that's what we got from your documentation. The encrypted npmrc's content is

@mzl-md:registry=https://npm.pkg.github.com/mzl-md/\n//npm.pkg.github.com/mzl-md/:_authToken=xxxxx

I notice you also have a .npmrc file in the repo itself. If you configure one in npmrc file then our expected behavior is to overwrite it. Is that also what you expect?

But, isn't that the problem, which was pointed out by @viceice in the last part of this comment?

It seems we no longer use configured npmrc renovate config, if the package extract find a repo .npmrc, so the values are not written to disk for post-update. But we write npmhost rules to .npmrc file

If the Docker process doesn't use the encrypted npmrc, it will/does fail because it won't have the necessary credentials (which are in the encrypted npmrc only).

OK, so current working thesis is that the decrypted npmrc content is not overwriting what's in the repo.

@viceice do you think we need to have a .npmrc file in the repo, or was that just part of troubleshooting?

I think i have an idea whats going on wrong here.

  • first we add configured npmrc auth to hostRules
  • then we read repo .npmrc and add to packageFile
  • then we write configured npmrc to repo
  • after that we write the packageFile npmrc to disk
  • finally we write all npm hostRules to repo .npmrc

Because the repo .npmrc contains an env var, that would be silently passed back. I'll check the code to verify. Should be reproducible by cli, but needs unencrypted npmrc config

verified and updated

ok strange, now i can reproduce here https://github.com/viceice/renovate-gh-npm-test/pull/7/files

yarn succeeds, but npm fails

@maplesteve @mzl-md I think you've had a bad encrypted npmrc config:

npm ERR! code E404\nnpm ERR! 404 Not Found - GET https://npm.pkg.github.com/mzl-md/n/npm.pkg.github.com/mzl-md/:_authToken=**redacted**/@mzl-md/renovate-5646-package\nnpm

see encoding of newline:

  • wrong: https://npm.pkg.github.com/mzl-md/n/npm.pkg.github.com/mzl-md/:_authToken=**redacted**
  • right: https://npm.pkg.github.com/mzl-md\n//pm.pkg.github.com/mzl-md/:_authToken=**redacted**

@viceice the content of the encrypted npmrc has been posted here

IMO the newline is escaped correctly...?

ok, as you can see in the log, the package URL built by npm seems to be wrong.
@rarkins maybe we do some wrong encryption?

const newContent = newNpmrc.join('\n'); <-- Does that line do what we intend it to do, or does it need to be \\n somehow?

const newContent = newNpmrc.join('\n'); <-- Does that line do what we intend it to do, or does it need to be \\n somehow?

Looks good, and works, tested locally.

@mzl-md Can you please add a trailing newline to npmrc: @mzl-md:registry=https://npm.pkg.github.com/mzl-md/\n//npm.pkg.github.com/mzl-md/:_authToken=xxxxx\n

ok, verified, we need a trailing newline, otherwise the npm ini parser fails on last line. sending a fix in a few minutes

_conclusion_
we need different npmrc settings for each manager.

_renovate_

//npm.pkg.github.com/viceice/:_authToken=XXXX
registry=https://npm.pkg.github.com/viceice

_yarn_

//npm.pkg.github.com/:_authToken=XXXX
registry=https://npm.pkg.github.com/viceice
always-auth=true

_npm_

//npm.pkg.github.com/viceice/:_authToken=XXXX
registry=https://npm.pkg.github.com/viceice

Annoying, yarn and npm needs different _authToken config.

.npmrc config needs trailing newline!
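
The npmrc problems raised in this thread (an undecoded `\n`, a missing trailing newline, an unscoped `registry=` override, a bare `_authToken`, a scoped registry without a trailing slash) can be checked on the plaintext before it is encrypted. The following is an added example, not Renovate's code and not posted by any participant; `lintNpmrc`, its finding codes and the sample strings are hypothetical and constructed from the values quoted above.

```javascript
// Added example (not Renovate code): lint npmrc content before encrypting it.
// Finding codes and the sample strings below are constructed for illustration.
const DEFAULT_REGISTRY_HOST = 'registry.npmjs.org';

// Minimal key=value reader; skips blank lines and ;/# comments.
function parseLines(content) {
  return content
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith(';') && !line.startsWith('#'))
    .map((line) => {
      const i = line.indexOf('=');
      if (i === -1) return { key: line, value: '' };
      return { key: line.slice(0, i).trim(), value: line.slice(i + 1).trim() };
    });
}

function hostOf(url) {
  try {
    return new URL(url).host;
  } catch {
    return null; // not a parseable URL
  }
}

function lintNpmrc(content) {
  const findings = [];
  const add = (code, detail) => findings.push({ code, detail });

  // Backslash followed by "n" as two characters: the escape was never decoded,
  // so both settings sit on one line and the token becomes part of the registry URL.
  if (content.includes('\\n')) add('literal-backslash-n', 'undecoded \\n in content');
  // The thread's conclusion: the last line must be newline-terminated.
  if (content.length > 0 && !content.endsWith('\n')) {
    add('missing-trailing-newline', 'last line is not terminated');
  }

  const tokenPrefixes = []; // "//host/path/" keys that carry an _authToken
  const registries = [];
  for (const { key, value } of parseLines(content)) {
    if (key === '_authToken') {
      add('unscoped-authtoken', 'token is not bound to a registry host');
    } else if (key.startsWith('//') && key.endsWith(':_authToken')) {
      tokenPrefixes.push(key.slice(0, -':_authToken'.length));
    } else if (key === 'registry') {
      // Unscoped registry= sends every lookup, public packages included, here.
      if (hostOf(value) !== DEFAULT_REGISTRY_HOST) add('global-registry-override', value);
      registries.push(value);
    } else if (/^@[^:]+:registry$/.test(key)) {
      if (!value.endsWith('/')) add('scoped-registry-no-trailing-slash', key);
      registries.push(value);
    }
  }

  // Prefix heuristic (an assumption, not npm's exact credential matching):
  // a non-default registry should have a token key on its host/path.
  for (const registry of registries) {
    if (hostOf(registry) === DEFAULT_REGISTRY_HOST) continue;
    let target = '//' + registry.replace(/^https?:\/\//, '');
    if (!target.endsWith('/')) target += '/';
    if (!tokenPrefixes.some((prefix) => target.startsWith(prefix))) {
      add('registry-without-token', registry);
    }
  }
  return findings;
}

const codes = (content) => lintNpmrc(content).map((f) => f.code);

// Constructed samples modelled on the configurations quoted in the thread.
const SAMPLES = {
  original: '//npm.pkg.github.com/:_authToken=${NPM_TOKEN}\nregistry=https://npm.pkg.github.com/ourOrgName',
  undecoded: '@mzl-md:registry=https://npm.pkg.github.com/mzl-md/\\n//npm.pkg.github.com/mzl-md/:_authToken=xxxxx',
  lockfile: '//npm.pkg.github.com/orgName/:_authToken=XXXX\n_authToken=XXXX\nregistry=https://npm.pkg.github.com/orgName\n',
  scoped: '//npm.pkg.github.com/mzl-md/:_authToken=xxxxx\n@mzl-md:registry=https://npm.pkg.github.com/mzl-md/\n',
};

for (const [name, content] of Object.entries(SAMPLES)) {
  console.log(name, codes(content));
}
```

The check runs on the decoded string, i.e. what ends up on disk as `.npmrc`, not on the JSON-escaped form stored in `renovate.json`.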

:tada: This issue has been resolved in version 23.6.1 :tada:

The release is available on:

Your semantic-release bot :package::rocket:

@viceice I still get the artifact error. What was your final solution for the encrypted npmrc?

//npm.pkg.github.com/mzl-md/:_authToken=xxxxx\nregistry=https://npm.pkg.github.com/mzl-md

or

//npm.pkg.github.com/mzl-md/:_authToken=xxxxx\\nregistry=https://npm.pkg.github.com/mzl-md

or something else?

In https://github.com/renovatebot/renovate/pull/7124: Shouldn't you check if there already is a trailing newline before adding one?

@mzl-md first one is right

Adding multiple newlines is no problem at all, only missing newline is a problem

@mzl-md Can you configure this: //npm.pkg.github.com/mzl-md/:_authToken=xxxxx\n@mzl-md:registry=https://npm.pkg.github.com/mzl-md/

trailing registry slash required

//npm.pkg.github.com/mzl-md/:_authToken=xxxxx
@mzl-md:registry=https://npm.pkg.github.com/mzl-md/

Done

馃 Strange, failed again. No idea what's going wrong now. must be something with the npmrc file written to disk

It uses the wrong registry:

https://registry.npmjs.org/@mzl-md/frenovate-5646-package

should be

https://npm.pkg.github.com/mzl-md/@mzl-md/renovate-5646-package

馃 @rarkins is doing a manual debug run later and will check the npmrc and the logs.

@viceice, are you sure that the parameters for this command point to the correct npmrc with the appropriate npm config?
docker run --rm --name=renovate_node --label=renovate_child -v \"/mnt/renovate/gh/mzl-md/renovate-5646-service\":\"/mnt/renovate/gh/mzl-md/renovate-5646-service\" -v \"/tmp/renovate-cache\":\"/tmp/renovate-cache\" -v \"/home/ubuntu/.npmrc\":\"/home/ubuntu/.npmrc\" -e NPM_CONFIG_CACHE -e npm_config_store -w \"/mnt/renovate/gh/mzl-md/renovate-5646-service\" renovate/node bash -l -c \"npm i -g npm && npm install --package-lock-only --ignore-scripts --no-audit\"

Is the correct config really in

  • /home/ubuntu/.npmrc and
  • NPM_CONFIG_CACHE and
  • npm_config_store
    ?

Where does the app write the npmrc to?

The app should write it to /mnt/renovate/gh/mzl-md/renovate-5646-service

I have not been able to reproduce the problem locally. What are the arguments for renovate in Github? I used

yarn start --dry-run true --log-level trace --binary-source docker --docker-map-dotfiles true

@rarkins any new results from your debug run?

Unfortunately I'm not able to do a proper run because it requires the privateKey to decrypt the npmrc and that is not something I can/should copy out of production systems to my local. It's loaded into memory from an encrypted enclave system at run time, not intended to be used from CLI.

Could you generate a new key pair to use on your machine and replace the encrypted npmrc in the repository with one encrypted with your key?

Good idea, I'd need to send the public key to you to do the encrypting though as I don't have access to the raw unencrypted string either (for same reason..)

I added the token to the README so you can encrypt it yourself.

@rarkins Any progress on this? Did you find out, what corrupts the npmrc file (which leads to the wrong npm URLs)?

Sorry, I haven't had time to work on this debugging yet.

@rarkins, @viceice How can we get to a solution here? This one is now open for 7 months. #7354 seems related.

@maplesteve sorry, but you'll need to use the self-hosted version for now as we don't know what's causing the problem in the app. And if it turns out that the problem applies to the self-hosted version as well and can be reproduced, then it would be much easier to debug.

@rarkins I'm trying configure the self-hosted version for mzl-md/renovate-5646-service
by using renovatebot/github-action but renovate throws the following error:

 INFO: Throwing preset error
       "validationError": "Cannot find preset's package (github>mzl-md/renovate-5646-config)"
FATAL: Fatal error: config-validation
       "err": {
         "validationError": "Cannot find preset's package (github>mzl-md/renovate-5646-config)",
         "message": "config-validation",
         "stack": "Error: config-validation\n    at Object.resolveConfigPresets (/usr/src/app/node_modules/renovate/lib/config/presets/index.ts:221:25)\n    at processTicksAndRejections (internal/process/task_queues.js:97:5)"
       }
(node:7) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'redisUrl' of undefined
    at Object.cleanup (/usr/src/app/node_modules/renovate/lib/util/cache/package/index.ts:55:14)
    at Object.globalFinalize (/usr/src/app/node_modules/renovate/lib/workers/global/initialize.ts:44:16)
    at Object.start (/usr/src/app/node_modules/renovate/lib/workers/global/index.ts:77:5)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)

I have set the log level to debug with env param LOG_LEVEL, but that doesn't seem to be applied. Could you please have a look at the workflow- and config-file?

Is this correct: When using a self-hosted version with the github action, we don't have to use an encrypted npmrc, because the renovate instance running inside the github action has access to the repository secrets?

Can you change node from 14 to 12 and run again, in case that's causing any problems?

@viceice do you know why the LOG_LEVEL env is not being applied to the action?

Also @mzl-md the config file is meant to be a "bot admin" config and not a regular repo renovate.json. Example: https://github.com/renovatebot/github-action/blob/master/example/renovate-config.js

sure, the action is running the renovate slim docker image, so the env var is not passed to the container, see renovatebot/github-action#136

What is the intended way to authorize the self-hosted bot for the private npm packages? I tried:

  1. setting testLevel=high (required for npmrc with variables) and using the npmrc from services repo. I had to use RENOVATE_TOKEN as variable since only that is forwarded from the action to the container.

    • fails in second docker container (which performs npm i to update package-lock.json) with an artifact error, because RENOVATE_TOKEN isn't set

  2. let renovate create a new npmrc from renovate-config npmrc (for github npm repo url) and hostRules
  3. configure privateKey and use encrypted npmrc with token

    • had to remove hostRules to avoid "failed to replace variable"-error

    • fails in second container with artifact error 404 (GET https://**redacted**@mzl-md%2frenovate-5646-package)

  • fails in second container with artifact error 404 (GET https://redacted@mzl-md%2frenovate-5646-package)

IMO this exactly resembles the error / behaviour of the GitHub App. The URL which is used by npm in the Docker container is constructed wrong because the code somehow mixes up the infos from the npmrc.

IMO this exactly resembles the error / behaviour of the GitHub App. The URL which is used by npm in the Docker container is constructed wrong because the code somehow mixes up the infos from the npmrc.

Meaning that the problem is not related to encrypting/decrypting the token?

Meaning that the problem is not related to encrypting/decrypting the token?

Three possible problems with the "2nd container"

  • if the token/npmrc is re-encrypted before handed over to the container and this encryption is broken, then this would lead to a broken npmrc used by npm
  • the decryption is broken, which would lead to a broken npmrc used by npm
  • the URL which is used for the npm i call is constructed in a wrong way

It's obvious, that the URL used by npm is incorrect. This can IMO either happen because of wrongly formatted npmrc info or because of an incorrect URL passed to npm.

The first container does not have this problem, so I would conclude, that something gets mixed up in the context of the 2nd container.

@rarkins @viceice Any progress on this? Any conclusion from the issue I linked above for this one here?
Maybe it helps, if I frame the overall problem again: Which config is necessary, to have Renovate work with private packages hosted on the GitHub Registry?

I've made some progress, see renovatebot/renovate#7354

I set "ignoreNpmrcFile": true in the renovate.json in our example repo but still receive the artifact error.

One problem is here:
https://github.com/renovatebot/renovate/blob/9f6c193557175753661c3135a8c123d9b6ff1d61/lib%2Fconfig%2Fmassage.ts#L25

We always overwrite npmrc if we found a npmToken regardless if npmrc already has a value.

But we don't have a npmToken, there is only the encrypted npmrc including the token in the renovate.json.

馃 @mzl-md I'll debug this now, forked the repo to my private name and used the pub/priv key from you repo

ok, using cli with enncryption works: https://github.com/viceice/renovate-5646-service/pull/2

@rarkins Any idea why it works if i use the cli with encryption but fails on the app? There must be a bug in app code. Maybe something is overwriting the npmrc?
