How to migrate npmToken?

[hankadev]

What would you like help with?

I would like help with my configuration

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

I have this in my configuration:

 "encrypted": {
    "npmToken": "...."
  },
  "npmrc": "@fortawesome:registry=https://npm.fontawesome.com\n//npm.fontawesome.com/:_authToken=${NPM_TOKEN}",

Now I was warned that I need to migrate my secret. I created a repository secret on https://developer.mend.io/, but I am not sure how to include it in my renovate config.

I tried:

"encrypted": {
    "npmToken": "{{ secrets.NPM_TOKEN }}"
  },
  "npmrc": "@fortawesome:registry=https://npm.fontawesome.com\n//npm.fontawesome.com/:_authToken=${NPM_TOKEN}",

and also

"npmrc": "@fortawesome:registry=https://npm.fontawesome.com\n//npm.fontawesome.com/:_authToken=${{ secrets.NPM_TOKEN }}",

but none of these approaches works and I cannot find an example in the documentation.

The first one threw this error: Failed to decrypt field npm Token. Please re-encrypt and try again and the second one Package lookup failures.

Logs (if relevant)

Logs

Replace this text with your logs, between the starting and ending triple backticks

[rarkins]

1. Upload it as a secret
2. This:

  "npmToken": "{{ secrets.NPM_TOKEN }}",
  "npmrc": "@fortawesome:registry=https://npm.fontawesome.com\n//npm.fontawesome.com/:_authToken=${NPM_TOKEN}",

i.e. no more "encrypted": { }

[hankadev]

unfortunately this did not solved my issue, but really appreciate your help

[terrymun]

For context, my original setup—which needed migration—looks like this:

"encrypted": {
  "npmToken": "wcFMA/xDdHCJBTolAQ/........."
}
"npmrc": "@<ORG_NAME>:registry=https://npm.pkg.github.com/\n//npm.pkg.github.com/:_authToken=${NPM_TOKEN}",

Note

<ORG_NAME> is replaced with the actual organization name that contains private NPM packages

I couldn't get npmToken to work again after migrating to secret and unwrapping it from the encrypted object. Renovatebot complains that it has no access to the private packages, indicating it has issues accessing the secret.

I've tried:

• Copying the old encrypted token and pasting it as a secret ("migrate" secret)
• Copying the unencrypted token and pasting it

Neither worked.

// WARNING: This does not work
"npmToken": "{{ secrets.NPM_TOKEN }}",
"npmrc": "@<ORG_NAME>:registry=https://npm.pkg.github.com/\n//npm.pkg.github.com/:_authToken=${NPM_TOKEN}",

What worked for me is to introduce it as a hostType entry:

"hostRules": [
  {
    "matchHost": "https://npm.pkg.github.com/",
    "hostType": "npm",
    "token": "{{ secrets.NPM_TOKEN }}"
  }
],
"npmrc": "@<ORG_NAME>:registry=https://npm.pkg.github.com/\n//npm.pkg.github.com/:_authToken=${NPM_TOKEN}",

[hankadev]

Thanks a lot for your help, this approach solved the issue I had 🙏 You are a life savior 😊

[btimo]

Quick question around this solution:
We are using the secrets object to define the hostRules.*.token.
But then we are using the env var NPM_TOKEN in the npmrc.
What's the relation between the token and the env var NPM_TOKEN?
What do we write in the npmrc property if the secret is not named NPM_TOKEN?

Should we use the same name in both properties, as in the example below?

"hostRules": [
  {
    "matchHost": "https://npm.pkg.github.com/",
    "hostType": "npm",
    "token": "{{ secrets.RANDOM_SECRET_NAME }}"
  }
],
"npmrc": "@<ORG_NAME>:registry=https://npm.pkg.github.com/\n//npm.pkg.github.com/:_authToken=${RANDOM_SECRET_NAME}",

[hankadev]

I used NPM_TOKEN because that is how I named the secret I created at https://developer.mend.io/. So yes, you need to use the same name in all places, but you can choose the name.

[zharinov]

Regarding this string:

"npmrc": "@fortawesome:registry=https://npm.fontawesome.com\n//npm.fontawesome.com/:_authToken=${{ secrets.NPM_TOKEN }}",

I think it should be like this (note the absense of $):

"npmrc": "@fortawesome:registry=https://npm.fontawesome.com\n//npm.fontawesome.com/:_authToken={{ secrets.NPM_TOKEN }}",