Allow passing any environment variable to `docker run`
Say I have a Renovate config that requires an environment variable to be set in order to access a private repository:
module.exports = {
  hostRules: [
    {
      matchHost: "https://pypi.example.com/simple",
      username: "foo",
      password: process.env.PYPI_SECRET,
    },
  ],
};
Using the Docker slim image, I would be able to pass the environment variable like so:
$ docker run --rm -e PYPI_SECRET=$PYPI_SECRET ... renovate/renovate:slim
On Renovate GitHub action, support for environment variables has been added in https://github.com/renovatebot/github-action/pull/534, but as of today, it's only possible to pass environment variables starting with RENOVATE_, or being exactly LOG_LEVEL and GITHUB_COM_TOKEN, as per this regex.
This makes it not possible to pass an arbitrary environment variable, like PYPI_SECRET in the example.
For the example to work, I believe that the expected environment variable could be renamed to RENOVATE_PYPI_SECRET, but doing that, depending on the environment variable name, we may risk colliding with a renovate configuration option being passed as an environment variable.
Alternatively, a stringified RENOVATE_CONFIG environment variable containing the secret could be passed, but if I'm not mistaken, this fully replaces the configuration file being provided, rather than merging the content of both RENOVATE_CONFIG and the configuration file.
Correct me if I'm wrong, but I believe that we limit the environment variables that are retrieved because technically, environment variables in GitHub Actions workflows can be defined in different parts of the workflows (specific steps, jobs, or for the whole workflow), so by accepting everything, we would risk passing environment variables the user may not want to.
Is there any other way we could pass environment variables we explicitly want to docker run?
One thing in mind that may be ugly could be to add an optional environmentVariables field in the accepted inputs, where the user would be able to pass a stringified version of the environment variables keys and values.
Otherwise, maybe an optional allowedEnvironmentVariables where a user would write down the environment variables to retrieve from the step/job/workflow, additionally to the ones already in the regex?
This would also allow HTTP proxy variables to be passed, for those of us running this action in self-hosted runners behind corporate HTTP proxy.
I have discovered that if you prefix your environment variable with RENOVATE_ it will be passed through to the docker run.
For example in your workflow.yml:
name: Renovate
on:
  schedule:
    # The "*" (#42, asterisk) character has special semantics in YAML, so this
    # string has to be quoted.
    - cron: '0/15 * * * *'
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/[email protected]
      - name: Self-hosted Renovate
        uses: renovatebot/[email protected]
        with:
          configurationFile: example/renovate-config.js
          token: ${{ secrets.RENOVATE_TOKEN }}
        env:
          RENOVATE_PYPI_SECRET: "my super secret"
Then in the renovate-config.js you can reference it like so:
module.exports = {
  hostRules: [
    {
      matchHost: "https://pypi.example.com/simple",
      username: "foo",
      password: process.env.RENOVATE_PYPI_SECRET,
    },
  ],
};
And this should work.
We should add an env key, which allows a comma separated string of environment variable names. Those should then be passed to the renovate docker container.
Maybe we should allow a regex instead, so .* would match all, so all variables can be passed 🙈