Using GitHub secrets for adding hostRules.token for Private Terraform Cloud Module #833
Hi, I am using the following GitHub Actions workflow:

```yaml
name: Renovate-terraform
on:
  schedule:
    - cron: '0 */6 * * *'
  workflow_dispatch:
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Get token
        id: get_token
        uses: getsentry/action-github-app-token@v3
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Checkout
        uses: actions/[email protected]
      - name: Self-hosted Renovate
        uses: renovatebot/[email protected]
        with:
          configurationFile: terraform-renovate.json
          token: '${{ steps.get_token.outputs.token }}'
        env:
          LOG_LEVEL: 'debug'
          RENOVATE_DETECT_HOST_RULES_FROM_ENV: true
          TERRAFORM_CLOUD_TOKEN: ${{ secrets.TERRAFORM_CLOUD_TOKEN }}
```

My `terraform-renovate.json`:

```json
{
  "repositories": [
    "XXXX/ent-app-aks-infrastructure"
  ],
  "printConfig": false,
  "allowCustomCrateRegistries": true,
  "allowScripts": true,
  "exposeAllEnv": true,
  "assignAutomerge": false,
  "automerge": false,
  "branchPrefix": "renovate/",
  "platform": "github",
  "forkProcessing": "disabled",
  "assigneesFromCodeOwners": true,
  "prHourlyLimit": 0,
  "timezone": "Europe/Oslo",
  "dependencyDashboard": false,
  "extends": ["config:recommended", ":disableDependencyDashboard"],
  "kubernetes": {"enabled": true, "fileMatch": ["\\.ya?ml$"]},
  "packageRules": [
    {"matchManagers": ["terraform"], "groupName": "terraform"},
    {"matchManagers": ["kubernetes"], "groupName": "kubernetes"}
  ],
  "vulnerabilityAlerts": {"addLabels": ["security"]},
  "username": "Renovate-bot-XXXXXX[bot]",
  "gitAuthor": "Renovate-bot-XXXXXX <136432898+renovate-bot-XXXXXX[bot]@users.noreply.github.com>",
  "hostRules": [
    {
        "hostType": "terraform-module",
        "matchHost": "app.terraform.io",
        "token": "{{ env.TERRAFORM_CLOUD_TOKEN }}"
    }
  ]
}
```

When I run the above config, it seems like the token is added to the setup, but it fails when it is trying to fetch the module. When I add the token value directly in the config, it works perfectly. I wonder if there is a way for me to fetch the token for Terraform Cloud from a GitHub secret? It could be something I don't really understand here and would love some pointers in the right direction if possible.
Replies: 1 comment 2 replies
Renovate does not automatically populate the contents of `env` for `renovate.json` as this would be a security risk. You'd be better to create your hostRules in a `config.js` file which is admin-controlled and allowed to read env using `process.env.X`.