lockFileMaintenance with private inputs on a flake

[Rider128]

How are you running Renovate?

Self-hosted Renovate

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

Gitlab

Please tell us more about your question or problem

Hello,

I have a flake with multiple private inputs, but my Renovate bot cannot perform flake.lock maintenance because it fails to fetch the private input via Git. The issue seems to be that the SSH key is not properly referenced.

The Renovate bot runs on a NixOS VM.

How can I configure Renovate to use an SSH key or make it use the SSH key available in the VM?

For GitLab CI, I worked around a similar issue by using a token with the following configuration:

git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.address".insteadOf "ssh://git@gitlab-address"

Is there a way to apply a similar workaround for Renovate, or another method to resolve this issue?

Thanks in advance!

Logs (if relevant)

Logs

WARN: Error updating flake.lock (repository=team1/mdanielthomas/machine1, branch=renovate/lock-file-maintenance)
        "err": {
          "cmd": "/bin/sh -c nix     --extra-experimental-features nix-command     --extra-experimental-features flakes --extra-access-tokens github.com=**redacted** flake update",
          "stderr": "GC Warning: Could not open /proc/stat\nHost key verification failed.\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\nwarning: could not update mtime for file '/var/lib/renovate/.cache/nix/gitv3/1fcdsifb5niqq4r57ll917l8j1h4rnmqk97fx1ipbx4mxj63frk7/refs/heads/nixos-24.11': changing modification time of '\"/var/lib/renovate/.cache/nix/gitv3/1fcdsifb5niqq4r57ll917l8j1h4rnmqk97fx1ipbx4mxj63frk7/refs/heads/nixos-24.11\"' (using `utimensat`): No such file or directory\nerror:\n       … while updating the lock file of flake 'git+file:///var/lib/private/renovate/repos/gitlab/team1/mdanielthomas/machine1?ref=refs/heads/master&rev=e9bae700e23a123d79c57268221f77623ecc781c'\n\n       … while updating the flake input 'team1-common'\n\n       … while fetching the input 'git+ssh://**redacted**@**redacted**/team1/nixos-configs/common.git?ref=nixos-24.11'\n\n       error: resolving Git reference 'nixos-24.11': revspec 'nixos-24.11' not found\n",
"stdout": "",
"options": {
  "cwd": "/var/lib/renovate/repos/gitlab/team1/mdanielthomas/machine1",
  "encoding": "utf-8",
  "env": {
    "HOME": "/var/lib/renovate",
    "PATH": "/nix/store/bl5dgjbbr9y4wpdw6k959mkq4ig0jwyg-systemd-256.10/bin:/nix/store/h2zihm0hb2n4ha5g96prrmgi71ixxvlr-git-2.47.1/bin:/nix/store/p81jxh5zc6q97cxkfx81r7988nblrwzl-nix-2.24.11/bin:/nix/store/wi7sndvja4lf7lr0wz822cnq5dm575yv-openssh-9.9p1/bin:/nix/store/6wgd8c9vq93mqxzc7jhkl86mv6qbc360-coreutils-9.5/bin:/nix/store/r99d2m4swgmrv9jvm4l9di40hvanq1aq-findutils-4.10.0/bin:/nix/store/vniy1y5n8g28c55y7788npwc4h09fh7c-gnugrep-3.11/bin:/nix/store/yq39xdwm4z0fhx7dsm8mlpgvcz3vbfg3-gnused-4.9/bin:/nix/store/bl5dgjbbr9y4wpdw6k959mkq4ig0jwyg-systemd-256.10/bin:/nix/store/bl5dgjbbr9y4wpdw6k959mkq4ig0jwyg-systemd-256.10/sbin:/nix/store/h2zihm0hb2n4ha5g96prrmgi71ixxvlr-git-2.47.1/sbin:/nix/store/p81jxh5zc6q97cxkfx81r7988nblrwzl-nix-2.24.11/sbin:/nix/store/wi7sndvja4lf7lr0wz822cnq5dm575yv-openssh-9.9p1/sbin:/nix/store/6wgd8c9vq93mqxzc7jhkl86mv6qbc360-coreutils-9.5/sbin:/nix/store/r99d2m4swgmrv9jvm4l9di40hvanq1aq-findutils-4.10.0/sbin:/nix/store/vniy1y5n8g28c55y7788npwc4h09fh7c-gnugrep-3.11/sbin:/nix/store/yq39xdwm4z0fhx7dsm8mlpgvcz3vbfg3-gnused-4.9/sbin:/nix/store/bl5dgjbbr9y4wpdw6k959mkq4ig0jwyg-systemd-256.10/sbin",
    "LANG": "en_US.UTF-8",
    "CONTAINERBASE_CACHE_DIR": "/var/cache/renovate/containerbase"
  },
  "maxBuffer": 10485760,
  "timeout": 900000
},
"exitCode": 1,
"name": "ExecError",
"message": "Command failed: nix     --extra-experimental-features nix-command     --extra-experimental-features flakes --extra-access-tokens github.com=**redacted** flake update\nGC Warning: Could not open /proc/stat\nHost key verification failed.\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\nwarning: could not update mtime for file '/var/lib/renovate/.cache/nix/gitv3/1fcdsifb5niqq4r57ll917l8j1h4rnmqk97fx1ipbx4mxj63frk7/refs/heads/nixos-24.11': changing modification time of '\"/var/lib/renovate/.cache/nix/gitv3/1fcdsifb5niqq4r57ll917l8j1h4rnmqk97fx1ipbx4mxj63frk7/refs/heads/nixos-24.11\"' (using `utimensat`): No such file or directory\nerror:\n       … while updating the lock file of flake 'git+file:///var/lib/private/renovate/repos/gitlab/mdanielthomas/machine1?ref=refs/heads/master&rev=e9bae700e23a123d79c57268221f77623ecc781c'\n\n       … while updating the flake input 'team1-common'\n\n       … while fetching the input 'git+ssh://**redacted**@**redacted**/team1/nixos-configs/common.git?ref=nixos-24.11'\n\n       error: resolving Git reference 'nixos-24.11': revspec 'nixos-24.11' not found\n",
"stack": "ExecError: Command failed: nix     --extra-experimental-features nix-command     --extra-experimental-features flakes --extra-access-tokens github.com=**redacted** flake update\nGC Warning: Could not open /proc/stat\nHost key verification failed.\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\nwarning: could not update mtime for file '/var/lib/renovate/.cache/nix/gitv3/1fcdsifb5niqq4r57ll917l8j1h4rnmqk97fx1ipbx4mxj63frk7/refs/heads/nixos-24.11': changing modification time of '\"/var/lib/renovate/.cache/nix/gitv3/1fcdsifb5niqq4r57ll917l8j1h4rnmqk97fx1ipbx4mxj63frk7/refs/heads/nixos-24.11\"' (using `utimensat`): No such file or directory\nerror:\n       … while updating the lock file of flake 'git+file:///var/lib/private/renovate/repos/gitlab/mdanielthomas/machine1?ref=refs/heads/master&rev=e9bae700e23a123d79c57268221f77623ecc781c'\n\n       … while updating the flake input 'team1-common'\n\n       … while fetching the input 'git+ssh://**redacted**@**redacted**/team1/nixos-configs/common.git?ref=nixos-24.11'\n\n       error: resolving Git reference 'nixos-24.11': revspec 'nixos-24.11' not found\n\n    at ChildProcess.<anonymous> (/nix/store/r6lnln9gydc0dir01hxz21g97m3s1wqp-renovate-38.105.2/lib/node_modules/renovate/lib/util/exec/common.ts:101:11)\n    at ChildProcess.emit (node:even/ts:530:35)\n    at ChildProcess.emit (node:domain:489:12)\n    at Process.ChildProcess._handle.onexit (node:internal/child_process:293:12)"

[voruti]

I solved this, giving Renovate access to the Git server by setting:

      RENOVATE_HOST_RULES: |
        [
          {
            "matchHost": "gitea.${BASE_DOMAIN:?}",
            "token": "${RENOVATE_TOKEN}"
          }
        ]

and giving the nix command access to the Git server by setting:

  git-config: # file .gitconfig
    content: |
      [credential]
        helper = "store"
  git-credentials: # file .git-credentials
    content: "https://renovate:${RENOVATE_TOKEN:?}@gitea.${BASE_DOMAIN:?}"