feat(vendir): convert Host Rules to Git authentication (renovatebot#41458)

jamietanna · Claude Sonnet 4.5 · web-flow · commit fdde07c09d9c · 2026-02-24T16:37:07.000Z
When using Vendir with Git repositories, we do not currently provide
authentication via Host Rules, which means we cannot access private
repositories.

Instead, we should set these, so they can be used by `vendir sync` to
authenticate to private repos.

Co-authored-by: Claude Sonnet 4.5 &lt;jamie.tanna+github-copilot@mend.io&gt;
diff --git a/lib/modules/manager/vendir/artifacts.spec.ts b/lib/modules/manager/vendir/artifacts.spec.ts
@@ -8,6 +8,7 @@ import type { RepoGlobalConfig } from '../../../config/types.ts';
 import { TEMPORARY_ERROR } from '../../../constants/error-messages.ts';
 import { ExecError } from '../../../util/exec/exec-error.ts';
 import type { StatusResult } from '../../../util/git/types.ts';
+import * as hostRules from '../../../util/host-rules.ts';
 import type { UpdateArtifactsConfig } from '../types.ts';
 import * as vendir from './index.ts';
 
@@ -37,6 +38,10 @@ describe('modules/manager/vendir/artifacts', () => {
     GlobalConfig.set(adminConfig);
   });
 
+  afterEach(() => {
+    hostRules.clear();
+  });
+
   it('returns null if no vendir.lock.yml found', async () => {
     const updatedDeps = [{ depName: 'dep1' }];
     expect(
@@ -341,6 +346,88 @@ describe('modules/manager/vendir/artifacts', () => {
     ]);
   });
 
+  it('sets GIT_CONFIG variables when Host Rules are configured', async () => {
+    fs.readLocalFile.mockResolvedValueOnce(vendirLockFile1);
+    fs.getSiblingFileName.mockReturnValueOnce('vendir.lock.yml');
+    fs.readLocalFile.mockResolvedValueOnce(vendirLockFile2);
+    const execSnapshots = mockExecAll();
+    fs.privateCacheDir.mockReturnValue(
+      '/tmp/renovate/cache/__renovate-private-cache',
+    );
+    fs.getParentDir.mockReturnValue('');
+
+    hostRules.add({
+      hostType: 'github',
+      matchHost: 'api.github.com',
+      token: 'some-token',
+    });
+    hostRules.add({
+      hostType: 'github',
+      matchHost: 'github.enterprise.com',
+      token: 'some-enterprise-token',
+    });
+    hostRules.add({
+      hostType: 'gitlab',
+      matchHost: 'gitlab.enterprise.com',
+      token: 'some-gitlab-token',
+    });
+
+    // artifacts
+    fs.getSiblingFileName.mockReturnValueOnce('vendor');
+    git.getRepoStatus.mockResolvedValueOnce(
+      partial<StatusResult>({
+        not_added: ['vendor/Chart.yaml'],
+      }),
+    );
+    const updatedDeps = [{ depName: 'dep1' }];
+
+    await vendir.updateArtifacts({
+      packageFileName: 'vendir.yml',
+      updatedDeps,
+      newPackageFileContent: vendirFile,
+      config: {
+        ...config,
+      },
+    });
+
+    expect(execSnapshots).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({
+          options: expect.objectContaining({
+            env: expect.objectContaining({
+              GIT_CONFIG_COUNT: '9',
+              GIT_CONFIG_KEY_0:
+                'url.https://ssh:some-token@github.com/.insteadOf',
+              GIT_CONFIG_KEY_1:
+                'url.https://git:some-token@github.com/.insteadOf',
+              GIT_CONFIG_KEY_2: 'url.https://some-token@github.com/.insteadOf',
+              GIT_CONFIG_KEY_3:
+                'url.https://ssh:some-enterprise-token@github.enterprise.com/.insteadOf',
+              GIT_CONFIG_KEY_4:
+                'url.https://git:some-enterprise-token@github.enterprise.com/.insteadOf',
+              GIT_CONFIG_KEY_5:
+                'url.https://some-enterprise-token@github.enterprise.com/.insteadOf',
+              GIT_CONFIG_KEY_6:
+                'url.https://gitlab-ci-token:some-gitlab-token@gitlab.enterprise.com/.insteadOf',
+              GIT_CONFIG_KEY_7:
+                'url.https://gitlab-ci-token:some-gitlab-token@gitlab.enterprise.com/.insteadOf',
+              GIT_CONFIG_KEY_8:
+                'url.https://gitlab-ci-token:some-gitlab-token@gitlab.enterprise.com/.insteadOf',
+              GIT_CONFIG_VALUE_0: 'ssh://git@github.com/',
+              GIT_CONFIG_VALUE_1: 'git@github.com:',
+              GIT_CONFIG_VALUE_2: 'https://github.com/',
+              GIT_CONFIG_VALUE_3: 'ssh://git@github.enterprise.com/',
+              GIT_CONFIG_VALUE_4: 'git@github.enterprise.com:',
+              GIT_CONFIG_VALUE_5: 'https://github.enterprise.com/',
+              GIT_CONFIG_VALUE_6: 'ssh://git@gitlab.enterprise.com/',
+              GIT_CONFIG_VALUE_7: 'git@gitlab.enterprise.com:',
+            }),
+          }),
+        }),
+      ]),
+    );
+  });
+
   it('works explicit global binarySource', async () => {
     GlobalConfig.set({ ...adminConfig, binarySource: 'global' });
     fs.readLocalFile.mockResolvedValueOnce(vendirLockFile1);
diff --git a/lib/modules/manager/vendir/artifacts.ts b/lib/modules/manager/vendir/artifacts.ts
@@ -8,6 +8,7 @@ import {
   readLocalFile,
   writeLocalFile,
 } from '../../../util/fs/index.ts';
+import { getGitEnvironmentVariables } from '../../../util/git/auth.ts';
 import { getRepoStatus } from '../../../util/git/index.ts';
 import type { UpdateArtifact, UpdateArtifactsResult } from '../types.ts';
 
@@ -33,6 +34,7 @@ export async function updateArtifacts({
     await writeLocalFile(packageFileName, newPackageFileContent);
     logger.debug('Updating Vendir artifacts');
     const execOptions: ExecOptions = {
+      extraEnv: { ...getGitEnvironmentVariables([]) },
       cwdFile: packageFileName,
       docker: {},
       toolConstraints: [
