[pull] main from renovatebot:main

lib/data/monorepo.json

@@ -625,6 +625,7 @@
     "ngrx": "https://github.com/ngrx/",
     "nx": "https://github.com/nrwl/nx",
     "octokit": "https://github.com/octokit/",
+    "php-enqueue": "https://github.com/php-enqueue/",
     "semantic-release": "https://github.com/semantic-release/",
     "swc": "https://github.com/swc-project/",
     "twig": "https://github.com/twigphp/"

lib/workers/global/config/parse/index.spec.ts

@@ -205,5 +205,27 @@ describe('workers/global/config/parse/index', () => {
       const parsedConfig = await configParser.parseConfigs(env, defaultArgv);
       expect(parsedConfig).toContainEntries([['onboardingNoDeps', 'enabled']]);
     });
+
+    it('apply secrets to global config', async () => {
+      vi.doMock('../../../../../config.js', () => ({
+        default: {},
+      }));
+      const env: NodeJS.ProcessEnv = {
+        ...defaultEnv,
+        RENOVATE_SECRETS: '{"SECRET_TOKEN": "secret_token"}',
+        RENOVATE_CUSTOM_ENV_VARIABLES:
+          '{"TOKEN": "{{ secrets.SECRET_TOKEN }}"}',
+      };
+      const parsedConfig = await configParser.parseConfigs(env, defaultArgv);
+      expect(parsedConfig).toMatchObject({
+        secrets: {
+          SECRET_TOKEN: 'secret_token',
+        },
+
+        customEnvVariables: {
+          TOKEN: 'secret_token',
+        },
+      });
+    });
   });
 });

lib/workers/global/config/parse/index.ts

@@ -1,5 +1,6 @@
 import is from '@sindresorhus/is';
 import * as defaultsParser from '../../../../config/defaults';
+import { applySecretsToConfig } from '../../../../config/secrets';
 import type { AllConfig } from '../../../../config/types';
 import { mergeChildConfig } from '../../../../config/utils';
 import { logger, setContext } from '../../../../logger';
@@ -109,6 +110,16 @@ export async function parseConfigs(
     config.onboardingNoDeps = 'enabled';
   }
 
+  // do not add these secrets to repoSecrets and,
+  //  do not delete the secrets object after applying on global config as it needs to be re-used for repo config
+  if (is.nonEmptyObject(config.secrets)) {
+    config = applySecretsToConfig(config, undefined, false);
+    // adding these secrets to the globalSecrets set so that they can be redacted from logs
+    for (const secret of Object.values(config.secrets!)) {
+      addSecretForSanitizing(secret, 'global');
+    }
+  }
+
   if (is.nonEmptyObject(config.customEnvVariables)) {
     setCustomEnv(config.customEnvVariables);
   }

lib/workers/repository/reconfigure/utils.ts

@@ -1,3 +1,26 @@
+import is from '@sindresorhus/is';
+import { platform } from '../../../modules/platform';
+import type { BranchStatus } from '../../../types';
+
 export function getReconfigureBranchName(prefix: string): string {
   return `${prefix}reconfigure`;
 }
+
+export async function setBranchStatus(
+  branchName: string,
+  description: string,
+  state: BranchStatus,
+  context?: string | null,
+): Promise<void> {
+  if (!is.nonEmptyString(context)) {
+    // already logged this case when validating the status check
+    return;
+  }
+
+  await platform.setBranchStatus({
+    branchName,
+    context,
+    description,
+    state,
+  });
+}

lib/workers/repository/reconfigure/validate.ts

@@ -7,33 +7,13 @@ import { logger } from '../../../logger';
 import { platform } from '../../../modules/platform';
 import { ensureComment } from '../../../modules/platform/comment';
 import { scm } from '../../../modules/platform/scm';
-import type { BranchStatus } from '../../../types';
 import { getCache } from '../../../util/cache/repository';
 import { readLocalFile } from '../../../util/fs';
 import { getBranchCommit } from '../../../util/git';
 import { regEx } from '../../../util/regex';
 import { detectConfigFile } from '../init/merge';
 import { setReconfigureBranchCache } from './reconfigure-cache';
-import { getReconfigureBranchName } from './utils';
-
-async function setBranchStatus(
-  branchName: string,
-  description: string,
-  state: BranchStatus,
-  context?: string | null,
-): Promise<void> {
-  if (!is.nonEmptyString(context)) {
-    // already logged this case when validating the status check
-    return;
-  }
-
-  await platform.setBranchStatus({
-    branchName,
-    context,
-    description,
-    state,
-  });
-}
+import { getReconfigureBranchName, setBranchStatus } from './utils';
 
 export async function validateReconfigureBranch(
   config: RenovateConfig,

tools/docker/Dockerfile

@@ -5,19 +5,19 @@ ARG BASE_IMAGE_TYPE=slim
 # --------------------------------------
 # slim image
 # --------------------------------------
-FROM ghcr.io/renovatebot/base-image:9.60.4@sha256:b3025a0b36c9145ef3b1b77673b9b68af195db6b3fdd3dca141107966f923bab AS slim-base
+FROM ghcr.io/renovatebot/base-image:9.60.6@sha256:8e7b476e6b508ffd08d74632b3f6b64ca4118cc3b457871b00cc5f0069ca44fb AS slim-base
 
 # --------------------------------------
 # full image
 # --------------------------------------
-FROM ghcr.io/renovatebot/base-image:9.60.4-full@sha256:b7da237fee364b0bb3d64ad2eaa4c9627d4b76c17e9db357bb4380384b212037 AS full-base
+FROM ghcr.io/renovatebot/base-image:9.60.6-full@sha256:b97f67869b56b614f015de8bb7adb587b8cbf10d86dcffa5dd04d0213441a682 AS full-base
 
 ENV RENOVATE_BINARY_SOURCE=global
 
 # --------------------------------------
 # build image
 # --------------------------------------
-FROM --platform=$BUILDPLATFORM ghcr.io/renovatebot/base-image:9.60.4@sha256:b3025a0b36c9145ef3b1b77673b9b68af195db6b3fdd3dca141107966f923bab AS build
+FROM --platform=$BUILDPLATFORM ghcr.io/renovatebot/base-image:9.60.6@sha256:8e7b476e6b508ffd08d74632b3f6b64ca4118cc3b457871b00cc5f0069ca44fb AS build
 
 # We want a specific node version here
 # renovate: datasource=github-releases packageName=containerbase/node-prebuild versioning=node