Announcement: Encrypted Secrets will be disabled in Mend-hosted Renovate Apps

[justo-mend]

Tell us more.

Summary

• On Tuesday, 7 Jan 2025 at around 9am CET, the private key required for decrypting secrets will be removed from the Mend-hosted apps for 48 hours.
• On Tuesday, 14 Jan 2025, the private key will be removed permanently.

If you have encrypted secrets in your Renovate config, you must migrate the secrets to the Developer Portal UI, or Renovate will stop running on your repo when using Mend-hosted Renovate Apps. (Renovate App on GitHub.com, Mend App on Bitbucket and Azure Dev Ops)

Background

In July 2024 Mend announced that the ability to use encrypted secrets in Developer Platform is deprecated and will be eliminated by 1-Oct-2024.

• Alerts were created in the Dependency Dashboard, which appeared in the Dashboard Issue on the repo, plus the Developer Portal Repo page.
• Documentation was provided in docs.renovatebot.com to assist users with migrating secrets from the repo config file to the Developer Portal.

After the original date passed, there were over 9,000 repos that were still using encrypted secrets. Because of this, it was decided to delay fully disabling encrypted secrets until more repos had removed the encrypted secrets.

Plan Details

Brown-out Plan

Step 1: Remove private key for 48 hours

On Tuesday, 7 Jan 2025 at around 9am CET, the private key required for decrypting secrets will be removed from the Developer Platform backend (Renovate Cloud).
Renovate jobs that run after this time will fail if the renovate config file (eg. renovate.json) contains encrypted secrets. An issue will be created in the failing repo with subject “Action Required: Configuration Error” and will indicate that the Renovate job failed because the encrypted secret was invalid.
It is hoped that repo users with encrypted secrets will notice this issue and migrate their encrypted secrets from the Renovate config file to the Developer Portal.

Monitoring and Rollback

The Renovate team will monitor jobs, messages and the Renovate GitHub website for indications of widespread mayhem. If it appears that the brown-out is causing too much hardship, the team will immediately restore the private key to Developer Platform.

Step 2: Restore private key

48 hours later, the private key will be restored to the Developer Platform backend, allowing jobs with encrypted secrets to run successfully. The Action Required issue created the day before will be auto-closed.

Fully Disabling Encrypted Secrets

Provided there was no unforeseen mayhem, the Renovate team will remove the private key from Developer Platform on Tuesday, 14 Jan 2025.
This removal is expected to be final. From that point on, repos with encrypted secrets in the Renovate config file will continue to fail.