From 68ce0ed2ad7068a7214bf3a5edf81f54701a75e7 Mon Sep 17 00:00:00 2001
From: RahulGautamSingh <rahultesnik@gmail.com>
Date: Fri, 24 Jan 2025 17:06:13 +0530
Subject: [PATCH] fix(config/inherited): apply secrets (#33779)

---
 lib/workers/repository/init/inherited.spec.ts | 25 +++++++++++++++++++
 lib/workers/repository/init/inherited.ts      |  3 +++
 2 files changed, 28 insertions(+)

diff --git a/lib/workers/repository/init/inherited.spec.ts b/lib/workers/repository/init/inherited.spec.ts
index 5808c82d53..c375edee9c 100644
--- a/lib/workers/repository/init/inherited.spec.ts
+++ b/lib/workers/repository/init/inherited.spec.ts
@@ -25,6 +25,7 @@ describe('workers/repository/init/inherited', () => {
       inheritConfigFileName: 'config.json',
       inheritConfigStrict: false,
     };
+    hostRules.clear();
   });
 
   it('should return the same config if repository or inheritConfig is not defined', async () => {
@@ -112,6 +113,30 @@ describe('workers/repository/init/inherited', () => {
     expect(res.hostRules).toBeUndefined();
   });
 
+  it('should apply secrets to inherited config', async () => {
+    platform.getRawFile.mockResolvedValue(
+      `{
+        "hostRules": [
+          {
+            "matchHost": "some-host-url",
+            "token": "{{ secrets.SECRET_TOKEN }}"
+          }
+        ]
+      }`,
+    );
+    const res = await mergeInheritedConfig({
+      ...config,
+      secrets: { SECRET_TOKEN: 'some-secret-token' },
+    });
+    expect(hostRules.getAll()).toMatchObject([
+      {
+        matchHost: 'some-host-url',
+        token: 'some-secret-token',
+      },
+    ]);
+    expect(res.hostRules).toBeUndefined();
+  });
+
   it('should resolve presets found in inherited config', async () => {
     platform.getRawFile.mockResolvedValue(
       '{"onboarding":false,"labels":["test"],"extends":[":automergeAll"]}',
diff --git a/lib/workers/repository/init/inherited.ts b/lib/workers/repository/init/inherited.ts
index da497ca5ae..aa7266d708 100644
--- a/lib/workers/repository/init/inherited.ts
+++ b/lib/workers/repository/init/inherited.ts
@@ -3,6 +3,7 @@ import { dequal } from 'dequal';
 import { mergeChildConfig, removeGlobalConfig } from '../../../config';
 import { parseFileConfig } from '../../../config/parse';
 import { resolveConfigPresets } from '../../../config/presets';
+import { applySecretsToConfig } from '../../../config/secrets';
 import type { RenovateConfig } from '../../../config/types';
 import { validateConfig } from '../../../config/validation';
 import {
@@ -105,6 +106,7 @@ export async function mergeInheritedConfig(
   }
 
   if (is.nullOrUndefined(filteredConfig.extends)) {
+    filteredConfig = applySecretsToConfig(filteredConfig, config.secrets ?? {});
     setInheritedHostRules(filteredConfig);
     return mergeChildConfig(config, filteredConfig);
   }
@@ -141,6 +143,7 @@ export async function mergeInheritedConfig(
     );
   }
 
+  filteredConfig = applySecretsToConfig(filteredConfig, config.secrets ?? {});
   setInheritedHostRules(filteredConfig);
   return mergeChildConfig(config, filteredConfig);
 }
-- 
GitLab