docs: added docs for migrating encrypted secrets (#30132)

Co-authored-by: Rhys Arkins <rhys@arkins.net>
Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com>

docs/usage/getting-started/app-secrets.md

+# Using secrets with Mend cloud Apps
+
+The information on this page is for the Mend-hosted cloud apps:
+
+- Renovate App on GitHub
+- Mend App on Bitbucket
+
+If you self-host, you can skip reading this page.
+
+## Migrate secrets in your Renovate config file!
+
+The Mend-hosted cloud app will stop reading secrets from the Renovate config file in your repository on 01-Oct-2024.
+You must migrate any secrets you currently keep in the Renovate config file, and put them in the app settings page on [developer.mend.io](https://developer.mend.io).
+To add secrets you must have admin-level rights.
+
+Read [Migrating encrypted secrets from Repo Config to App Settings](migrating-secrets.md) to learn more.
+
+## Managing secrets for the Mend-hosted cloud apps
+
+This section explains how you manage secrets for the Mend-hosted cloud apps.
+If you self-host you do not need this section.
+
+### Adding a secret
+
+To add a secret for the Mend cloud app:
+
+1. Go to the web UI at [developer.mend.io](https://developer.mend.io).
+2. Open your organization/repository settings.
+3. Put the secret in the _Credentials_ section:
+
+   ![Credentials settings page](../assets/images/app-settings/app-credentials.png)
+
+4. Reference the secret from Renovate config files inside the repo.
+
+   ```json
+   {
+     "hostRules": [
+       {
+         "matchHost": "github.com",
+         "token": "{{ secrets.MY-ORG-SECRET-1 }}"
+       }
+     ]
+   }
+   ```
+
+## Organization secrets vs repository secrets
+
+### Secret scope
+
+Secrets can be scoped to your organization _or_ to your repository:
+
+| Secret scoped to your | What will happen?                                              |
+| --------------------- | -------------------------------------------------------------- |
+| Organization          | Secrets are inherited by all repositories in your organization |
+| Repository            | Secrets are referenced by that repository only                 |
+
+### Make changes on the right page
+
+The web UI has _two_ settings pages.
+One page is for the organization, and the other page is for the repository.
+
+Make sure you're making the changes on the right page!
+
+### Example
+
+![Credentials from the repository settings page](../assets/images/app-settings/org-and-repo-secrets.png)
+
+The screenshot shows inherited organization secrets and specific repository secrets.
+
+### Managing organization-level secrets
+
+The **Installed Repositories** table means you are on your organization's page.
+Select the _Settings_ button to manage your organization secrets:
+
+![organization settings button](../assets/images/app-settings/org-settings-button.png)
+
+### Managing repository-level secrets
+
+The **Recent jobs** table means you are on your repository's page.
+Select the _Settings_ button to manage your repository secrets:
+
+![repository settings button](../assets/images/app-settings/repo-settings-button.png)

docs/usage/getting-started/migrating-secrets.md

+# Migrating Secrets from Repo Config to App Settings
+
+On 01-Oct-2024 the Mend Renovate cloud apps will stop reading any encrypted secrets from the Renovate configuration file on your repository.
+Previously, you could encrypt a secret with the [Renovate encryption tool](https://app.renovatebot.com/encrypt) and then put it in your Renovate config file.
+Going forward, all secrets must be stored in the App settings on the cloud.
+They can be referenced from the Renovate config files inside the repo using `{{ secrets.SECRET_NAME }}` notation.
+
+```json title "Deprecated: example of encrypted secrets in Renovate config"
+{
+  "hostRules": [
+    {
+      "matchHost": "github.com",
+      "encrypted": {
+        "token": "drsMDVf6M2hTZCN......+gQm/0Rpw"
+      }
+    }
+  ]
+}
+```
+
+```json "Correct method: reference app secrets in the Renovate config"
+{
+  "hostRules": [
+    {
+      "matchHost": "github.com",
+      "token": "{{ secrets.GITHUB_COM_TOKEN }}"
+    }
+  ]
+}
+```
+
+<!-- prettier-ignore -->
+!!! tip "Migrate your secrets in encrypted form"
+    Mend recommends that you copy your secrets in their _encrypted_ form when you migrate.
+    The web UI will decrypt and store the value securely.
+    Do not change the secret during the migration, as this introduces an extra point of failure.
+    After the migration you can of course change/rotate the secret.
+
+## Migrating encrypted secrets using the encrypted value
+
+1. Copy the encrypted secret from your Renovate config file.
+
+2. Go to the correct settings page for your organization or repository in the web UI at [developer.mend.io](https://developer.mend.io).
+
+3. On the **Credentials** page, select `ADD SECRET` to add the encrypted secret.
+
+4. Give a value for `Secret name`, paste the encrypted secret into the `Secret Value` field, and select `SAVE`.
+
+   > [!NOTE]
+   >
+   > When you migrate a secret from a repository, make sure you are adding the secret to the _same_ organization or repository for which you generated the secret!
+   >
+   > - A secret generated for a specific repository can only be added to that _same_ repository.
+   >   - A secret generated for a specific repository can only be added to the repository settings for the matching repository. This secret can _not_ be added to the organization's settings.
+   >   - A secret generated without a specific repository _can_ be added into the organization _or_ into the repository settings under that organization.
+
+   When you try to add a secret in the wrong place, the settings UI will help you:
+
+   ![Migrating secrets error](../assets/images/app-settings/encrypted-secrets-error.png)
+
+5. When you see the confirmation box with the text: **“Successfully migrated secret”**, your secret is now stored in the correct organization or repository.
+
+![Successfully migrated secret](../assets/images/app-settings/stored-secret-encrypted.png)
+
+> [!IMPORTANT]
+>
+> If the confirmation box does _not_ say **“Successfully migrated secret”**, but says: **“Successfully stored secret”** then the secret was not detected as a Renovate encrypted secret, and the value was treated as plaintext.
+> If you were expecting to import a secret originally encrypted by Renovate:
+>
+> - Make sure you are pasting the secret into the correct organization or repository
+> - Check that you copied the encrypted secret correctly, and try again.
+
+## To migrate encrypted secrets using the plain text value
+
+1. Go to the settings for the correct organization or repository in the web UI at [developer.mend.io](https://developer.mend.io).
+
+2. On the **Credentials** page, select `ADD SECRET` to add the plaintext secret.
+
+   ![Add repo secret](../assets/images/app-settings/add-repo-secret.png)
+
+3. Give a value for `Secret name`, paste the plaintext secret into the `Secret Value` field, and select `SAVE`.
+
+   ![Add a Secret dialog box](../assets/images/app-settings/add-a-secret.png)
+
+4. Wait for the confirmation dialog: **“Successfully stored secret”**.
+
+   ![Successfully stored secret](../assets/images/app-settings/stored-secret-plaintext.png)
+
+## Related links
+
+- [Using Secrets with Mend Cloud Apps](app-secrets.md)

docs/usage/getting-started/private-packages.md

@@ -585,30 +585,33 @@ The solution to this is that you should break your presets into public and priva
 It is strongly recommended that you avoid committing secrets to repositories, including private ones, and this includes secrets needed by Renovate to access private modules.
 The preferred approach to secrets is that the bot administrator configures them as `hostRules` which are then applied to all repositories which the bot accesses.
 
+<!-- prettier-ignore -->
+!!! warning "Store secrets for your Mend-hosted app via the web UI"
+    Mend no longer supports putting encrypted secrets in the Renovate config file on your repository.
+    Going forward, all secrets must be stored in the App settings via the web UI.
+    If you have encrypted secrets in your Renovate config, you must migrate them to the web UI.
+    Read [Migrating Secrets from Repo Config to App Settings](migrating-secrets.md) to learn how.
+
 If you need to provide credentials to the Mend Renovate App, please do this:
 
-- Encrypt each secret string using <https://app.renovatebot.com/encrypt>. Note: this encrypts using the app's public key fully in the browser and does not send the original secret to any server. You can download this file and perform the encryption fully offline if you like.
-- Wrap each secret field in an [encrypted](../configuration-options.md#encrypted) object and paste in the encrypted secret value instead. An example is shown below:
+1. Add each secret string in the Credentials section of Organisation or Repository settings in the web UI at [http://developer.mend.io](http://developer.mend.io).
 
-```json
-{
-  "hostRules": [
-    {
-      "matchHost": "registry.npmjs.org",
-      "encrypted": {
-        "token": "3f832f2983yf89hsd98ahadsjfasdfjaslf............"
-      }
-    },
-    {
-      "matchHost": "https://custom.registry.company.com/pypi/",
-      "username": "bot1",
-      "encrypted": {
-        "password": "p278djfdsi9832jnfdshufwji2r389fdskj........."
-      }
-    }
-  ]
-}
-```
+   ![Organization and repository secrets on the credentials settings page](../assets/images/app-settings/org-and-repo-secrets.png)
+
+2. Reference secrets inside your Renovate config files with notation: `{{ secrets.YOUR_SECRET }}`.
+
+   ```json
+   {
+     "hostRules": [
+       {
+         "matchHost": "github.com",
+         "token": "{{ secrets.GITHUB_COM_TOKEN }}"
+       }
+     ]
+   }
+   ```
+
+For more details, see [Using Secrets with Mend Cloud Apps](app-secrets.md).
 
 ### Access to GitHub Actions Secrets