From 91842073ef58bf51ff9f492c8fce24c81f09fb23 Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Wed, 16 Jun 2021 16:02:07 +0200
Subject: [PATCH] fix(secrets): fix host-rules in repo config (#10459)

---
 lib/config/secrets.ts                | 11 +++++++----
 lib/workers/repository/init/merge.ts |  5 +++++
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/lib/config/secrets.ts b/lib/config/secrets.ts
index bb1bfd2481..c9eee725a6 100644
--- a/lib/config/secrets.ts
+++ b/lib/config/secrets.ts
@@ -113,12 +113,15 @@ function replaceSecretsinObject(
   return config;
 }
 
-export function applySecretsToConfig(config: RenovateConfig): RenovateConfig {
+export function applySecretsToConfig(
+  config: RenovateConfig,
+  secrets = config.secrets
+): RenovateConfig {
   // Add all secrets to be sanitized
-  if (is.plainObject(config.secrets)) {
-    for (const secret of Object.values(config.secrets)) {
+  if (is.plainObject(secrets)) {
+    for (const secret of Object.values(secrets)) {
       add(String(secret));
     }
   }
-  return replaceSecretsinObject(config, config.secrets);
+  return replaceSecretsinObject(config, secrets);
 }
diff --git a/lib/workers/repository/init/merge.ts b/lib/workers/repository/init/merge.ts
index aee5befe6b..31d2bbffb0 100644
--- a/lib/workers/repository/init/merge.ts
+++ b/lib/workers/repository/init/merge.ts
@@ -8,6 +8,7 @@ import { decryptConfig } from '../../../config/decrypt';
 import { migrateAndValidate } from '../../../config/migrate-validate';
 import { migrateConfig } from '../../../config/migration';
 import * as presets from '../../../config/presets';
+import { applySecretsToConfig } from '../../../config/secrets';
 import { RenovateConfig } from '../../../config/types';
 import {
   CONFIG_VALIDATION,
@@ -218,6 +219,10 @@ export async function mergeRenovateConfig(
     );
     npmApi.setNpmrc(resolvedConfig.npmrc);
   }
+  resolvedConfig = applySecretsToConfig(
+    resolvedConfig,
+    mergeChildConfig(config.secrets || {}, resolvedConfig.secrets || {})
+  );
   // istanbul ignore if
   if (resolvedConfig.hostRules) {
     logger.debug('Setting hostRules from config');
-- 
GitLab