From 9bd101c6d2ef0f45bd5f414b916750ff1b8525d0 Mon Sep 17 00:00:00 2001
From: ALEXIS CARBILLET <49431201+alexiscarbillet@users.noreply.github.com>
Date: Mon, 14 Oct 2024 03:11:04 -0400
Subject: [PATCH 1/2] chore(docs): remove duplicate sentence (#31757)

Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com>
Co-authored-by: Rhys Arkins <rhys@arkins.net>
---
 docs/usage/getting-started/use-cases.md | 2 --
 1 file changed, 2 deletions(-)

diff --git a/docs/usage/getting-started/use-cases.md b/docs/usage/getting-started/use-cases.md
index 932b0d00b0ced9..19c5439059e4b0 100644
--- a/docs/usage/getting-started/use-cases.md
+++ b/docs/usage/getting-started/use-cases.md
@@ -199,8 +199,6 @@ Here's how it works:
 
 #### Benefits of using Dependency Dashboard Approval
 
-Benefits of using Dependency Dashboard Approval:
-
 - By not raising PRs automatically, it allows you to request updates on-demand when you're ready, and
 - It offers you an alternative to permanently ignoring/disabling certain types of updates, like major updates
 

From 5cb107863a1164e8f8d512361bdcc05039208fb8 Mon Sep 17 00:00:00 2001
From: Mykola Rybak <mykola.rybak@gmail.com>
Date: Mon, 14 Oct 2024 10:43:38 +0300
Subject: [PATCH 2/2] feat(manager/copier): propagate Git auth env vars
 (#31931)

---
 lib/modules/manager/copier/artifacts.spec.ts | 53 +++++++++++++++++++-
 lib/modules/manager/copier/artifacts.ts      |  3 ++
 lib/modules/manager/copier/readme.md         | 17 +++++++
 3 files changed, 72 insertions(+), 1 deletion(-)

diff --git a/lib/modules/manager/copier/artifacts.spec.ts b/lib/modules/manager/copier/artifacts.spec.ts
index 9b892e5ee84039..cd3e7df4c65a1f 100644
--- a/lib/modules/manager/copier/artifacts.spec.ts
+++ b/lib/modules/manager/copier/artifacts.spec.ts
@@ -1,7 +1,7 @@
 import { mockDeep } from 'jest-mock-extended';
 import { join } from 'upath';
 import { mockExecAll } from '../../../../test/exec-util';
-import { fs, git, mocked, partial } from '../../../../test/util';
+import { fs, git, hostRules, mocked, partial } from '../../../../test/util';
 import { GlobalConfig } from '../../../config/global';
 import type { RepoGlobalConfig } from '../../../config/types';
 import { logger } from '../../../logger';
@@ -40,6 +40,7 @@ const adminConfig: RepoGlobalConfig = {
 describe('modules/manager/copier/artifacts', () => {
   beforeEach(() => {
     GlobalConfig.set(adminConfig);
+    hostRules.clear();
 
     // Mock git repo status
     git.getRepoStatus.mockResolvedValue(
@@ -125,6 +126,56 @@ describe('modules/manager/copier/artifacts', () => {
       ]);
     });
 
+    it('propagates Git environment from hostRules', async () => {
+      const execSnapshots = mockExecAll();
+
+      hostRules.add({
+        hostType: 'github',
+        matchHost: 'github.com',
+        token: 'abc123',
+      });
+      hostRules.add({
+        hostType: 'git-tags',
+        matchHost: 'gittags.com',
+        username: 'git-tags-user',
+        password: 'git-tags-password',
+      });
+
+      await updateArtifacts({
+        packageFileName: '.copier-answers.yml',
+        updatedDeps: upgrades,
+        newPackageFileContent: '',
+        config: {},
+      });
+
+      expect(execSnapshots).toMatchObject([
+        {
+          cmd: 'copier update --skip-answered --defaults --answers-file .copier-answers.yml --vcs-ref 1.1.0',
+          options: {
+            cwd: '/tmp/github/some/repo',
+            env: {
+              GIT_CONFIG_COUNT: '6',
+              GIT_CONFIG_KEY_0: 'url.https://ssh:abc123@github.com/.insteadOf',
+              GIT_CONFIG_KEY_1: 'url.https://git:abc123@github.com/.insteadOf',
+              GIT_CONFIG_KEY_2: 'url.https://abc123@github.com/.insteadOf',
+              GIT_CONFIG_KEY_3:
+                'url.https://git-tags-user:git-tags-password@gittags.com/.insteadOf',
+              GIT_CONFIG_KEY_4:
+                'url.https://git-tags-user:git-tags-password@gittags.com/.insteadOf',
+              GIT_CONFIG_KEY_5:
+                'url.https://git-tags-user:git-tags-password@gittags.com/.insteadOf',
+              GIT_CONFIG_VALUE_0: 'ssh://git@github.com/',
+              GIT_CONFIG_VALUE_1: 'git@github.com:',
+              GIT_CONFIG_VALUE_2: 'https://github.com/',
+              GIT_CONFIG_VALUE_3: 'ssh://git@gittags.com/',
+              GIT_CONFIG_VALUE_4: 'git@gittags.com:',
+              GIT_CONFIG_VALUE_5: 'https://gittags.com/',
+            },
+          },
+        },
+      ]);
+    });
+
     it('invokes copier update with nested destination and answer file', async () => {
       const execSnapshots = mockExecAll();
 
diff --git a/lib/modules/manager/copier/artifacts.ts b/lib/modules/manager/copier/artifacts.ts
index a89b6ae7bcac3e..5561bf3122230f 100644
--- a/lib/modules/manager/copier/artifacts.ts
+++ b/lib/modules/manager/copier/artifacts.ts
@@ -6,6 +6,7 @@ import { exec } from '../../../util/exec';
 import type { ExecOptions } from '../../../util/exec/types';
 import { readLocalFile } from '../../../util/fs';
 import { getRepoStatus } from '../../../util/git';
+import { getGitEnvironmentVariables } from '../../../util/git/auth';
 import type {
   UpdateArtifact,
   UpdateArtifactsConfig,
@@ -72,10 +73,12 @@ export async function updateArtifacts({
   }
 
   const command = buildCommand(config, packageFileName, newVersion);
+  const gitEnv = getGitEnvironmentVariables(['git-tags']);
   const execOptions: ExecOptions = {
     cwdFile: packageFileName,
     docker: {},
     userConfiguredEnv: config.env,
+    extraEnv: gitEnv,
     toolConstraints: [
       {
         toolName: 'python',
diff --git a/lib/modules/manager/copier/readme.md b/lib/modules/manager/copier/readme.md
index 53db498735db24..fc123821880486 100644
--- a/lib/modules/manager/copier/readme.md
+++ b/lib/modules/manager/copier/readme.md
@@ -5,3 +5,20 @@ Enabling this behavior must be allowed in the [self-hosted configuration](../../
 Actually enable it in the [configuration](../../../configuration-options.md) by setting `ignoreScripts` to `false`.
 
 If you need to change the versioning format, read the [versioning](../../versioning/index.md) documentation to learn more.
+
+### Private Modules Authentication
+
+Before running the `copier` command to update from the template, Renovate exports `git` [`insteadOf`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf) directives in environment variables.
+
+Renovate uses this logic before it updates the template copy:
+
+The token from the `hostRules` entry matching `hostType=github` and `matchHost=api.github.com` is added as the default authentication for `github.com`.
+For those running against `github.com`, this token will be the default platform token.
+
+Next, all `hostRules` with both a token or username/password and `matchHost` will be fetched, except for any `github.com` one from above.
+
+Rules from this list are converted to environment variable directives if they match _any_ of these characteristics:
+
+- No `hostType` is defined, or
+- `hostType` is `git-tags`, or
+- `hostType` is a platform (`github`, `gitlab`, `azure`, etc.)