Configuring Renovate to fail when it can not authenticate

[thesnapdragon]

What would you like help with?

I would like help with my configuration

How are you running Renovate?

Self-hosted

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

Azure DevOps

Please tell us more about your question or problem

Hello Renovate Team,

we use Renovate in Azure DevOps and recently had a problem. I will describe the incident:

1. Because of an error, the JFrog Artifactory password was not injected correctly in the Renovate Azure DevOps task, so it became empty string.
2. We did not notice the issue, because Renovate ran successfully. It did not even log out any error / warning / info logs. (I attached a log that shows a successful running with no credentials.)
3. Our user account on JFrog Artifactory became banned because of the continuous retries by Renovate.

Our Azure DevOps task is defined like this:

          - bash: |
              git config --global user.email 'bot@renovateapp.com'
              git config --global user.name 'Renovate Bot'
              RENOVATE_CONFIG_FILE=config/renovate/config.js npx renovate
            displayName: "⏳ Run Renovate"
            env:
              RENOVATE_TOKEN: $(System.AccessToken)
              ARTIFACTORY_USER: $(ARTIFACTORY_USER)
              ARTIFACTORY_API_KEY: $(ARTIFACTORY_API_KEY)
              ARTIFACTORY_URL: $(ARTIFACTORY_URL)

Is it possible to make Renovate fail when it can not authenticate against the repositories? This way the authentication issue could be spotted sooner and could be avoided to ban repository users.

Logs (if relevant)

Logs

2024-08-13T12:40:01.6707180Z ##[section]Starting: ⏳ Run Renovate
2024-08-13T12:40:01.6713123Z ==============================================================================
2024-08-13T12:40:01.6713311Z Task         : Bash
2024-08-13T12:40:01.6713370Z Description  : Run a Bash script on macOS, Linux, or Windows
2024-08-13T12:40:01.6713462Z Version      : 3.241.1
2024-08-13T12:40:01.6713521Z Author       : Microsoft Corporation
2024-08-13T12:40:01.6713611Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/bash
2024-08-13T12:40:01.6713700Z ==============================================================================
2024-08-13T12:40:01.8568333Z Generating script.
2024-08-13T12:40:01.8605077Z ========================== Starting Command Output ===========================
2024-08-13T12:40:01.8638523Z [command]/usr/bin/bash /home/vsts/work/_temp/ae63e406-e806-4c31-9b51-e59745ddfaca.sh
2024-08-13T12:40:04.3770670Z npm warn exec The following package was not found and will be installed: renovate@38.26.1
2024-08-13T12:40:47.6240219Z npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
2024-08-13T12:40:49.1577927Z npm warn deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported
2024-08-13T12:40:52.7851335Z npm warn deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported
2024-08-13T12:41:07.9960772Z DEBUG: Using RE2 regex engine
2024-08-13T12:41:07.9961263Z DEBUG: Parsing configs
2024-08-13T12:41:07.9961417Z DEBUG: Checking for config file in config/renovate/config.js
2024-08-13T12:41:08.0313606Z DEBUG: File config
2024-08-13T12:41:08.0313955Z        "config": {
2024-08-13T12:41:08.0314114Z          "platform": "azure",
2024-08-13T12:41:08.0314246Z          "endpoint": "https://dev.azure.com/<COMPANY_NAME>/",
2024-08-13T12:41:08.0315198Z          "repositories": ["<COMPANY_NAME>.uapc-adint/sales-prediction-services"],
2024-08-13T12:41:08.0315388Z          "token": "***********",
2024-08-13T12:41:08.0315804Z          "onboarding": false,
2024-08-13T12:41:08.0315975Z          "requireConfig": "optional",
2024-08-13T12:41:08.0316286Z          "hostRules": [
2024-08-13T12:41:08.0316488Z            {
2024-08-13T12:41:08.0317159Z              "matchHost": "<COMPANY_NAME>.jfrog.io",
2024-08-13T12:41:08.0317472Z              "hostType": "pypi",
2024-08-13T12:41:08.0317612Z              "username": "",
2024-08-13T12:41:08.0317744Z              "password": "***********"
2024-08-13T12:41:08.0317880Z            }
2024-08-13T12:41:08.0318143Z          ],
2024-08-13T12:41:08.0318274Z          "packageRules": [
2024-08-13T12:41:08.0318383Z            {
2024-08-13T12:41:08.0318502Z              "matchDatasources": ["pypi"],
2024-08-13T12:41:08.0318719Z              "registryUrls": [
2024-08-13T12:41:08.0318909Z                "https://**redacted**@<COMPANY_NAME>.jfrog.io/artifactory/api/pypi/pypi/simple"
2024-08-13T12:41:08.0319279Z              ]
2024-08-13T12:41:08.0319563Z            },
2024-08-13T12:41:08.0319668Z            {
2024-08-13T12:41:08.0319916Z              "matchDepTypes": ["dev-dependencies"],
2024-08-13T12:41:08.0320146Z              "autoApprove": true,
2024-08-13T12:41:08.0320294Z              "automerge": true,
2024-08-13T12:41:08.0320425Z              "platformAutomerge": true
2024-08-13T12:41:08.0320558Z            }
2024-08-13T12:41:08.0320656Z          ],
2024-08-13T12:41:08.0320788Z          "enabledManagers": ["poetry"],
2024-08-13T12:41:08.0320920Z          "prConcurrentLimit": 2,
2024-08-13T12:41:08.0321053Z          "updatePinnedDependencies": false
2024-08-13T12:41:08.0321154Z        }
2024-08-13T12:41:08.0322820Z DEBUG: CLI config
2024-08-13T12:41:08.0322949Z        "config": {}
2024-08-13T12:41:08.0330212Z DEBUG: Env config
2024-08-13T12:41:08.0330534Z        "config": {"hostRules": [], "token": "***********"}
2024-08-13T12:41:08.0341581Z DEBUG: Combined config
2024-08-13T12:41:08.0341973Z        "config": {
2024-08-13T12:41:08.0342662Z          "platform": "azure",
2024-08-13T12:41:08.0342796Z          "endpoint": "https://dev.azure.com/<COMPANY_NAME>/",
2024-08-13T12:41:08.0343309Z          "repositories": ["<COMPANY_NAME>.uapc-adint/sales-prediction-services"],
2024-08-13T12:41:08.0343459Z          "token": "***********",
2024-08-13T12:41:08.0343595Z          "onboarding": false,
2024-08-13T12:41:08.0343711Z          "requireConfig": "optional",
2024-08-13T12:41:08.0343839Z          "hostRules": [
2024-08-13T12:41:08.0344109Z            {
2024-08-13T12:41:08.0344242Z              "matchHost": "<COMPANY_NAME>.jfrog.io",
2024-08-13T12:41:08.0344518Z              "hostType": "pypi",
2024-08-13T12:41:08.0344643Z              "username": "",
2024-08-13T12:41:08.0345070Z              "password": "***********"
2024-08-13T12:41:08.0345190Z            }
2024-08-13T12:41:08.0346258Z          ],
2024-08-13T12:41:08.0346380Z          "packageRules": [
2024-08-13T12:41:08.0346506Z            {
2024-08-13T12:41:08.0346644Z              "matchDatasources": ["pypi"],
2024-08-13T12:41:08.0346988Z              "registryUrls": [
2024-08-13T12:41:08.0347359Z                "https://**redacted**@<COMPANY_NAME>.jfrog.io/artifactory/api/pypi/pypi/simple"
2024-08-13T12:41:08.0347505Z              ]
2024-08-13T12:41:08.0347612Z            },
2024-08-13T12:41:08.0347709Z            {
2024-08-13T12:41:08.0348210Z              "matchDepTypes": ["dev-dependencies"],
2024-08-13T12:41:08.0440851Z              "autoApprove": true,
2024-08-13T12:41:08.0441014Z              "automerge": true,
2024-08-13T12:41:08.0441124Z              "platformAutomerge": true
2024-08-13T12:41:08.0441237Z            }
2024-08-13T12:41:08.0441319Z          ],
2024-08-13T12:41:08.0441435Z          "enabledManagers": ["poetry"],
2024-08-13T12:41:08.0441548Z          "prConcurrentLimit": 2,
2024-08-13T12:41:08.0441663Z          "updatePinnedDependencies": false
2024-08-13T12:41:08.0441781Z        }
<SHORTENED ...>
2024-08-13T12:41:13.2910854Z DEBUG: hostRules: applying Basic authentication for <COMPANY_NAME>.jfrog.io (repository=<COMPANY_NAME>.uapc-adint/sales-prediction-services)
2024-08-13T12:41:13.2923521Z DEBUG: Using queue: host=<COMPANY_NAME>.jfrog.io, concurrency=16 (repository=<COMPANY_NAME>.uapc-adint/sales-prediction-services)
2024-08-13T12:41:13.4318795Z DEBUG: GET https://**redacted**@<COMPANY_NAME>.jfrog.io/artifactory/api/pypi/pypi/simple/more-itertools/ = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=401 retryCount=0, duration=129) (repository=<COMPANY_NAME>.uapc-adint/sales-prediction-services)
2024-08-13T12:41:13.4319883Z DEBUG: Datasource unauthorized (repository=<COMPANY_NAME>.uapc-adint/sales-prediction-services)
2024-08-13T12:41:13.4320275Z        "datasource": "pypi",
2024-08-13T12:41:13.4320748Z        "packageName": "more-itertools",
2024-08-13T12:41:13.4321626Z        "url": "https://**redacted**@<COMPANY_NAME>.jfrog.io/artifactory/api/pypi/pypi/simple/more-itertools/"
2024-08-13T12:41:13.4322173Z DEBUG: Failed to look up pypi package more-itertools (repository=<COMPANY_NAME>.uapc-adint/sales-prediction-services, packageFile=pyproject.toml, dependency=more-itertools)
<SHORTENED ...>
2024-08-13T12:41:13.9106969Z DEBUG: packageFiles with updates (repository=<COMPANY_NAME>.uapc-adint/sales-prediction-services, baseBranch=master)
2024-08-13T12:41:13.9107386Z        "config": {
2024-08-13T12:41:13.9107765Z          "poetry": [
2024-08-13T12:41:13.9107955Z            {
2024-08-13T12:41:13.9108128Z              "deps": [
2024-08-13T12:41:13.9108310Z                {
2024-08-13T12:41:13.9108587Z                  "datasource": "github-releases",
2024-08-13T12:41:13.9108842Z                  "currentValue": ">=3.10.12,<3.11",
2024-08-13T12:41:13.9109213Z                  "managerData": {"nestedVersion": false},
2024-08-13T12:41:13.9109427Z                  "versioning": "pep440",
2024-08-13T12:41:13.9109610Z                  "depName": "python",
2024-08-13T12:41:13.9110079Z                  "depType": "dependencies",
2024-08-13T12:41:13.9110412Z                  "packageName": "containerbase/python-prebuild",
2024-08-13T12:41:13.9110659Z                  "commitMessageTopic": "Python",
2024-08-13T12:41:13.9110849Z                  "registryUrls": null,
2024-08-13T12:41:13.9111154Z                  "skipReason": "github-token-required",
2024-08-13T12:41:13.9111354Z                  "updates": []
2024-08-13T12:41:13.9111541Z                },
2024-08-13T12:41:13.9111715Z                {
2024-08-13T12:41:13.9111911Z                  "datasource": "pypi",
2024-08-13T12:41:13.9112112Z                  "currentValue": "*",
2024-08-13T12:41:13.9112318Z                  "managerData": {"nestedVersion": false},
2024-08-13T12:41:13.9112530Z                  "versioning": "poetry",
2024-08-13T12:41:13.9112796Z                  "depName": "more-itertools",
2024-08-13T12:41:13.9113015Z                  "depType": "dependencies",
2024-08-13T12:41:13.9113218Z                  "lockedVersion": "10.4.0",
2024-08-13T12:41:13.9113414Z                  "updates": [],
2024-08-13T12:41:13.9113673Z                  "packageName": "more-itertools",
2024-08-13T12:41:13.9113886Z                  "warnings": [
2024-08-13T12:41:13.9114054Z                    {
2024-08-13T12:41:13.9114318Z                      "topic": "more-itertools",
2024-08-13T12:41:13.9114633Z                      "message": "Failed to look up pypi package more-itertools"
2024-08-13T12:41:13.9114852Z                    }
2024-08-13T12:41:13.9115009Z                  ]
2024-08-13T12:41:13.9115186Z                },
2024-08-13T12:41:13.9118734Z                <SHORTENED ...>
2024-08-13T12:41:13.9317204Z              ],
2024-08-13T12:41:13.9317317Z              "packageFileVersion": "0.1.0",
2024-08-13T12:41:13.9317457Z              "registryUrls": [
2024-08-13T12:41:13.9317604Z                "https://<COMPANY_NAME>.jfrog.io/artifactory/api/pypi/pypi/simple"
2024-08-13T12:41:13.9317754Z              ],
2024-08-13T12:41:13.9317882Z              "extractedConstraints": {"python": ">=3.10.12,<3.11"},
2024-08-13T12:41:13.9318043Z              "lockFiles": ["poetry.lock"],
2024-08-13T12:41:13.9318174Z              "packageFile": "pyproject.toml"
2024-08-13T12:41:13.9318300Z            }
2024-08-13T12:41:13.9318392Z          ]
2024-08-13T12:41:13.9320532Z        }
<SHORTENED ....>
2024-08-13T12:41:23.9204126Z ##[section]Finishing: ⏳ Run Renovate

[HonkingGoose]

Limit request rate and wait time manually

These config options allow you to limit the requests per second, and wait time after a failed request:

• Renovate docs, maxRequestsPerSecond
• Renovate docs, maxRetryAfter

Set hard limits for JFrog Artifactory?

Maybe we should add JFrog Artifactory to this issue, and put in some hard limits on the number of requests Renovate is allowed to fire at it?

• Apply default rate limits for hosts/registries with known rate limit needs #27802

Let Renovate error out on empty password field?

Because of an error, the JFrog Artifactory password were not injected correctly in the Renovate Azure DevOps task, so they became empty strings.

I don't know if Renovate can (or even should) check if the password field is empty?

[thesnapdragon]

Thank you for your answer, with these configs one can implement a workaround to not get banned in case of authentication issues. However this does not solve the underlying issue nor makes it visible.

My main problem is, that

• Renovate did not log any warning / error message, so the authentication problem remained hidden.
• The command npx renovate ran successfully, however it could not even check the package versions because of the authentication issue. I could imagine in this case an other return value than 0.

I am searching for solution to be notified about authentication issues / failing Renovate runs. Is there a way to spot erroneous Renovate configs easier?