gitNoVerify not being used for branch deletion

[rarkins]

Discussed in #29468

^{Originally posted by re-source-tech June 6, 2024}

What would you like help with?

I would like help with my configuration

How are you running Renovate?

Self-hosted

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

platform: 'azure', renovate@37.392.0

Please tell us more about your question or problem

I placed the global configuration file config.js in a devops repository and placed the repository configuration file renovate.json5 in the application repository. I want to disable pre-push hook.

config.js

module.exports = {
    platform: 'azure',
    endpoint: 'https://dev.azure.com/my-org/',
    token: process.env.AZURE_REPO_TOKEN,
    repositories: [ // list of repos that should be watched by renovate bot
        'my-project/my-apps'
    ],
    gitNoVerify: ["commit", "push"] // passes the `--no-verify` flag to `git commit` and `git push`
};

renovate.json5

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "enabledManagers": ["npm", "nodenv", "nvm", "bun", "meteor"], // Most managers are enabled by default. We currently only enable JavaScript and Node.js
  "azureWorkItemId": 3022, // used in the pull request
  "packageRules": [
    {
      "matchManagers": ["npm", "nodenv", "nvm", "bun", "meteor"],
      "groupName": "Package dependencies update" // All updates sharing the same groupName will be placed into the same branch/PR.
    }
  ],
  "labels":["renovate", "dependencies"],
  "reviewers": [
    "required:Dev Team",
    "required:DevOps Team"
  ],
  "azure-pipelines": { // enable Azure Pipelines support
    "enabled": true
  },
  "baseBranches": [ // the target branch of the PR
    "feature/3022-renovate-pipeline"
  ],
  "extends": [
    "config:best-practices"
  ],
  "prConcurrentLimit": 5, // Limit to a maximum of 5 concurrent branches/PRs
  "prHourlyLimit": 5,     // Rate limit PRs to maximum 5 created per hour
  "commitMessagePrefix": "3022 feature: ", // Prefix to add to start of commit messages and PR titles
  "semanticCommits": "disabled", // Renovate autodetects if your repository is already using semantic commits or not and follows suit, disable it to have customized commit prefix
  "osvVulnerabilityAlerts": true, // Use vulnerability alerts from https://osv.dev/
  "vulnerabilityAlerts": {
    "groupName": "vulnerabilityAlerts",
    "addLabels": ["renovate", "security", "vulnerability"]
  }
}

Logs (if relevant)

Logs

 INFO: Deleting orphan branch (repository=my-project/my-apps, branch=renovate/babel-eslint-replacement)
DEBUG: Git function thrown (repository=my-project/my-apps)
       "err": {
         "task": {
           "commands": [
             "push",
             "--delete",
             "origin",
             "renovate/babel-eslint-replacement"
           ],
           "format": "utf-8",
           "parser": "[function]"
         },
         "message": "husky - pre-push hook exited with code 1 (error)\n\nnode:internal/process/esm_loader:40\n      internalBinding('errors').triggerUncaughtException(\n                                ^\nError: Required package missing from disk. If you keep your packages inside your repository then restarting the Node process may be enough. Otherwise, try to run an install first.\n\nMissing package: lint-staged@npm:13.2.0\nExpected package location: /tmp/renovate/repos/azure/my-project/my-apps/.yarn/cache/lint-staged-npm-13.2.0-204330f6dc-dcaa8fbbde.zip/node_modules/lint-staged/\n\n    at makeError (/tmp/renovate/repos/azure/my-project/my-apps/.pnp.cjs:50643:34)\n    at resolveUnqualified (/tmp/renovate/repos/azure/my-project/my-apps/.pnp.cjs:52157:17)\n    at resolveRequest (/tmp/renovate/repos/azure/my-project/my-apps/.pnp.cjs:52209:14)\n    at Object.resolveRequest (/tmp/renovate/repos/azure/my-project/my-apps/.pnp.cjs:52265:26)\n    at resolve$1 (file:///tmp/renovate/repos/azure/my-project/my-apps/.pnp.loader.mjs:1991:25)\n    at nextResolve (node:internal/modules/esm/hooks:864:28)\n    at Hooks.resolve (node:internal/modules/esm/hooks:302:30)\n    at MessagePort.handleMessage (node:internal/modules/esm/worker:196:24)\n    at [nodejs.internal.kHybridDispatch] (node:internal/event_target:786:20)\n    at exports.emitMessage (node:internal/per_context/messageport:23:28)\n\nNode.js v18.20.3\nerror: failed to push some refs to 'https://dev.azure.com/my-org/my-project/_git/my-apps'\n",
         "stack": "Error: husky - pre-push hook exited with code 1 (error)\n\nnode:internal/process/esm_loader:40\n      internalBinding('errors').triggerUncaughtException(\n                                ^\nError: Required package missing from disk. If you keep your packages inside your repository then restarting the Node process may be enough. Otherwise, try to run an install first.\n\nMissing package: lint-staged@npm:13.2.0\nExpected package location: /tmp/renovate/repos/azure/my-project/my-apps/.yarn/cache/lint-staged-npm-13.2.0-204330f6dc-dcaa8fbbde.zip/node_modules/lint-staged/\n\n    at makeError (/tmp/renovate/repos/azure/my-project/my-apps/.pnp.cjs:50643:34)\n    at resolveUnqualified (/tmp/renovate/repos/azure/my-project/my-apps/.pnp.cjs:52157:17)\n    at resolveRequest (/tmp/renovate/repos/azure/my-project/my-apps/.pnp.cjs:52209:14)\n    at Object.resolveRequest (/tmp/renovate/repos/azure/my-project/my-apps/.pnp.cjs:52265:26)\n    at resolve$1 (file:///tmp/renovate/repos/azure/my-project/my-apps/.pnp.loader.mjs:1991:25)\n    at nextResolve (node:internal/modules/esm/hooks:864:28)\n    at Hooks.resolve (node:internal/modules/esm/hooks:302:30)\n    at MessagePort.handleMessage (node:internal/modules/esm/worker:196:24)\n    at [nodejs.internal.kHybridDispatch] (node:internal/event_target:786:20)\n    at exports.emitMessage (node:internal/per_context/messageport:23:28)\n\nNode.js v18.20.3\nerror: failed to push some refs to 'https://dev.azure.com/my-org/my-project/_git/my-apps'\n\n    at Object.action (/home/vsts/.npm/_npx/05eeecd92f4e18e0/node_modules/simple-git/src/lib/plugins/error-detection.plugin.ts:42:29)\n    at PluginStore.exec (/home/vsts/.npm/_npx/05eeecd92f4e18e0/node_modules/simple-git/src/lib/plugins/plugin-store.ts:54:29)\n    at /home/vsts/.npm/_npx/05eeecd92f4e18e0/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:124:42\n    at new Promise (<anonymous>)\n    at GitExecutorChain.handleTaskData (/home/vsts/.npm/_npx/05eeecd92f4e18e0/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:121:14)\n    at GitExecutorChain.<anonymous> (/home/vsts/.npm/_npx/05eeecd92f4e18e0/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:97:40)\n    at Generator.next (<anonymous>)\n    at fulfilled (/home/vsts/.npm/_npx/05eeecd92f4e18e0/node_modules/simple-git/dist/cjs/index.js:52:24)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)"
       }

[rarkins]

I have not reproduced this, and don't have time to fix, but based on code review I suspect this to be the case.

Example of normal git push checking getNoVerify():

renovate/lib/util/git/index.ts

Lines 1092 to 1107 in 36091fd

	export async function pushCommit({
	sourceRef,
	targetRef,
	files,
	}: PushFilesConfig): Promise<boolean> {
	await syncGit();
	logger.debug(`Pushing refSpec ${sourceRef}:${targetRef ?? sourceRef}`);
	let result = false;
	try {
	const pushOptions: TaskOptions = {
	'--force-with-lease': null,
	'-u': null,
	};
	if (getNoVerify().includes('push')) {
	pushOptions['--no-verify'] = null;
	}

deleteBranch() not checking it:

renovate/lib/util/git/index.ts

Lines 767 to 770 in 36091fd

	export async function deleteBranch(branchName: string): Promise<void> {
	await syncGit();
	try {
	await gitRetry(() => git.raw(['push', '--delete', 'origin', branchName]));