fix(config): move trustLevel to admin config (#8555)

lib/config/admin.ts

@@ -5,8 +5,8 @@ let adminConfig: RepoAdminConfig = {};
 const derivedAdminOptions = ['localDir'];
 
 export function setAdminConfig(
-  config: RenovateConfig,
-  adminOptions: string[]
+  config: RenovateConfig = {},
+  adminOptions = Object.keys(config)
 ): void {
   adminConfig = {};
   const repoAdminOptions = adminOptions.concat(derivedAdminOptions);

lib/config/common.ts

@@ -72,7 +72,6 @@ export interface GlobalAdminConfig {
   logLevel?: LogLevel;
   redisUrl?: string;
   repositories?: RenovateRepository[];
-  trustLevel?: 'low' | 'high';
 }
 
 // Config options used within the repository worker, but non-user configurable
@@ -81,6 +80,7 @@ export interface RepoAdminConfig {
   allowedPostUpgradeCommands?: string[];
   dockerImagePrefix?: string;
   dockerUser?: string;
+  trustLevel?: 'low' | 'high';
 }
 
 export interface RenovateAdminConfig {

lib/config/definitions.ts

@@ -537,7 +537,7 @@ const options: RenovateOptions[] = [
     name: 'trustLevel',
     description:
       'Set this to "high" if the bot should trust the repository owners/contents.',
-    stage: 'global',
+    admin: true,
     type: 'string',
     default: 'low',
   },

lib/config/index.ts

@@ -129,11 +129,6 @@ export async function parseConfigs(
   delete config.logFile;
   delete config.logFileLevel;
 
-  // Move global variables that we need to use later
-  global.trustLevel =
-    config.trustLevel || /* istanbul ignore next: never happen? */ 'low';
-  delete config.trustLevel;
-
   return config;
 }
 

lib/config/presets/npm/index.spec.ts

@@ -1,4 +1,5 @@
 import nock from 'nock';
+import { setAdminConfig } from '../../admin';
 import * as npm from '.';
 
 jest.mock('registry-auth-token');
@@ -8,7 +9,7 @@ describe('config/presets/npm', () => {
   delete process.env.NPM_TOKEN;
   beforeEach(() => {
     jest.resetAllMocks();
-    global.trustLevel = 'low';
+    setAdminConfig();
     nock.cleanAll();
   });
   afterEach(() => {

lib/datasource/crate/index.spec.ts

@@ -4,6 +4,7 @@ import { DirectoryResult, dir } from 'tmp-promise';
 import { dirname, join } from 'upath';
 import { getPkgReleases } from '..';
 import * as httpMock from '../../../test/http-mock';
+import { setAdminConfig } from '../../config/admin';
 import * as memCache from '../../util/cache/memory';
 import { setFsConfig } from '../../util/fs';
 import {
@@ -71,11 +72,12 @@ describe('datasource/crate', () => {
       });
       simpleGit.mockReset();
       memCache.init();
+      setAdminConfig();
     });
     afterEach(() => {
       fs.rmdirSync(tmpDir.path, { recursive: true });
       tmpDir = null;
-      delete global.trustLevel;
+      setAdminConfig();
     });
     it('returns null for missing registry url', async () => {
       expect(
@@ -208,9 +210,8 @@ describe('datasource/crate', () => {
     });
     it('clones cloudsmith private registry', async () => {
       const { mockClone } = setupGitMocks();
-
+      setAdminConfig({ trustLevel: 'high' });
       const url = 'https://dl.cloudsmith.io/basic/myorg/myrepo/cargo/index.git';
-      global.trustLevel = 'high';
       const res = await getPkgReleases({
         datasource,
         depName: 'mypkg',
@@ -223,9 +224,8 @@ describe('datasource/crate', () => {
     });
     it('clones other private registry', async () => {
       const { mockClone } = setupGitMocks();
-
+      setAdminConfig({ trustLevel: 'high' });
       const url = 'https://github.com/mcorbin/testregistry';
-      global.trustLevel = 'high';
       const res = await getPkgReleases({
         datasource,
         depName: 'mypkg',
@@ -238,9 +238,8 @@ describe('datasource/crate', () => {
     });
     it('clones once then reuses the cache', async () => {
       const { mockClone } = setupGitMocks();
-
+      setAdminConfig({ trustLevel: 'high' });
       const url = 'https://github.com/mcorbin/othertestregistry';
-      global.trustLevel = 'high';
       await getPkgReleases({
         datasource,
         depName: 'mypkg',

lib/datasource/crate/index.ts

@@ -1,6 +1,7 @@
 import hasha from 'hasha';
 import Git from 'simple-git';
 import { join } from 'upath';
+import { getAdminConfig } from '../../config/admin';
 import { logger } from '../../logger';
 import { ExternalHostError } from '../../types/errors/external-host-error';
 import * as memCache from '../../util/cache/memory';
@@ -161,7 +162,7 @@ async function fetchRegistryInfo(
   };
 
   if (flavor !== RegistryFlavor.CratesIo) {
-    if (global.trustLevel !== 'high') {
+    if (getAdminConfig().trustLevel !== 'high') {
       logger.warn(
         'crate datasource: trustLevel=high is required for registries other than crates.io, bailing out'
       );

lib/datasource/npm/index.spec.ts

@@ -3,6 +3,7 @@ import nock from 'nock';
 import _registryAuthToken from 'registry-auth-token';
 import { getPkgReleases } from '..';
 import { getName } from '../../../test/util';
+import { setAdminConfig } from '../../config/admin';
 import { EXTERNAL_HOST_ERROR } from '../../constants/error-messages';
 import * as hostRules from '../../util/host-rules';
 import { id as datasource, getNpmrc, resetCache, setNpmrc } from '.';
@@ -17,7 +18,7 @@ describe(getName(__filename), () => {
   delete process.env.NPM_TOKEN;
   beforeEach(() => {
     jest.resetAllMocks();
-    global.trustLevel = 'low';
+    setAdminConfig();
     resetCache();
     setNpmrc();
     npmResponse = {
@@ -283,14 +284,14 @@ describe(getName(__filename), () => {
       .reply(200, npmResponse);
     process.env.REGISTRY = 'https://registry.from-env.com';
     process.env.RENOVATE_CACHE_NPM_MINUTES = '15';
-    global.trustLevel = 'high';
+    setAdminConfig({ trustLevel: 'high' });
     // eslint-disable-next-line no-template-curly-in-string
     const npmrc = 'registry=${REGISTRY}';
     const res = await getPkgReleases({ datasource, depName: 'foobar', npmrc });
     expect(res).toMatchSnapshot();
   });
   it('should throw error if necessary env var is not present', () => {
-    global.trustLevel = 'high';
+    setAdminConfig({ trustLevel: 'high' });
     // eslint-disable-next-line no-template-curly-in-string
     expect(() => setNpmrc('registry=${REGISTRY_MISSING}')).toThrow(
       Error('env-replace')

lib/datasource/npm/npmrc.spec.ts

@@ -1,4 +1,5 @@
 import { getName, mocked } from '../../../test/util';
+import { setAdminConfig } from '../../config/admin';
 import * as _sanitize from '../../util/sanitize';
 import { getNpmrc, setNpmrc } from './npmrc';
 
@@ -9,8 +10,8 @@ const sanitize = mocked(_sanitize);
 describe(getName(__filename), () => {
   beforeEach(() => {
     delete process.env.NPM_TOKEN;
-    delete global.trustLevel;
     setNpmrc('');
+    setAdminConfig();
     jest.resetAllMocks();
   });
 
@@ -38,7 +39,7 @@ describe(getName(__filename), () => {
   });
 
   it('sanitize _authtoken with high trust', () => {
-    global.trustLevel = 'high';
+    setAdminConfig({ trustLevel: 'high' });
     process.env.TEST_TOKEN = 'test';
     setNpmrc(
       // eslint-disable-next-line no-template-curly-in-string

lib/datasource/npm/npmrc.ts

@@ -1,5 +1,6 @@
 import is from '@sindresorhus/is';
 import ini from 'ini';
+import { getAdminConfig } from '../../config/admin';
 import { logger } from '../../logger';
 import { add } from '../../util/sanitize';
 
@@ -53,12 +54,13 @@ export function setNpmrc(input?: string): void {
     npmrcRaw = input;
     logger.debug('Setting npmrc');
     npmrc = ini.parse(input.replace(/\\n/g, '\n'));
+    const { trustLevel } = getAdminConfig();
     for (const [key, val] of Object.entries(npmrc)) {
-      if (global.trustLevel !== 'high') {
+      if (trustLevel !== 'high') {
         sanitize(key, val);
       }
       if (
-        global.trustLevel !== 'high' &&
+        trustLevel !== 'high' &&
         key.endsWith('registry') &&
         val &&
         val.includes('localhost')
@@ -71,7 +73,7 @@ export function setNpmrc(input?: string): void {
         return;
       }
     }
-    if (global.trustLevel !== 'high') {
+    if (trustLevel !== 'high') {
       return;
     }
     for (const key of Object.keys(npmrc)) {

lib/globals.d.ts

@@ -12,8 +12,6 @@ declare interface Error {
 declare namespace NodeJS {
   interface Global {
     gitAuthor?: { name: string; email: string };
-
-    trustLevel?: string;
   }
 }
 

lib/manager/composer/artifacts.spec.ts

@@ -2,6 +2,7 @@ import { exec as _exec } from 'child_process';
 import { join } from 'upath';
 import { envMock, mockExecAll } from '../../../test/exec-util';
 import { env, fs, git, mocked, partial } from '../../../test/util';
+import { setAdminConfig } from '../../config/admin';
 import {
   PLATFORM_TYPE_GITHUB,
   PLATFORM_TYPE_GITLAB,
@@ -45,7 +46,7 @@ describe('.updateArtifacts()', () => {
     await setUtilConfig(config);
     docker.resetPrefetchedImages();
     hostRules.clear();
-    delete global.trustLevel;
+    setAdminConfig();
   });
   it('returns if no composer.lock found', async () => {
     expect(
@@ -62,7 +63,7 @@ describe('.updateArtifacts()', () => {
     const execSnapshots = mockExecAll(exec);
     fs.readLocalFile.mockReturnValueOnce('Current composer.lock' as any);
     git.getRepoStatus.mockResolvedValue(repoStatus);
-    global.trustLevel = 'high';
+    setAdminConfig({ trustLevel: 'high' });
     expect(
       await composer.updateArtifacts({
         packageFileName: 'composer.json',

lib/manager/composer/artifacts.ts

@@ -2,6 +2,7 @@ import url from 'url';
 import is from '@sindresorhus/is';
 import { quote } from 'shlex';
 import upath from 'upath';
+import { getAdminConfig } from '../../config/admin';
 import { SYSTEM_INSUFFICIENT_DISK_SPACE } from '../../constants/error-messages';
 import {
   PLATFORM_TYPE_GITHUB,
@@ -147,7 +148,7 @@ export async function updateArtifacts({
       args += ' --ignore-platform-reqs';
     }
     args += ' --no-ansi --no-interaction';
-    if (global.trustLevel !== 'high' || config.ignoreScripts) {
+    if (getAdminConfig().trustLevel !== 'high' || config.ignoreScripts) {
       args += ' --no-scripts --no-autoloader';
     }
     logger.debug({ cmd, args }, 'composer command');

lib/manager/npm/extract/index.ts

@@ -1,6 +1,7 @@
 import is from '@sindresorhus/is';
 import { dirname } from 'upath';
 import validateNpmPackageName from 'validate-npm-package-name';
+import { getAdminConfig } from '../../../config/admin';
 import { CONFIG_VALIDATION } from '../../../constants/error-messages';
 import * as datasourceGithubTags from '../../../datasource/github-tags';
 import * as datasourceNpm from '../../../datasource/npm';
@@ -107,7 +108,7 @@ export async function extractPackageFile(
       npmrc = npmrc.replace(/(^|\n)package-lock.*?(\n|$)/g, '\n');
     }
     if (npmrc) {
-      if (npmrc.includes('=${') && !(global.trustLevel === 'high')) {
+      if (npmrc.includes('=${') && getAdminConfig().trustLevel !== 'high') {
         logger.debug('Discarding .npmrc file with variables');
         ignoreNpmrcFile = true;
         npmrc = undefined;

lib/manager/npm/post-update/lerna.spec.ts

@@ -1,6 +1,7 @@
 import { exec as _exec } from 'child_process';
 import { envMock, mockExecAll } from '../../../../test/exec-util';
 import { getName, mocked } from '../../../../test/util';
+import { setAdminConfig } from '../../../config/admin';
 import * as _env from '../../../util/exec/env';
 import * as _lernaHelper from './lerna';
 
@@ -108,14 +109,13 @@ describe(getName(__filename), () => {
     });
     it('allows scripts for trust level high', async () => {
       const execSnapshots = mockExecAll(exec);
-      global.trustLevel = 'high';
+      setAdminConfig({ trustLevel: 'high' });
       const res = await lernaHelper.generateLockFiles(
         lernaPkgFile('npm'),
         'some-dir',
         {},
         {}
       );
-      delete global.trustLevel;
       expect(res.error).toBe(false);
       expect(execSnapshots).toMatchSnapshot();
     });

lib/manager/npm/post-update/lerna.ts

@@ -1,6 +1,7 @@
 import semver, { validRange } from 'semver';
 import { quote } from 'shlex';
 import { join } from 'upath';
+import { getAdminConfig } from '../../../config/admin';
 import { logger } from '../../../logger';
 import { ExecOptions, exec } from '../../../util/exec';
 import { PackageFile, PostUpdateConfig } from '../../common';
@@ -70,7 +71,10 @@ export async function generateLockFiles(
       return { error: false };
     }
     let lernaCommand = `lerna bootstrap --no-ci --ignore-scripts -- `;
-    if (global.trustLevel === 'high' && config.ignoreScripts !== false) {
+    if (
+      getAdminConfig().trustLevel === 'high' &&
+      config.ignoreScripts !== false
+    ) {
       cmdOptions = cmdOptions.replace('--ignore-scripts ', '');
       lernaCommand = lernaCommand.replace('--ignore-scripts ', '');
     }
@@ -90,7 +94,7 @@ export async function generateLockFiles(
       },
     };
     // istanbul ignore if
-    if (global.trustLevel === 'high') {
+    if (getAdminConfig().trustLevel === 'high') {
       execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH;
       execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL;
       execOptions.extraEnv.NPM_TOKEN = env.NPM_TOKEN;

lib/manager/npm/post-update/npm.ts

@@ -1,6 +1,7 @@
 import { validRange } from 'semver';
 import { quote } from 'shlex';
 import { join } from 'upath';
+import { getAdminConfig } from '../../../config/admin';
 import { SYSTEM_INSUFFICIENT_DISK_SPACE } from '../../../constants/error-messages';
 import { logger } from '../../../logger';
 import { ExecOptions, exec } from '../../../util/exec';
@@ -67,7 +68,7 @@ export async function generateLockFile(
       },
     };
     // istanbul ignore if
-    if (global.trustLevel === 'high') {
+    if (getAdminConfig().trustLevel === 'high') {
       execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH;
       execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL;
       execOptions.extraEnv.NPM_TOKEN = env.NPM_TOKEN;

lib/manager/npm/post-update/pnpm.ts

@@ -1,6 +1,7 @@
 import { validRange } from 'semver';
 import { quote } from 'shlex';
 import { join } from 'upath';
+import { getAdminConfig } from '../../../config/admin';
 import { logger } from '../../../logger';
 import { ExecOptions, exec } from '../../../util/exec';
 import { readFile, remove } from '../../../util/fs';
@@ -48,7 +49,7 @@ export async function generateLockFile(
       },
     };
     // istanbul ignore if
-    if (global.trustLevel === 'high') {
+    if (getAdminConfig().trustLevel === 'high') {
       execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH;
       execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL;
       execOptions.extraEnv.NPM_TOKEN = env.NPM_TOKEN;
@@ -61,7 +62,7 @@ export async function generateLockFile(
     }
     cmd = 'pnpm';
     let args = 'install --recursive --lockfile-only';
-    if (global.trustLevel !== 'high' || config.ignoreScripts) {
+    if (getAdminConfig().trustLevel !== 'high' || config.ignoreScripts) {
       args += ' --ignore-scripts';
       args += ' --ignore-pnpmfile';
     }