diff --git a/docs/usage/self-hosted-configuration.md b/docs/usage/self-hosted-configuration.md index 93af532f4906e1..7b2bbd01ad6e75 100644 --- a/docs/usage/self-hosted-configuration.md +++ b/docs/usage/self-hosted-configuration.md @@ -9,6 +9,8 @@ The configuration options listed in this document are applicable to self-hosted Please also see [Self-Hosted Experimental Options](./self-hosted-experimental.md). +## allowCustomCrateRegistries + ## allowPostUpgradeCommandTemplating Set to true to allow templating of dependency level post-upgrade commands. @@ -52,6 +54,8 @@ npm ci --ignore-scripts npx ng update @angular/core --from=10.0.0 --to=11.0.0 --migrate-only --allow-dirty --force ``` +## allowScripts + ## allowedPostUpgradeCommands A list of regular expressions that determine which commands in `postUpgradeTasks` are allowed to be executed. @@ -186,6 +190,13 @@ e.g. ## endpoint +## exposeAllEnv + +By default, Renovate will only pass a limited set of environment variables to package managers. +Potentially, there could be leaks of confidential data if a script you don't trust enumerates all values in env, so set this to true only if you trust the repositories which the bot runs against. + +Setting this to true will also allow for variable substitution in `.npmrc` files. + ## force This object is used as a "force override" when you need to make sure certain configuration overrides whatever is configured in the repository. @@ -375,13 +386,4 @@ This is currently applicable to `npm` and `lerna`/`npm` only, and only used in c ## token -## trustLevel - -Setting trustLevel to `"high"` can make sense in many self-hosted cases where the bot operator trusts the content in each repository. - -Setting trustLevel=high means: - -- Child processes are run with full access to `env` -- `.npmrc` files can have environment variable substitution performed - ## username diff --git a/lib/config/__snapshots__/migration.spec.ts.snap b/lib/config/__snapshots__/migration.spec.ts.snap index 48456d788edf78..a9d93e6307f2b3 100644 --- a/lib/config/__snapshots__/migration.spec.ts.snap +++ b/lib/config/__snapshots__/migration.spec.ts.snap @@ -78,6 +78,8 @@ Array [ exports[`config/migration migrateConfig(config, parentConfig) migrates config 1`] = ` Object { "additionalBranchPrefix": "{{parentDir}}-", + "allowCustomCrateRegistries": true, + "allowScripts": true, "autodiscover": true, "automerge": false, "automergeType": "branch", @@ -94,6 +96,7 @@ Object { "dependencyDashboard": true, "dependencyDashboardTitle": "foo", "enabled": true, + "exposeAllEnv": true, "extends": Array [ ":automergeBranch", "config:js-app", @@ -109,8 +112,8 @@ Object { "includeForks": true, "lockFileMaintenance": Object { "automerge": true, + "exposeAllEnv": false, "schedule": "before 5am", - "trustLevel": "low", }, "major": Object { "automerge": false, @@ -243,7 +246,6 @@ Object { "travis": Object { "enabled": true, }, - "trustLevel": "high", } `; diff --git a/lib/config/admin.ts b/lib/config/admin.ts index 6d6fd61fc69edd..feb3701c818dcd 100644 --- a/lib/config/admin.ts +++ b/lib/config/admin.ts @@ -4,15 +4,17 @@ let adminConfig: RepoAdminConfig = {}; // TODO: once admin config work is complete, add a test to make sure this list includes all options with admin=true export const repoAdminOptions = [ + 'allowCustomCrateRegistries', 'allowPostUpgradeCommandTemplating', + 'allowScripts', 'allowedPostUpgradeCommands', 'customEnvVariables', 'dockerChildPrefix', 'dockerImagePrefix', 'dockerUser', 'dryRun', + 'exposeAllEnv', 'privateKey', - 'trustLevel', ]; export function setAdminConfig(config: RenovateConfig = {}): void { diff --git a/lib/config/definitions.ts b/lib/config/definitions.ts index 5bf8d99305ef2b..92b85aadaf02af 100644 --- a/lib/config/definitions.ts +++ b/lib/config/definitions.ts @@ -473,17 +473,33 @@ const options: RenovateOptions[] = [ default: false, }, { - name: 'trustLevel', + name: 'exposeAllEnv', description: - 'Set this to "high" if the bot should trust the repository owners/contents.', + 'Configure this to true to allow passing of all env variables to package managers.', admin: true, - type: 'string', - default: 'low', + type: 'boolean', + default: false, + }, + { + name: 'allowScripts', + description: + 'Configure this to true if repositories are allowed to run install scripts.', + admin: true, + type: 'boolean', + default: false, + }, + { + name: 'allowCustomCrateRegistries', + description: + 'Configure this to true if custom crate registries are allowed.', + admin: true, + type: 'boolean', + default: false, }, { name: 'ignoreScripts', description: - 'Configure this to true if trustLevel is high but you wish to skip running scripts when updating lock files.', + 'Configure this to true if allowScripts=true but you wish to skip running scripts when updating lock files.', type: 'boolean', default: false, }, diff --git a/lib/config/migration.spec.ts b/lib/config/migration.spec.ts index 7bd348c5ea4996..6f19f5c6cacffe 100644 --- a/lib/config/migration.spec.ts +++ b/lib/config/migration.spec.ts @@ -56,6 +56,7 @@ describe(getName(__filename), () => { masterIssueTitle: 'foo', gomodTidy: true, upgradeInRange: true, + trustLevel: 'high', automergeType: 'branch-push', branchName: '{{{branchPrefix}}}{{{managerBranchPrefix}}}{{{branchTopic}}}{{{baseDir}}}', diff --git a/lib/config/migration.ts b/lib/config/migration.ts index 8b4f7ad5b18d5b..32ddd4566b6eaa 100644 --- a/lib/config/migration.ts +++ b/lib/config/migration.ts @@ -191,11 +191,14 @@ export function migrateConfig( migratedConfig.rebaseWhen = 'never'; } } else if (key === 'exposeEnv') { + migratedConfig.exposeAllEnv = val; delete migratedConfig.exposeEnv; - if (val === true) { - migratedConfig.trustLevel = 'high'; - } else if (val === false) { - migratedConfig.trustLevel = 'low'; + } else if (key === 'trustLevel') { + delete migratedConfig.trustLevel; + if (val === 'high') { + migratedConfig.allowCustomCrateRegistries ??= true; + migratedConfig.allowScripts ??= true; + migratedConfig.exposeAllEnv ??= true; } } else if ( key === 'branchName' && diff --git a/lib/config/types.ts b/lib/config/types.ts index b2c9ca6b37fb42..2ef022c21c49b8 100644 --- a/lib/config/types.ts +++ b/lib/config/types.ts @@ -83,15 +83,17 @@ export interface GlobalOnlyConfig { // Config options used within the repository worker, but not user configurable // The below should contain config options where admin=true export interface RepoAdminConfig { + allowCustomCrateRegistries?: boolean; allowPostUpgradeCommandTemplating?: boolean; + allowScripts?: boolean; allowedPostUpgradeCommands?: string[]; customEnvVariables?: Record; dockerChildPrefix?: string; dockerImagePrefix?: string; dockerUser?: string; dryRun?: boolean; + exposeAllEnv?: boolean; privateKey?: string | Buffer; - trustLevel?: 'low' | 'high'; } export interface LegacyAdminConfig { diff --git a/lib/datasource/crate/__snapshots__/index.spec.ts.snap b/lib/datasource/crate/__snapshots__/index.spec.ts.snap index 48572b6e73a18d..6e8b60c6991564 100644 --- a/lib/datasource/crate/__snapshots__/index.spec.ts.snap +++ b/lib/datasource/crate/__snapshots__/index.spec.ts.snap @@ -331,7 +331,7 @@ Array [ ] `; -exports[`datasource/crate/index getReleases refuses to clone if trustLevel is not high 1`] = `null`; +exports[`datasource/crate/index getReleases refuses to clone if allowCustomCrateRegistries is not true 1`] = `null`; exports[`datasource/crate/index getReleases returns null for 404 1`] = ` Array [ diff --git a/lib/datasource/crate/index.spec.ts b/lib/datasource/crate/index.spec.ts index a83b9f6293da56..dd8e79fdefb2cb 100644 --- a/lib/datasource/crate/index.spec.ts +++ b/lib/datasource/crate/index.spec.ts @@ -225,7 +225,7 @@ describe(getName(__filename), () => { expect(res).toBeDefined(); expect(httpMock.getTrace()).toMatchSnapshot(); }); - it('refuses to clone if trustLevel is not high', async () => { + it('refuses to clone if allowCustomCrateRegistries is not true', async () => { const { mockClone } = setupGitMocks(); const url = 'https://dl.cloudsmith.io/basic/myorg/myrepo/cargo/index.git'; @@ -240,7 +240,7 @@ describe(getName(__filename), () => { }); it('clones cloudsmith private registry', async () => { const { mockClone } = setupGitMocks(); - setAdminConfig({ trustLevel: 'high' }); + setAdminConfig({ allowCustomCrateRegistries: true }); const url = 'https://dl.cloudsmith.io/basic/myorg/myrepo/cargo/index.git'; const res = await getPkgReleases({ datasource, @@ -254,7 +254,7 @@ describe(getName(__filename), () => { }); it('clones other private registry', async () => { const { mockClone } = setupGitMocks(); - setAdminConfig({ trustLevel: 'high' }); + setAdminConfig({ allowCustomCrateRegistries: true }); const url = 'https://github.com/mcorbin/testregistry'; const res = await getPkgReleases({ datasource, @@ -268,7 +268,7 @@ describe(getName(__filename), () => { }); it('clones once then reuses the cache', async () => { const { mockClone } = setupGitMocks(); - setAdminConfig({ trustLevel: 'high' }); + setAdminConfig({ allowCustomCrateRegistries: true }); const url = 'https://github.com/mcorbin/othertestregistry'; await getPkgReleases({ datasource, @@ -284,7 +284,7 @@ describe(getName(__filename), () => { }); it('guards against race conditions while cloning', async () => { const { mockClone } = setupGitMocks(250); - setAdminConfig({ trustLevel: 'high' }); + setAdminConfig({ allowCustomCrateRegistries: true }); const url = 'https://github.com/mcorbin/othertestregistry'; await Promise.all([ @@ -310,7 +310,7 @@ describe(getName(__filename), () => { }); it('returns null when git clone fails', async () => { setupErrorGitMock(); - setAdminConfig({ trustLevel: 'high' }); + setAdminConfig({ allowCustomCrateRegistries: true }); const url = 'https://github.com/mcorbin/othertestregistry'; const result = await getPkgReleases({ diff --git a/lib/datasource/crate/index.ts b/lib/datasource/crate/index.ts index cce827f726b39f..44d39cb1852829 100644 --- a/lib/datasource/crate/index.ts +++ b/lib/datasource/crate/index.ts @@ -163,9 +163,9 @@ async function fetchRegistryInfo( }; if (flavor !== RegistryFlavor.CratesIo) { - if (getAdminConfig().trustLevel !== 'high') { + if (!getAdminConfig().allowCustomCrateRegistries) { logger.warn( - 'crate datasource: trustLevel=high is required for registries other than crates.io, bailing out' + 'crate datasource: allowCustomCrateRegistries=true is required for registries other than crates.io, bailing out' ); return null; } diff --git a/lib/datasource/npm/index.spec.ts b/lib/datasource/npm/index.spec.ts index 1b630c14be2635..d5091d722de3ad 100644 --- a/lib/datasource/npm/index.spec.ts +++ b/lib/datasource/npm/index.spec.ts @@ -359,7 +359,7 @@ describe(getName(__filename), () => { .reply(200, npmResponse); process.env.REGISTRY = 'https://registry.from-env.com'; process.env.RENOVATE_CACHE_NPM_MINUTES = '15'; - setAdminConfig({ trustLevel: 'high' }); + setAdminConfig({ exposeAllEnv: true }); // eslint-disable-next-line no-template-curly-in-string const npmrc = 'registry=${REGISTRY}'; const res = await getPkgReleases({ datasource, depName: 'foobar', npmrc }); @@ -368,7 +368,7 @@ describe(getName(__filename), () => { }); it('should throw error if necessary env var is not present', () => { - setAdminConfig({ trustLevel: 'high' }); + setAdminConfig({ exposeAllEnv: true }); // eslint-disable-next-line no-template-curly-in-string expect(() => setNpmrc('registry=${REGISTRY_MISSING}')).toThrow( Error('env-replace') diff --git a/lib/datasource/npm/npmrc.spec.ts b/lib/datasource/npm/npmrc.spec.ts index 186e4969726351..41fff3d27c3457 100644 --- a/lib/datasource/npm/npmrc.spec.ts +++ b/lib/datasource/npm/npmrc.spec.ts @@ -38,7 +38,7 @@ describe(getName(__filename), () => { }); it('sanitize _authtoken with high trust', () => { - setAdminConfig({ trustLevel: 'high' }); + setAdminConfig({ exposeAllEnv: true }); process.env.TEST_TOKEN = 'test'; setNpmrc( // eslint-disable-next-line no-template-curly-in-string diff --git a/lib/datasource/npm/npmrc.ts b/lib/datasource/npm/npmrc.ts index dae13dfca01852..3641998d365c9a 100644 --- a/lib/datasource/npm/npmrc.ts +++ b/lib/datasource/npm/npmrc.ts @@ -61,13 +61,13 @@ export function setNpmrc(input?: string): void { npmrcRaw = input; logger.debug('Setting npmrc'); npmrc = ini.parse(input.replace(/\\n/g, '\n')); - const { trustLevel } = getAdminConfig(); + const { exposeAllEnv } = getAdminConfig(); for (const [key, val] of Object.entries(npmrc)) { - if (trustLevel !== 'high') { + if (!exposeAllEnv) { sanitize(key, val); } if ( - trustLevel !== 'high' && + !exposeAllEnv && key.endsWith('registry') && val && val.includes('localhost') @@ -80,7 +80,7 @@ export function setNpmrc(input?: string): void { return; } } - if (trustLevel !== 'high') { + if (!exposeAllEnv) { return; } for (const key of Object.keys(npmrc)) { diff --git a/lib/manager/composer/artifacts.spec.ts b/lib/manager/composer/artifacts.spec.ts index d7798754387c6c..fca585b9583432 100644 --- a/lib/manager/composer/artifacts.spec.ts +++ b/lib/manager/composer/artifacts.spec.ts @@ -30,6 +30,7 @@ const config = { localDir: join('/tmp/github/some/repo'), cacheDir: join('/tmp/renovate/cache'), composerIgnorePlatformReqs: true, + ignoreScripts: false, }; const repoStatus = partial({ @@ -46,7 +47,7 @@ describe('.updateArtifacts()', () => { await setUtilConfig(config); docker.resetPrefetchedImages(); hostRules.clear(); - setAdminConfig(); + setAdminConfig({ allowScripts: false }); }); it('returns if no composer.lock found', async () => { expect( @@ -63,7 +64,7 @@ describe('.updateArtifacts()', () => { const execSnapshots = mockExecAll(exec); fs.readLocalFile.mockReturnValueOnce('Current composer.lock' as any); git.getRepoStatus.mockResolvedValue(repoStatus); - setAdminConfig({ trustLevel: 'high' }); + setAdminConfig({ allowScripts: true }); expect( await composer.updateArtifacts({ packageFileName: 'composer.json', diff --git a/lib/manager/composer/artifacts.ts b/lib/manager/composer/artifacts.ts index 9515106780c284..bffbe7510c707e 100644 --- a/lib/manager/composer/artifacts.ts +++ b/lib/manager/composer/artifacts.ts @@ -151,7 +151,7 @@ export async function updateArtifacts({ args += ' --ignore-platform-reqs'; } args += ' --no-ansi --no-interaction'; - if (getAdminConfig().trustLevel !== 'high' || config.ignoreScripts) { + if (!getAdminConfig().allowScripts || config.ignoreScripts) { args += ' --no-scripts --no-autoloader'; } logger.debug({ cmd, args }, 'composer command'); diff --git a/lib/manager/npm/extract/index.ts b/lib/manager/npm/extract/index.ts index 7bccc130f11d2a..aacf7d55444bef 100644 --- a/lib/manager/npm/extract/index.ts +++ b/lib/manager/npm/extract/index.ts @@ -107,7 +107,7 @@ export async function extractPackageFile( npmrc = npmrc.replace(/(^|\n)package-lock.*?(\n|$)/g, '\n'); } if (is.string(npmrc)) { - if (npmrc.includes('=${') && getAdminConfig().trustLevel !== 'high') { + if (npmrc.includes('=${') && !getAdminConfig().exposeAllEnv) { logger.debug('Discarding .npmrc file with variables'); ignoreNpmrcFile = true; npmrc = undefined; diff --git a/lib/manager/npm/post-update/lerna.spec.ts b/lib/manager/npm/post-update/lerna.spec.ts index 0dddb7c585fe5d..b5a596d671bbc5 100644 --- a/lib/manager/npm/post-update/lerna.spec.ts +++ b/lib/manager/npm/post-update/lerna.spec.ts @@ -109,7 +109,7 @@ describe(getName(__filename), () => { }); it('allows scripts for trust level high', async () => { const execSnapshots = mockExecAll(exec); - setAdminConfig({ trustLevel: 'high' }); + setAdminConfig({ allowScripts: true }); const res = await lernaHelper.generateLockFiles( lernaPkgFile('npm'), 'some-dir', diff --git a/lib/manager/npm/post-update/lerna.ts b/lib/manager/npm/post-update/lerna.ts index acba413c40c108..2ce9e38d4a8362 100644 --- a/lib/manager/npm/post-update/lerna.ts +++ b/lib/manager/npm/post-update/lerna.ts @@ -72,10 +72,7 @@ export async function generateLockFiles( return { error: false }; } let lernaCommand = `lerna bootstrap --no-ci --ignore-scripts -- `; - if ( - getAdminConfig().trustLevel === 'high' && - config.ignoreScripts !== false - ) { + if (getAdminConfig().allowScripts && config.ignoreScripts !== false) { cmdOptions = cmdOptions.replace('--ignore-scripts ', ''); lernaCommand = lernaCommand.replace('--ignore-scripts ', ''); } @@ -96,7 +93,7 @@ export async function generateLockFiles( }, }; // istanbul ignore if - if (getAdminConfig().trustLevel === 'high') { + if (getAdminConfig().exposeAllEnv) { execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH; execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL; } diff --git a/lib/manager/npm/post-update/npm.ts b/lib/manager/npm/post-update/npm.ts index 0025d620fe4c76..a11bce39231f08 100644 --- a/lib/manager/npm/post-update/npm.ts +++ b/lib/manager/npm/post-update/npm.ts @@ -71,7 +71,7 @@ export async function generateLockFile( }, }; // istanbul ignore if - if (getAdminConfig().trustLevel === 'high') { + if (getAdminConfig().exposeAllEnv) { execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH; execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL; } diff --git a/lib/manager/npm/post-update/pnpm.ts b/lib/manager/npm/post-update/pnpm.ts index 6541a412870a23..b9842631f96f53 100644 --- a/lib/manager/npm/post-update/pnpm.ts +++ b/lib/manager/npm/post-update/pnpm.ts @@ -50,7 +50,7 @@ export async function generateLockFile( }, }; // istanbul ignore if - if (getAdminConfig().trustLevel === 'high') { + if (getAdminConfig().exposeAllEnv) { execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH; execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL; } @@ -62,7 +62,7 @@ export async function generateLockFile( } cmd = 'pnpm'; let args = 'install --recursive --lockfile-only'; - if (getAdminConfig().trustLevel !== 'high' || config.ignoreScripts) { + if (!getAdminConfig().allowScripts || config.ignoreScripts) { args += ' --ignore-scripts'; args += ' --ignore-pnpmfile'; } diff --git a/lib/manager/npm/post-update/yarn.ts b/lib/manager/npm/post-update/yarn.ts index 34aed8c7cdbf68..5e7d4958273365 100644 --- a/lib/manager/npm/post-update/yarn.ts +++ b/lib/manager/npm/post-update/yarn.ts @@ -102,7 +102,7 @@ export async function generateLockFile( extraEnv.YARN_ENABLE_IMMUTABLE_INSTALLS = 'false'; extraEnv.YARN_HTTP_TIMEOUT = '100000'; } - if (getAdminConfig().trustLevel !== 'high' || config.ignoreScripts) { + if (!getAdminConfig().allowScripts || config.ignoreScripts) { if (isYarn1) { cmdOptions += ' --ignore-scripts'; } else { @@ -121,7 +121,7 @@ export async function generateLockFile( }, }; // istanbul ignore if - if (getAdminConfig().trustLevel === 'high') { + if (getAdminConfig().exposeAllEnv) { execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH; execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL; } diff --git a/lib/manager/pip_requirements/extract.spec.ts b/lib/manager/pip_requirements/extract.spec.ts index 6226ab5fc424da..9607c03eebc135 100644 --- a/lib/manager/pip_requirements/extract.spec.ts +++ b/lib/manager/pip_requirements/extract.spec.ts @@ -129,7 +129,7 @@ describe(getName(__filename), () => { }); it('should replace env vars in high trust mode', () => { process.env.PIP_TEST_TOKEN = 'its-a-secret'; - setAdminConfig({ trustLevel: 'high' }); + setAdminConfig({ exposeAllEnv: true }); const res = extractPackageFile(requirements7, 'unused_file_name', {}); expect(res.registryUrls).toEqual([ 'https://pypi.org/pypi/', diff --git a/lib/manager/pip_requirements/extract.ts b/lib/manager/pip_requirements/extract.ts index 87e2ffaec01963..87fc491b410ce2 100644 --- a/lib/manager/pip_requirements/extract.ts +++ b/lib/manager/pip_requirements/extract.ts @@ -84,7 +84,7 @@ export function extractPackageFile( res.registryUrls = registryUrls.map((url) => { // handle the optional quotes in eg. `--extra-index-url "https://foo.bar"` const cleaned = url.replace(/^"/, '').replace(/"$/, ''); - if (getAdminConfig().trustLevel !== 'high') { + if (!getAdminConfig().exposeAllEnv) { return cleaned; } // interpolate any environment variables diff --git a/lib/util/exec/env.spec.ts b/lib/util/exec/env.spec.ts index e3a0eabc258ad3..ebc1c16900a513 100644 --- a/lib/util/exec/env.spec.ts +++ b/lib/util/exec/env.spec.ts @@ -58,7 +58,7 @@ describe('getChildProcess environment when trustlevel set to low', () => { describe('getChildProcessEnv when trustlevel set to high', () => { it('returns process.env if trustlevel set to high', () => { - setAdminConfig({ trustLevel: 'high' }); + setAdminConfig({ exposeAllEnv: true }); expect(getChildProcessEnv()).toMatchObject(process.env); }); }); diff --git a/lib/util/exec/env.ts b/lib/util/exec/env.ts index 38950e4e867a95..faffd61bf81526 100644 --- a/lib/util/exec/env.ts +++ b/lib/util/exec/env.ts @@ -17,7 +17,7 @@ export function getChildProcessEnv( customEnvVars: string[] = [] ): NodeJS.ProcessEnv { const env: NodeJS.ProcessEnv = {}; - if (getAdminConfig().trustLevel === 'high') { + if (getAdminConfig().exposeAllEnv) { return { ...env, ...process.env }; } const envVars = [...basicEnvVars, ...customEnvVars]; diff --git a/lib/util/exec/exec.spec.ts b/lib/util/exec/exec.spec.ts index f5a67fbda53284..e5db81a628a4e8 100644 --- a/lib/util/exec/exec.spec.ts +++ b/lib/util/exec/exec.spec.ts @@ -194,7 +194,7 @@ describe(getName(__filename), () => { maxBuffer: 10485760, }, ], - adminConfig: { trustLevel: 'high' }, + adminConfig: { exposeAllEnv: true }, }, ], diff --git a/lib/workers/branch/index.spec.ts b/lib/workers/branch/index.spec.ts index a38f6cce331b99..73d68242507905 100644 --- a/lib/workers/branch/index.spec.ts +++ b/lib/workers/branch/index.spec.ts @@ -736,7 +736,7 @@ describe(getName(__filename), () => { const adminConfig = { allowedPostUpgradeCommands: ['^echo {{{versioning}}}$'], allowPostUpgradeCommandTemplating: true, - trustLevel: 'high', + exposeAllEnv: true, }; setAdminConfig(adminConfig); @@ -816,7 +816,7 @@ describe(getName(__filename), () => { const adminConfig = { allowedPostUpgradeCommands: ['^exit 1$'], allowPostUpgradeCommandTemplating: true, - trustLevel: 'high', + exposeAllEnv: true, }; setAdminConfig(adminConfig); @@ -885,7 +885,7 @@ describe(getName(__filename), () => { const adminConfig = { allowedPostUpgradeCommands: ['^echo {{{versioning}}}$'], allowPostUpgradeCommandTemplating: false, - trustLevel: 'high', + exposeAllEnv: true, }; setAdminConfig(adminConfig); const result = await branchWorker.processBranch({ @@ -965,7 +965,7 @@ describe(getName(__filename), () => { const adminConfig = { allowedPostUpgradeCommands: ['^echo {{{depName}}}$'], allowPostUpgradeCommandTemplating: true, - trustLevel: 'high', + exposeAllEnv: true, }; setAdminConfig(adminConfig);