Set git insteadOf for all auth in all sidecar containers

[rarkins]

What would you like Renovate to be able to do?

Configure git insteadOf instructions:

• For all sidecar containers (but maybe also for non-sidecar too if done with env?)
• For all authentication we find
• For multiple types of URLs, e.g. insteadOf ssh://git@github.com:, insteadOf git://github.com/, etc.

Might this solve a few manager private auth problems in one go?

If you have any ideas on how this should be implemented, please tell us here.

If doing in env, presumably similar to #11077 by @Shegox

Is this a feature you are interested in implementing yourself?

No

[s2thudry]

I needed to do something similar to replace a SSH dependency and use HTTP instead with poetry, for those interested my configuration look like this.

{
  "platform": "gitlab",
  "endpoint": "https://gitlab.xxxx.com/api/v4/",
  "token": "xxxx",
  "autodiscover": true,
  "dryRun": false,
  "logFileLevel": "debug",
  "requireConfig": true,
  "onboarding": false,
  "binarySource": "docker",
  "customEnvVariables": {
    "GIT_CONFIG_COUNT": "1",
    "GIT_CONFIG_KEY_0": "url.https://oauth2:xxxxx@xxxxx.com/.insteadOf",
    "GIT_CONFIG_VALUE_0": "git@xxxx.com:"
  },

  "hostRules": [
    {

      "matchHost": "xxxx.com",
      "username": "renovatebot",
      "password": "xxxx"
    },
    {
      "hostType": "npm",
      "matchHost": "xxxx.com",
      "username": "renovatebot",
      "password": "xxxx"
    }
  ]
}

[Chumper]

@rarkins @viceice Is this the preferred solution for this use case?
Otherwise we should maybe go forward with making this a part of Renovate or go forward with my proposal in #12147

I will try out this solution, it should solve some problems we have with private packages.

[rarkins]

@Chumper I think it could be better if we use environment variables instead of commands, as pioneered in the gomod artifacts updating. e.g. https://github.com/renovatebot/renovate/blob/main/lib/util/git/auth.ts

[Chumper]

@rarkins Makes sense, in that case let me create a PR to add it to Python as well

[rarkins]

@Chumper some interesting alternative approaches proposed by @james-callahan in #20059 (comment)

[james-callahan]

@rarkins / @Chumper are there any blockers on implementing this?

[rarkins]

I think there's nothing stopping us either or both:

• Extending the number of type of hostRules which we convert to git env values, and
• Passing these to every type of sidecar container, not just Go

The only challenge would be what to do when there's conflicting credentials for the same host, due to different hostTypes (e.g. python vs npm). But in that case we could maybe do first or last one wins, and treat it as a documented limitation.

PRs welcome..

[Chumper]

yeah, sorry, late to the party.

As @rarkins said, there are a few ways of doing this, we just need someone to implement it.
I am transitioning to the binarySource=install method, so my desire for this feature is not that urgent anymore.
But it would be a nice feature for folks that are using the docker containers.