I am trying to run Renovate inside AWS CodeBuild with AWS CodeCommit (source repo) and AWS CodeArtifact (private npm registry).
Here is my buildspec.yml:
version: 0.2
env:
  shell: bash
  git-credential-helper: yes
  variables:
    RENOVATE_PLATFORM: 'codecommit'
    RENOVATE_REPOSITORIES: '["repoName1", "repoName2"]'
    RENOVATE_CONFIG: '{"extends":["config:recommended"]}'
    LOG_LEVEL: 'debug'
    AWS_REGION: 'us-east-1'
phases:
  build:
    on-failure: CONTINUE
    commands:
      - aws codeartifact login --tool npm --domain my_domain --domain-owner 111122223333 --repository my_repo
      - npm install -g renovate
      - renovate
And here is the renovate.json inside my repository:
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "npmrc": "registry=..."
}
What I want:
Renovate should use CodeArtifact as the npm registry when checking for new npm packages for my repositories.
What actually happens:
Renovate always tries to use the default npm public registry (https://registry.npmjs.org/).
My constraints:
I don’t want to hard code an authentication token into renovate.json.
I want to rely on the aws CodeArtifact login command inside CodeBuild to configure npm authentication dynamically.
Question:
How can I configure Renovate (running inside AWS CodeBuild) so that it uses AWS CodeArtifact as the npm registry for dependency lookups instead of the public npm registry, without hardcoding tokens?
You should be able to do it by the following:
set the registryUrls in your renovate.json's packageRules, as explained here: https://docs.renovatebot.com/configuration-options/#registryurls. Also see this for finding out the repo URL for CodeArtifact: https://docs.aws.amazon.com/codeartifact/latest/ug/npm-auth.html#configuring-npm-without-using-the-login-command
keep the aws codeartifact login inside the pipeline
copy the renovate.json file from the repo directory to a temporary location
embed the .npmrc inside the temporary renovate.json, perhaps using a tool like jq
set the RENOVATE_CONFIG_FILE environment variable to point to the temporary renovate.json