fix(config): set npmToken in npmrc when not in encrypted

lib/workers/repository/init/merge.spec.ts

@@ -20,6 +20,7 @@ import {
   checkForRepoConfigError,
   detectRepoFileConfig,
   mergeRenovateConfig,
+  setNpmTokenInNpmrc,
 } from './merge';
 
 jest.mock('../../../util/fs');
@@ -385,5 +386,59 @@ describe('workers/repository/init/merge', () => {
         }),
       ).toBeDefined();
     });
+
+    it('sets npmToken to npmrc when it is not inside encrypted', async () => {
+      scm.getFileList.mockResolvedValue(['package.json', '.renovaterc.json']);
+      fs.readLocalFile.mockResolvedValue(
+        '{"npmToken": "{{ secrets.NPM_TOKEN }}", "npmrc": "something_authToken=${NPM_TOKEN}"}',
+      );
+      migrateAndValidate.migrateAndValidate.mockResolvedValue({
+        ...config,
+        npmToken: '{{ secrets.NPM_TOKEN }}',
+        npmrc: 'something_authToken=${NPM_TOKEN}',
+        warnings: [],
+        errors: [],
+      });
+      migrate.migrateConfig.mockImplementation((c) => ({
+        isMigrated: true,
+        migratedConfig: c,
+      }));
+      config.secrets = {
+        NPM_TOKEN: 'confidential',
+      };
+      const res = await mergeRenovateConfig(config);
+      expect(res.npmrc).toBe('something_authToken=confidential');
+    });
+  });
+
+  describe('setNpmTokenInNpmrc', () => {
+    it('skips in no npmToken found', () => {
+      const config = {};
+      setNpmTokenInNpmrc(config);
+      expect(config).toMatchObject({});
+    });
+
+    it('adds default npmrc registry if it does not exist', () => {
+      const config = { npmToken: 'token' };
+      setNpmTokenInNpmrc(config);
+      expect(config).toMatchObject({
+        npmrc: '//registry.npmjs.org/:_authToken=token\n',
+      });
+    });
+
+    it('adds npmToken at end of npmrc string if ${NPM_TOKEN} string not found', () => {
+      const config = { npmToken: 'token', npmrc: 'something\n' };
+      setNpmTokenInNpmrc(config);
+      expect(config).toMatchObject({ npmrc: 'something\n_authToken=token\n' });
+    });
+
+    it('replaces ${NPM_TOKEN} with npmToken value', () => {
+      const config = {
+        npmToken: 'token',
+        npmrc: 'something_auth=${NPM_TOKEN}\n',
+      };
+      setNpmTokenInNpmrc(config);
+      expect(config).toMatchObject({ npmrc: 'something_auth=token\n' });
+    });
   });
 });

lib/workers/repository/init/merge.ts

@@ -23,6 +23,7 @@ import { readLocalFile } from '../../../util/fs';
 import * as hostRules from '../../../util/host-rules';
 import * as queue from '../../../util/http/queue';
 import * as throttle from '../../../util/http/throttle';
+import { regEx } from '../../../util/regex';
 import { getOnboardingConfig } from '../onboarding/branch/config';
 import { getDefaultConfigFileName } from '../onboarding/branch/create';
 import {
@@ -216,6 +217,7 @@ export async function mergeRenovateConfig(
   const repository = config.repository!;
   // Decrypt before resolving in case we need npm authentication for any presets
   const decryptedConfig = await decryptConfig(migratedConfig, repository);
+  setNpmTokenInNpmrc(decryptedConfig);
   // istanbul ignore if
   if (is.string(decryptedConfig.npmrc)) {
     logger.debug('Found npmrc in decrypted config - setting');
@@ -237,6 +239,7 @@ export async function mergeRenovateConfig(
     logger.trace({ config: resolvedConfig }, 'resolved config after migrating');
     resolvedConfig = migrationResult.migratedConfig;
   }
+  setNpmTokenInNpmrc(resolvedConfig);
   // istanbul ignore if
   if (is.string(resolvedConfig.npmrc)) {
     logger.debug(
@@ -278,3 +281,32 @@ export async function mergeRenovateConfig(
   }
   return returnConfig;
 }
+
+/** needed when using portal secrets for npmToken */
+export function setNpmTokenInNpmrc(config: RenovateConfig): void {
+  if (!is.string(config.npmToken)) {
+    return;
+  }
+
+  const token = config.npmToken;
+
+  if (!is.string(config.npmrc)) {
+    logger.debug('Adding npmrc to config');
+    config.npmrc = `//registry.npmjs.org/:_authToken=${token}\n`;
+    delete config.npmToken;
+    return;
+  }
+
+  if (config.npmrc.includes(`\${NPM_TOKEN}`)) {
+    logger.debug(`Replacing \${NPM_TOKEN} with decrypted token`);
+    config.npmrc = config.npmrc.replace(regEx(/\${NPM_TOKEN}/g), token);
+  } else {
+    logger.debug('Appending _authToken= to end of existing npmrc');
+    config.npmrc = config.npmrc.replace(
+      regEx(/\n?$/),
+      `\n_authToken=${token}\n`,
+    );
+  }
+
+  delete config.npmToken;
+}