From a67c45f9d6f495b019fc8a2fa5cf57b9de03d753 Mon Sep 17 00:00:00 2001
From: RahulGautamSingh <rahultesnik@gmail.com>
Date: Tue, 7 Jan 2025 00:25:03 +0530
Subject: [PATCH] fix(config): encrypted field validation (#33382)

Co-authored-by: Rhys Arkins <rhys@arkins.net>
---
 lib/config/decrypt.spec.ts | 12 ++++++++++++
 lib/config/decrypt.ts      |  6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/lib/config/decrypt.spec.ts b/lib/config/decrypt.spec.ts
index 3a056690dba2eb..3878b86870d4ec 100644
--- a/lib/config/decrypt.spec.ts
+++ b/lib/config/decrypt.spec.ts
@@ -12,6 +12,7 @@ describe('config/decrypt', () => {
     beforeEach(() => {
       config = {};
       GlobalConfig.reset();
+      delete process.env.MEND_HOSTED;
       delete process.env.RENOVATE_X_ENCRYPTED_STRICT;
     });
 
@@ -34,8 +35,19 @@ describe('config/decrypt', () => {
 
     it('throws exception if encrypted found but no privateKey', async () => {
       config.encrypted = { a: '1' };
+
       process.env.RENOVATE_X_ENCRYPTED_STRICT = 'true';
+      await expect(decryptConfig(config, repository)).rejects.toThrow(
+        'config-validation',
+      );
+    });
+
+    // coverage
+    it('throws exception if encrypted found but no privateKey- Mend Hosted', async () => {
+      config.encrypted = { a: '1' };
 
+      process.env.MEND_HOSTED = 'true';
+      process.env.RENOVATE_X_ENCRYPTED_STRICT = 'true';
       await expect(decryptConfig(config, repository)).rejects.toThrow(
         'config-validation',
       );
diff --git a/lib/config/decrypt.ts b/lib/config/decrypt.ts
index 80cddcd490830a..d7f80a1f186a7b 100644
--- a/lib/config/decrypt.ts
+++ b/lib/config/decrypt.ts
@@ -179,6 +179,12 @@ export async function decryptConfig(
           error.validationSource = 'config';
           error.validationError = 'Encrypted config unsupported';
           error.validationMessage = `This config contains an encrypted object at location \`$.${key}\` but no privateKey is configured. To support encrypted config, the Renovate administrator must configure a \`privateKey\` in Global Configuration.`;
+          if (process.env.MEND_HOSTED === 'true') {
+            error.validationMessage = `Mend-hosted Renovate Apps no longer support the use of encrypted secrets in Renovate file config (e.g. renovate.json).
+Please migrate all secrets to the Developer Portal using the web UI available at https://developer.mend.io/
+
+Refer to migration documents here: https://docs.renovatebot.com/mend-hosted/migrating-secrets/`;
+          }
           throw error;
         } else {
           logger.error('Found encrypted data but no privateKey');