feat: rename allowedPostUpgradeCommands/allowPostUpgradeCommandTemplating

docs/usage/configuration-options.md

@@ -3361,7 +3361,7 @@ Table with options:
 Post-upgrade tasks are commands that are executed by Renovate after a dependency has been updated but before the commit is created.
 The intention is to run any other command line tools that would modify existing files or generate new files when a dependency changes.
 
-Each command must match at least one of the patterns defined in `allowedPostUpgradeCommands` (a global-only configuration option) in order to be executed.
+Each command must match at least one of the patterns defined in `allowedCommands` (a global-only configuration option) in order to be executed.
 If the list of allowed tasks is empty then no tasks will be executed.
 
 e.g.
@@ -3382,7 +3382,7 @@ The `postUpgradeTasks` configuration consists of three fields:
 
 A list of commands that are executed after Renovate has updated a dependency but before the commit is made.
 
-You can use variable templating in your commands as long as [`allowPostUpgradeCommandTemplating`](./self-hosted-configuration.md#allowpostupgradecommandtemplating) is enabled.
+You can use variable templating in your commands as long as [`allowCommandTemplating`](./self-hosted-configuration.md#allowcommandtemplating) is enabled.
 
 <!-- prettier-ignore -->
 !!! note

docs/usage/self-hosted-configuration.md

@@ -17,17 +17,13 @@ Please also see [Self-Hosted Experimental Options](./self-hosted-experimental.md
 !!! note
     Config options with `type=string` are always non-mergeable, so `mergeable=false`.
 
-## allowCustomCrateRegistries
-
-## allowPlugins
-
-## allowPostUpgradeCommandTemplating
+## allowCommandTemplating
 
 Let's look at an example of configuring packages with existing Angular migrations.
 
 ```javascript
 module.exports = {
-  allowedPostUpgradeCommands: ['^npm ci --ignore-scripts$', '^npx ng update'],
+  allowedCommands: ['^npm ci --ignore-scripts$', '^npx ng update'],
 };
 ```
 
@@ -58,11 +54,32 @@ npm ci --ignore-scripts
 npx ng update @angular/core --from=10.0.0 --to=11.0.0 --migrate-only --allow-dirty --force
 ```
 
-If you wish to disable templating because of any security or performance concern, you may set `allowPostUpgradeCommandTemplating` to `false`.
-But before you disable templating completely, try the `allowedPostUpgradeCommands` config option to limit what commands are allowed to run.
+If you wish to disable templating because of any security or performance concern, you may set `allowCommandTemplating` to `false`.
+But before you disable templating completely, try the `allowedCommands` config option to limit what commands are allowed to run.
+
+This configuration option was previously named `allowPostUpgradeCommandTemplating`.
+
+## allowCustomCrateRegistries
+
+## allowPlugins
 
 ## allowScripts
 
+## allowedCommands
+
+A list of regular expressions that decide which commands in `postUpgradeTasks` are allowed to run.
+If this list is empty then no tasks will be executed.
+
+For example:
+
+```json
+{
+  "allowedCommands": ["^tslint --fix$", "^tslint --[a-z]+$"]
+}
+```
+
+This configuration option was formerly known as `allowedPostUpgradeCommands`.
+
 ## allowedEnv
 
 Bot administrators can allow users to configure custom environment variables within repo config.
@@ -129,19 +146,6 @@ module.exports = {
 };
 ```
 
-## allowedPostUpgradeCommands
-
-A list of regular expressions that decide which commands in `postUpgradeTasks` are allowed to run.
-If this list is empty then no tasks will be executed.
-
-For example:
-
-```json
-{
-  "allowedPostUpgradeCommands": ["^tslint --fix$", "^tslint --[a-z]+$"]
-}
-```
-
 ## autodiscover
 
 When you enable `autodiscover`, by default, Renovate runs on _every_ repository that the bot account can access.

lib/config/global.ts

@@ -3,12 +3,12 @@ import type { RenovateConfig, RepoGlobalConfig } from './types';
 export class GlobalConfig {
   // TODO: once global config work is complete, add a test to make sure this list includes all options with globalOnly=true (#9603)
   private static readonly OPTIONS: (keyof RepoGlobalConfig)[] = [
+    'allowedCommands',
     'allowedEnv',
+    'allowCommandTemplating',
     'allowCustomCrateRegistries',
     'allowedHeaders',
-    'allowedPostUpgradeCommands',
     'allowPlugins',
-    'allowPostUpgradeCommandTemplating',
     'allowScripts',
     'binarySource',
     'cacheDir',

lib/config/migrations/migrations-service.ts

@@ -82,6 +82,8 @@ export class MigrationsService {
 
   static readonly renamedProperties: ReadonlyMap<string, string> = new Map([
     ['adoptium-java', 'java-version'],
+    ['allowPostUpgradeCommandTemplating', 'allowCommandTemplating'],
+    ['allowedPostUpgradeCommands', 'allowedCommands'],
     ['azureAutoApprove', 'autoApprove'],
     ['customChangelogUrl', 'changelogUrl'],
     ['endpoints', 'hostRules'],

lib/config/options/index.ts

@@ -107,17 +107,17 @@ const options: RenovateOptions[] = [
     globalOnly: true,
   },
   {
-    name: 'allowPostUpgradeCommandTemplating',
+    name: 'allowCommandTemplating',
     description:
       'Set this to `false` to disable template compilation for post-upgrade commands.',
     type: 'boolean',
     default: true,
     globalOnly: true,
   },
   {
-    name: 'allowedPostUpgradeCommands',
+    name: 'allowedCommands',
     description:
-      'A list of regular expressions that decide which post-upgrade tasks are allowed.',
+      'A list of regular expressions that decide which commands are allowed in post-upgrade tasks.',
     type: 'array',
     subType: 'string',
     default: [],

lib/config/types.ts

@@ -131,13 +131,13 @@ export interface GlobalOnlyConfig {
 // Config options used within the repository worker, but not user configurable
 // The below should contain config options where globalOnly=true
 export interface RepoGlobalConfig {
+  allowedCommands?: string[];
+  allowCommandTemplating?: boolean;
   allowCustomCrateRegistries?: boolean;
   allowPlugins?: boolean;
-  allowPostUpgradeCommandTemplating?: boolean;
   allowScripts?: boolean;
   allowedEnv?: string[];
   allowedHeaders?: string[];
-  allowedPostUpgradeCommands?: string[];
   binarySource?: 'docker' | 'global' | 'install' | 'hermit';
   cacheDir?: string;
   cacheHardTtlMinutes?: number;

lib/config/validation.spec.ts

@@ -1780,7 +1780,7 @@ describe('config/validation', () => {
 
     it('validates array type options', async () => {
       const config = {
-        allowedPostUpgradeCommands: ['cmd'],
+        allowedCommands: ['cmd'],
         checkedBranches: 'invalid-type',
         gitNoVerify: ['invalid'],
         mergeConfidenceDatasources: [1],

lib/workers/global/config/parse/cli.ts

@@ -20,6 +20,11 @@ export function getConfig(input: string[]): AllConfig {
   const argv = input
     .map((a) =>
       a
+        .replace(
+          '--allow-post-upgrade-command-templating',
+          '--allow-command-templating',
+        )
+        .replace('--allowed-post-upgrade-commands', '--allowed-commands')
         .replace('--endpoints=', '--host-rules=')
         .replace('--expose-env=true', '--trust-level=high')
         .replace('--expose-env', '--trust-level=high')

lib/workers/global/config/parse/env.ts

@@ -41,6 +41,8 @@ const renameKeys = {
   gitLabAutomerge: 'platformAutomerge', // migrate: gitLabAutomerge
   mergeConfidenceApiBaseUrl: 'mergeConfidenceEndpoint',
   mergeConfidenceSupportedDatasources: 'mergeConfidenceDatasources',
+  allowPostUpgradeCommandTemplating: 'allowCommandTemplating',
+  allowedPostUpgradeCommands: 'allowedCommands',
 };
 
 function renameEnvKeys(env: NodeJS.ProcessEnv): NodeJS.ProcessEnv {

lib/workers/repository/update/branch/execute-post-upgrade-commands.spec.ts

@@ -47,7 +47,7 @@ describe('workers/repository/update/branch/execute-post-upgrade-commands', () =>
       );
       GlobalConfig.set({
         localDir: __dirname,
-        allowedPostUpgradeCommands: ['some-command'],
+        allowedCommands: ['some-command'],
       });
       fs.localPathIsFile
         .mockResolvedValueOnce(true)
@@ -97,7 +97,7 @@ describe('workers/repository/update/branch/execute-post-upgrade-commands', () =>
       );
       GlobalConfig.set({
         localDir: __dirname,
-        allowedPostUpgradeCommands: ['some-command'],
+        allowedCommands: ['some-command'],
       });
       fs.localPathIsFile
         .mockResolvedValueOnce(true)
@@ -146,7 +146,7 @@ describe('workers/repository/update/branch/execute-post-upgrade-commands', () =>
       );
       GlobalConfig.set({
         localDir: __dirname,
-        allowedPostUpgradeCommands: ['some-command'],
+        allowedCommands: ['some-command'],
       });
       fs.localPathIsFile
         .mockResolvedValueOnce(true)

lib/workers/repository/update/branch/execute-post-upgrade-commands.ts

@@ -30,19 +30,15 @@ export async function postUpgradeCommandsExecutor(
 ): Promise<PostUpgradeCommandsExecutionResult> {
   let updatedArtifacts = [...(config.updatedArtifacts ?? [])];
   const artifactErrors = [...(config.artifactErrors ?? [])];
-  const allowedPostUpgradeCommands = GlobalConfig.get(
-    'allowedPostUpgradeCommands',
-  );
-  const allowPostUpgradeCommandTemplating = GlobalConfig.get(
-    'allowPostUpgradeCommandTemplating',
-  );
+  const allowedCommands = GlobalConfig.get('allowedCommands');
+  const allowCommandTemplating = GlobalConfig.get('allowCommandTemplating');
 
   for (const upgrade of filteredUpgradeCommands) {
     addMeta({ dep: upgrade.depName });
     logger.trace(
       {
         tasks: upgrade.postUpgradeTasks,
-        allowedCommands: allowedPostUpgradeCommands,
+        allowedCommands,
       },
       `Checking for post-upgrade tasks`,
     );
@@ -65,13 +61,9 @@ export async function postUpgradeCommandsExecutor(
       }
 
       for (const cmd of commands) {
-        if (
-          allowedPostUpgradeCommands!.some((pattern) =>
-            regEx(pattern).test(cmd),
-          )
-        ) {
+        if (allowedCommands!.some((pattern) => regEx(pattern).test(cmd))) {
           try {
-            const compiledCmd = allowPostUpgradeCommandTemplating
+            const compiledCmd = allowCommandTemplating
               ? compile(cmd, mergeChildConfig(config, upgrade))
               : cmd;
 
@@ -94,14 +86,14 @@ export async function postUpgradeCommandsExecutor(
           logger.warn(
             {
               cmd,
-              allowedPostUpgradeCommands,
+              allowedCommands,
             },
-            'Post-upgrade task did not match any on allowedPostUpgradeCommands list',
+            'Post-upgrade task did not match any on allowedCommands list',
           );
           artifactErrors.push({
             lockFile: upgrade.packageFile,
             stderr: sanitize(
-              `Post-upgrade command '${cmd}' has not been added to the allowed list in allowedPostUpgradeCommands`,
+              `Post-upgrade command '${cmd}' has not been added to the allowed list in allowedCommands`,
             ),
           });
         }

lib/workers/repository/update/branch/index.spec.ts

@@ -1631,8 +1631,8 @@ describe('workers/repository/update/branch/index', () => {
 
       GlobalConfig.set({
         ...adminConfig,
-        allowedPostUpgradeCommands: ['^echo {{{versioning}}}$'],
-        allowPostUpgradeCommandTemplating: true,
+        allowedCommands: ['^echo {{{versioning}}}$'],
+        allowCommandTemplating: true,
         exposeAllEnv: true,
         localDir: '/localDir',
       });
@@ -1665,7 +1665,7 @@ describe('workers/repository/update/branch/index', () => {
         commitSha: null,
       });
       const errorMessage = expect.stringContaining(
-        "Post-upgrade command 'disallowed task' has not been added to the allowed list in allowedPostUpgradeCommand",
+        "Post-upgrade command 'disallowed task' has not been added to the allowed list in allowedCommands",
       );
       expect(platform.ensureComment).toHaveBeenCalledWith(
         expect.objectContaining({
@@ -1729,8 +1729,8 @@ describe('workers/repository/update/branch/index', () => {
 
       GlobalConfig.set({
         ...adminConfig,
-        allowedPostUpgradeCommands: ['^exit 1$'],
-        allowPostUpgradeCommandTemplating: true,
+        allowedCommands: ['^exit 1$'],
+        allowCommandTemplating: true,
         exposeAllEnv: true,
         localDir: '/localDir',
       });
@@ -1814,8 +1814,8 @@ describe('workers/repository/update/branch/index', () => {
       commit.commitFilesToBranch.mockResolvedValueOnce(null);
       GlobalConfig.set({
         ...adminConfig,
-        allowedPostUpgradeCommands: ['^echo {{{versioning}}}$'],
-        allowPostUpgradeCommandTemplating: false,
+        allowedCommands: ['^echo {{{versioning}}}$'],
+        allowCommandTemplating: false,
         exposeAllEnv: true,
         localDir: '/localDir',
       });
@@ -1916,8 +1916,8 @@ describe('workers/repository/update/branch/index', () => {
 
       GlobalConfig.set({
         ...adminConfig,
-        allowedPostUpgradeCommands: ['^echo {{{depName}}}$'],
-        allowPostUpgradeCommandTemplating: true,
+        allowedCommands: ['^echo {{{depName}}}$'],
+        allowCommandTemplating: true,
         exposeAllEnv: true,
         localDir: '/localDir',
       });
@@ -2066,8 +2066,8 @@ describe('workers/repository/update/branch/index', () => {
 
       GlobalConfig.set({
         ...adminConfig,
-        allowedPostUpgradeCommands: ['^echo hardcoded-string$'],
-        allowPostUpgradeCommandTemplating: true,
+        allowedCommands: ['^echo hardcoded-string$'],
+        allowCommandTemplating: true,
         trustLevel: 'high',
         localDir: '/localDir',
       });