ci: hide encryption key from circleci logs (#23585)

PR Close #23585

.circleci/README.md

@@ -0,0 +1,19 @@
+# Encryption
+
+Based on https://github.com/circleci/encrypted-files
+
+In the CircleCI web UI, we have a secret variable called `KEY`
+https://circleci.com/gh/angular/angular/edit#env-vars
+which is only exposed to non-fork builds
+(see "Pass secrets to builds from forked pull requests" under
+https://circleci.com/gh/angular/angular/edit#advanced-settings)
+
+We use this as a symmetric AES encryption key to encrypt tokens like
+a GitHub token that enables publishing snapshots.
+
+To create the github_token file, we take this approach:
+- Find the angular-builds:token in http://valentine
+- Go inside the ngcontainer docker image so you use the same version of openssl as we will at runtime: `docker run --rm -it angular/ngcontainer`
+- echo "https://[token]:@github.com" > credentials
+- openssl aes-256-cbc -e -in credentials -out .circleci/github_token -k $KEY
+- If needed, base64-encode the result so you can copy-paste it out of docker: `base64 github_token`

.circleci/config.yml

@@ -158,6 +158,16 @@ jobs:
   publish_snapshot:
     <<: *job_defaults
     steps:
+      # See below - ideally this job should not trigger for non-upstream builds.
+      # But since it does, we have to check this condition.
+      - run:
+          name: Skip this job for Pull Requests and Fork builds
+          # Note, `|| true` on the end makes this step always exit 0
+          command: '[[
+              -v CIRCLE_PR_NUMBER
+              || "$CIRCLE_PROJECT_USERNAME" != "angular"
+              || "$CIRCLE_PROJECT_REPONAME" != "angular"
+          ]] && circleci step halt || true'
       - checkout:
           <<: *post_checkout
       - attach_workspace:
@@ -166,6 +176,9 @@ jobs:
       # This is not compatible with our mechanism of using a Personal Access Token
       # Clear the global setting
       - run: git config --global --unset "url.ssh://git@github.com.insteadof"
+      - run:
+          name: Decrypt github credentials
+          command: 'openssl aes-256-cbc -d -in .circleci/github_token -k "${KEY}" -out ~/.git_credentials'
       - run: ./scripts/ci/publish-build-artifacts.sh
 
   aio_monitoring:
@@ -191,8 +204,7 @@ workflows:
           # Note: no filters on this job because we want it to run for all upstream branches
           # We'd really like to filter out pull requests here, but not yet available:
           # https://discuss.circleci.com/t/workflows-pull-request-filter/14396/4
-          # Instead, the publish-build-artifacts.sh script just terminates when
-          # CIRCLE_PR_NUMBER is set.
+          # Instead, the job just exits immediately at the first step.
           requires:
             # Only publish if tests and integration tests pass
             - test

.circleci/github_token

@@ -1 +1,3 @@
-Salted__ê÷û<EFBFBD>Ë“]ê×þO<>ʤu'÷–UzhŽ®ìbEÕ]+ÉxCèY-ÿ?ýc"qÒ;ƲK@l#ÒxÞ€<C39E>IÊ1&w0ç+á\p/Ož;Â
+Salted__)I§·Às(<_°‡—Tùë?î
+‚ Ó³y–™ð”°³ž<C2B3>­&AË
+I]ôÁ²<17>4®‰·ø“½à?¶I

scripts/ci/publish-build-artifacts.sh

@@ -64,7 +64,7 @@ function publishRepo {
   BUILD_VER="${LATEST_TAG}+${SHORT_SHA}"
   if [[ ${CI} ]]; then
     (
-      # The file ~/.git_credentials is created below
+      # The file ~/.git_credentials is created in /.circleci/config.yml
       cd $REPO_DIR && \
       git config credential.helper "store --file=$HOME/.git_credentials"
     )
@@ -122,19 +122,7 @@ CUR_BRANCH=${CIRCLE_BRANCH:-$(git symbolic-ref --short HEAD)}
 if [ $# -gt 0 ]; then
   ORG=$1
   publishPackages "ssh" dist/packages-dist $CUR_BRANCH
-
-elif [[ \
-    "$CIRCLE_PROJECT_USERNAME" == "angular" && \
-    "$CIRCLE_PROJECT_REPONAME" == "angular" && \
-    ! -v CIRCLE_PR_NUMBER ]]; then
-  ORG="angular"
-  # $KEY is set on CI only for non-PR builds. See /.circleci/README.md
-  openssl aes-256-cbc -d -in .circleci/github_token -k "${KEY}" -out "${HOME}/.git_credentials"
-
-  publishPackages "http" dist/packages-dist $CUR_BRANCH
-  # Clean up the credentials file out of caution
-  rm "${HOME}/.git_credentials"
-
 else
-  echo "Not building the upstream/${CUR_BRANCH} branch, build artifacts won't be published."
+  ORG="angular"
+  publishPackages "http" dist/packages-dist $CUR_BRANCH
 fi