07fb4b5677
Previously all Bazel repositories were cached on CircleCI because the `experimental_repository_cache` flag has been specified and the given repository cache directory has been included in the CircleCI cache storage. The directory is currently still included in the CircleCI cache storage, but the `--repository_cache` flag is no longer specified, and the cache directory is basically empty all the time. The flag seems to have been removed accidentally within SHA c8b70ae8e4a878c8855249df82bf3a46ce6ea0e5. We should specifiy this flag on the CI again, so that Bazel doesn't need to install the Bazel managed node modules all the time. This would slow down analysis phase on CI; and also makes us dependent on the Yarn/NPM registry which often times out if we fetch a lot of dependencies. Also in order to make sure that cached Bazel repositories are also most of the time in sync with what's currently defined in the workspace, we need to update the cache key. PR Close #28515
Encryption
Based on https://github.com/circleci/encrypted-files
In the CircleCI web UI, we have a secret variable called KEY
https://circleci.com/gh/angular/angular/edit#env-vars
which is only exposed to non-fork builds
(see "Pass secrets to builds from forked pull requests" under
https://circleci.com/gh/angular/angular/edit#advanced-settings)
We use this as a symmetric AES encryption key to encrypt tokens like a GitHub token that enables publishing snapshots.
To create the github_token file, we take this approach:
- Find the angular-builds:token in http://valentine
- Go inside the CircleCI default docker image so you use the same version of openssl as we will at runtime:
docker run --rm -it circleci/node:10.12 - echo "https://[token]:@github.com" > credentials
- openssl aes-256-cbc -e -in credentials -out .circleci/github_token -k $KEY
- If needed, base64-encode the result so you can copy-paste it out of docker:
base64 github_token