d37dad82f1
This is done by requesting the refs and shas for the PR when the env.sh script is run. Additionally, the env.sh script is now setup to write all of the environment variables created to a cache file and subsequent loads of the environment load the values from there. The get-refs-and-shas-for-target.js script now also first attempts to load the refs and shas from an environment variable before falling back to requesting from github via the API. PR Close #36207 |
||
|---|---|---|
| .. | ||
| README.md | ||
| bazel.common.rc | ||
| bazel.linux.rc | ||
| bazel.windows.rc | ||
| config.yml | ||
| env-helpers.inc.sh | ||
| env.sh | ||
| gcp_token | ||
| github_token | ||
| setup_cache.sh | ||
| trigger-webhook.js | ||
| windows-env.ps1 | ||
README.md
Encryption
Based on https://github.com/circleci/encrypted-files
In the CircleCI web UI, we have a secret variable called KEY
https://circleci.com/gh/angular/angular/edit#env-vars
which is only exposed to non-fork builds
(see "Pass secrets to builds from forked pull requests" under
https://circleci.com/gh/angular/angular/edit#advanced-settings)
We use this as a symmetric AES encryption key to encrypt tokens like a GitHub token that enables publishing snapshots.
To create the github_token file, we take this approach:
- Find the angular-builds:token in http://valentine
- Go inside the CircleCI default docker image so you use the same version of openssl as we will at runtime:
docker run --rm -it circleci/node:10.12 - echo "https://[token]:@github.com" > credentials
- openssl aes-256-cbc -e -in credentials -out .circleci/github_token -k $KEY
- If needed, base64-encode the result so you can copy-paste it out of docker:
base64 github_token