George Kalpakas 3ceb2b85da ci: avoid hard-coding path to local yarn executable (#34384)
We keep a version of yarn in the repo, at
`third_party/github.com/yarnpkg/`. All CI jobs (including Windows ones)
should use that version for consistency (and easier updates). The path
to the actual `yarn.js` script, however, changes depending on the
version (e.g. `third_party/github.com/yarnpkg/v1.21.1/...`).
(NOTE: The Windows jobs are currently not using this local version, but
that should be fixed in a subsequent commit.)

Previously, when updating the local version of yarn, we would
potentially have to update the path in several places.

This commit addresses the problem by adding a Node.js script that infers
the correct path. The script can be used in all places where we need to
use the local version of yarn (including both Linux and Windows CI
jobs), thus eliminating the need to update the path in several places.

PR Close #34384
2019-12-16 07:39:58 -08:00
..
2019-07-03 08:54:02 -07:00

Encryption

Based on https://github.com/circleci/encrypted-files

In the CircleCI web UI, we have a secret variable called KEY https://circleci.com/gh/angular/angular/edit#env-vars which is only exposed to non-fork builds (see "Pass secrets to builds from forked pull requests" under https://circleci.com/gh/angular/angular/edit#advanced-settings)

We use this as a symmetric AES encryption key to encrypt tokens like a GitHub token that enables publishing snapshots.

To create the github_token file, we take this approach:

  • Find the angular-builds:token in http://valentine
  • Go inside the CircleCI default docker image so you use the same version of openssl as we will at runtime: docker run --rm -it circleci/node:10.12
  • echo "https://[token]:@github.com" > credentials
  • openssl aes-256-cbc -e -in credentials -out .circleci/github_token -k $KEY
  • If needed, base64-encode the result so you can copy-paste it out of docker: base64 github_token