8d11627e6c
Currently our version of Yarn is installed through the "circleci/node" docker image. This is problematic because in order to be able to update Yarn, we always need to update the docker image to a version that comes with the desired Yarn version. Sometimes there is no docker image with the desired latest Yarn version, and therefore we cannot easily update the Yarn version. Additionally updating the docker image also means that we need to update our version of NodeJS, as well as the version of `openssl` might have changed (meaning that our encrypted credential files may not be decodable with the new version of `openssl`) PR Close #28546 |
||
|---|---|---|
| .. | ||
| README.md | ||
| bazel.rc | ||
| config.yml | ||
| env-helpers.inc.sh | ||
| env.sh | ||
| gcp_token | ||
| get-commit-range.js | ||
| github_token | ||
| setup_cache.sh | ||
| trigger-webhook.js | ||
README.md
Encryption
Based on https://github.com/circleci/encrypted-files
In the CircleCI web UI, we have a secret variable called KEY
https://circleci.com/gh/angular/angular/edit#env-vars
which is only exposed to non-fork builds
(see "Pass secrets to builds from forked pull requests" under
https://circleci.com/gh/angular/angular/edit#advanced-settings)
We use this as a symmetric AES encryption key to encrypt tokens like a GitHub token that enables publishing snapshots.
To create the github_token file, we take this approach:
- Find the angular-builds:token in http://valentine
- Go inside the CircleCI default docker image so you use the same version of openssl as we will at runtime:
docker run --rm -it circleci/node:10.12 - echo "https://[token]:@github.com" > credentials
- openssl aes-256-cbc -e -in credentials -out .circleci/github_token -k $KEY
- If needed, base64-encode the result so you can copy-paste it out of docker:
base64 github_token