angular-cn/.circleci
George Kalpakas 295889ed2e ci: prevent CI cache from growing indefinitely (#41814)
Previously, the fallback key used for the CircleCI cache could match a
cache indefinitely (as long as `.bazelversion` didn't change). This
would allow the cache to grow quite large, which in turn would lead to
slow-down in CI jobs. See, also, angular/angular-cli#17533 for more
details of the impact of a growing CircleCI cache.

Unfortunately, using something like the lockfile checksum in the
fallback cache key would cause too many cache misses (esp. with
automatic updates via Renovate), again slowing CI down.

(The problem was originally discussed [here][2].)

This commit uses the technique described in [this blogpost][1] to
invalidate the cache monthly. This keeps the extra cache misses low
(essentially once per month per fork), while also preventing the cache
from growing indefinitely.

[1]: https://support.circleci.com/hc/en-us/articles/360012618473-Creating-a-daily-cache
[2]: https://github.com/angular/angular/pull/41467#discussion_r607818494

PR Close #41814
2021-04-26 11:03:10 -07:00
..
README.md docs(dev-infra): update .circleci/README.md (#37212) 2020-05-20 09:40:51 -07:00
bazel.common.rc refactor: simplify bazel saucelabs targets using karma pre-test wrapper and shared saucelabs connection between tests (#34769) 2020-01-28 13:47:00 -08:00
bazel.linux.rc ci: remove BES usages from CI (#40809) 2021-02-11 12:28:55 -08:00
bazel.windows.rc ci: separate the windows CI tests into build and test (#39289) 2020-10-16 14:22:22 -07:00
config.yml ci: prevent CI cache from growing indefinitely (#41814) 2021-04-26 11:03:10 -07:00
env-helpers.inc.sh ci(docs-infra): use the tests from the stable branch in `aio_monitoring_stable` CircleCI job (#30110) 2019-04-26 16:33:45 -07:00
env.sh docs: remove duplicated the (#40434) 2021-01-14 11:33:57 -08:00
gcp_token ci: update gcp_token (#31405) 2019-07-03 08:54:02 -07:00
github_token ci: re-encrypt .circleci/github_token (#26698) 2018-10-23 13:31:48 -07:00
rebase-pr.js ci: correctly rebase PRs for branches contain a slash (/) (#40184) 2020-12-21 10:12:03 -08:00
setup_cache.sh Revert "build: update to newer circleCI bazel remote cache proxy (#25054)" (#25076) 2018-07-24 16:05:58 -07:00
trigger-webhook.js style(dev-infra): enforce format on newly included files (#36940) 2020-06-12 15:06:41 -07:00
windows-env.ps1 build: upgrade to node 14 (#41544) 2021-04-14 09:40:17 -07:00

README.md

Encryption

Based on https://github.com/circleci/encrypted-files

In the CircleCI web UI, we have a secret variable called KEY https://circleci.com/gh/angular/angular/edit#env-vars which is only exposed to non-fork builds (see "Pass secrets to builds from forked pull requests" under https://circleci.com/gh/angular/angular/edit#advanced-settings)

We use this as a symmetric AES encryption key to encrypt tokens like a GitHub token that enables publishing snapshots.

To create the github_token file, we take this approach:

  • Find the angular-builds:token in the internal pw database
  • Go inside the CircleCI default docker image so you use the same version of openssl as we will at runtime: docker run --rm -it circleci/node:10.12
  • echo "https://[token]:@github.com" > credentials
  • openssl aes-256-cbc -e -in credentials -out .circleci/github_token -k $KEY
  • If needed, base64-encode the result so you can copy-paste it out of docker: base64 github_token