History

George Kalpakas 43bbc409a2 ci: pin docker images by ID for hermeticity (#32602 ) Previously, the docker images used on CI where specified by a tag (`10.16` and `10.16-browsers`). Since tags are not immutable, this only pins specific characteristics of the environment (e.g. the OS type and the Node.js version), but not others. Especially when using a tag that does not specify the patch version (e.g. `10.16` instead of `10.16.0`), it is inevitable that the image will change at some point, potentially leading to unrelated failures due to changes in the environment. One source of such failures can be the Chrome version used in tests. Since we install a specific ChromeDriver version (that is only compatible with specific Chrome version ranges), unexpectedly updating to a newer Chrome version may break the tests if the new version falls outside the range of supported version for our pinned ChromeDriver. Using a tag that specifies the patch version (e.g. `10.16.0`) or even the OS version (e.g. `10.16.0-buster`) is safer (i.e. has a lower probability of introducing the kind of breakages described above), but is still not fully hermetic. This commit prevents such breakages by pinning the docker images by ID. Image IDs are based on the image's digest (SHA256) and are thus immutable, ensuring that all CI jobs will be running on the exact same image. See [here][1] for more info on pre-built CircleCI docker images and more specifically [pinning images by ID][2]. [1]: https://circleci.com/docs/2.0/circleci-images [2]: https://circleci.com/docs/2.0/circleci-images#using-a-docker-image-id-to-pin-an-image-to-a-fixed-version PR Close #32602		2019-09-11 12:34:14 -04:00
..
README.md	build: use bazel version from node modules (#26691 )	2018-10-30 16:19:13 -04:00
bazel.common.rc	ci: use circleci windows preview (#31266 )	2019-08-19 13:32:14 -07:00
bazel.linux.rc	ci: use circleci windows preview (#31266 )	2019-08-19 13:32:14 -07:00
bazel.windows.rc	ci: use circleci windows preview (#31266 )	2019-08-19 13:32:14 -07:00
config.yml	ci: pin docker images by ID for hermeticity (#32602 )	2019-09-11 12:34:14 -04:00
env-helpers.inc.sh	ci(docs-infra): use the tests from the stable branch in `aio_monitoring_stable` CircleCI job (#30110 )	2019-04-26 16:33:45 -07:00
env.sh	ci: update material-unit-tests commit (#32485 )	2019-09-10 15:19:31 -04:00
gcp_token	ci: update gcp_token (#31405 )	2019-07-03 08:54:02 -07:00
get-commit-range.js	ci: work around `CIRCLE_COMPARE_URL` not being available wih CircleCI Pipelines (#32537 )	2019-09-09 12:21:44 -04:00
github_token	ci: re-encrypt .circleci/github_token (#26698 )	2018-10-23 13:31:48 -07:00
setup-rbe.sh	test(ivy): update Material to recent commit from master branch (#31569 )	2019-07-25 13:08:33 -07:00
setup_cache.sh	Revert "build: update to newer circleCI bazel remote cache proxy (#25054 )" (#25076 )	2018-07-24 16:05:58 -07:00
trigger-webhook.js	ci(docs-infra): manually trigger the preview server webhook (#27458 )	2018-12-04 13:59:54 -08:00
windows-env.ps1	ci: use circleci windows preview (#31266 )	2019-08-19 13:32:14 -07:00

README.md

Encryption

Based on https://github.com/circleci/encrypted-files

In the CircleCI web UI, we have a secret variable called KEY https://circleci.com/gh/angular/angular/edit#env-vars which is only exposed to non-fork builds (see "Pass secrets to builds from forked pull requests" under https://circleci.com/gh/angular/angular/edit#advanced-settings)

We use this as a symmetric AES encryption key to encrypt tokens like a GitHub token that enables publishing snapshots.

To create the github_token file, we take this approach:

Find the angular-builds:token in http://valentine
Go inside the CircleCI default docker image so you use the same version of openssl as we will at runtime: docker run --rm -it circleci/node:10.12
echo "https://[token]:@github.com" > credentials
openssl aes-256-cbc -e -in credentials -out .circleci/github_token -k $KEY
If needed, base64-encode the result so you can copy-paste it out of docker: base64 github_token