ci: hide encryption key from circleci logs (#23585)

PR Close #23585
Alex Eagle 2018-04-27 16:21:38 -07:00 committed by Igor Minar
parent d7ed9c9e9e
commit b45fa5e263
4 changed files with 39 additions and 18 deletions

.circleci/README.md Normal file

@ -0,0 +1,19 @@
# Encryption
Based on https://github.com/circleci/encrypted-files
In the CircleCI web UI, we have a secret variable called `KEY`
https://circleci.com/gh/angular/angular/edit#env-vars
which is only exposed to non-fork builds
(see "Pass secrets to builds from forked pull requests" under
https://circleci.com/gh/angular/angular/edit#advanced-settings)
We use this as a symmetric AES encryption key to encrypt tokens like
a GitHub token that enables publishing snapshots.
To create the github_token file, we take this approach:
- Find the angular-builds:token in http://valentine
- Go inside the ngcontainer docker image so you use the same version of openssl as we will at runtime: `docker run --rm -it angular/ngcontainer`
- echo "https://[token]:@github.com" > credentials
- openssl aes-256-cbc -e -in credentials -out .circleci/github_token -k $KEY
- If needed, base64-encode the result so you can copy-paste it out of docker: `base64 github_token`


@ -158,6 +158,16 @@ jobs:
publish_snapshot: publish_snapshot:
<<: *job_defaults <<: *job_defaults
steps: steps:
# See below - ideally this job should not trigger for non-upstream builds.
# But since it does, we have to check this condition.
- run:
name: Skip this job for Pull Requests and Fork builds
# Note, `|| true` on the end makes this step always exit 0
command: '[[
-v CIRCLE_PR_NUMBER
|| "$CIRCLE_PROJECT_USERNAME" != "angular"
|| "$CIRCLE_PROJECT_REPONAME" != "angular"
]] && circleci step halt || true'
- checkout: - checkout:
<<: *post_checkout <<: *post_checkout
- attach_workspace: - attach_workspace:
@ -166,6 +176,9 @@ jobs:
# This is not compatible with our mechanism of using a Personal Access Token # This is not compatible with our mechanism of using a Personal Access Token
# Clear the global setting # Clear the global setting
- run: git config --global --unset "url.ssh://git@github.com.insteadof" - run: git config --global --unset "url.ssh://git@github.com.insteadof"
- run:
name: Decrypt github credentials
command: 'openssl aes-256-cbc -d -in .circleci/github_token -k "${KEY}" -out ~/.git_credentials'
- run: ./scripts/ci/publish-build-artifacts.sh - run: ./scripts/ci/publish-build-artifacts.sh
aio_monitoring: aio_monitoring:
@ -191,8 +204,7 @@ workflows:
# Note: no filters on this job because we want it to run for all upstream branches # Note: no filters on this job because we want it to run for all upstream branches
# We'd really like to filter out pull requests here, but not yet available: # We'd really like to filter out pull requests here, but not yet available:
# https://discuss.circleci.com/t/workflows-pull-request-filter/14396/4 # https://discuss.circleci.com/t/workflows-pull-request-filter/14396/4
# Instead, the publish-build-artifacts.sh script just terminates when # Instead, the job just exits immediately at the first step.
# CIRCLE_PR_NUMBER is set.
requires: requires:
# Only publish if tests and integration tests pass # Only publish if tests and integration tests pass
- test - test
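Review bot: The plaintext `~/.git_credentials` produced by the new `Decrypt github credentials` step (second hunk) is never removed: the `rm "${HOME}/.git_credentials"` that publish-build-artifacts.sh ran after publishing is deleted in this same commit and nothing in the job replaces it, so the token remains on the container filesystem for the rest of the job. Add a cleanup step after the publish step, e.g. `- run: { name: Remove decrypted credentials, command: rm -f ~/.git_credentials, when: always }`, so it also runs when publishing fails. Passing the passphrase as `-k "${KEY}"` also puts it in the openssl process argv, where anything listing processes in the container can read it; `-pass env:KEY` hands openssl the same value without that exposure. Since `-k` alone selects openssl's legacy single-iteration key derivation, the scheme's strength rests on `KEY` being a long random value, which the README should state; if the ngcontainer openssl is 1.1.1 or newer, adding `-pbkdf2` to both the encrypt command in the README and this decrypt command is the better default. Both `run` steps belong to the `publish_snapshot` job, whose definition continues outside the hunk.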


@ -1 +1,3 @@
Salted__ê÷û<EFBFBD>Ë“]ê×þO<>ʤu'÷UzhŽ®ìbEÕ]+ÉxCèY-ÿ?ýc"qÒ;ƲK@l#ÒxÞ€<C39E>IÊ1&w0ç+á\p/Ož; Salted__)I§·Às(<_°‡—Tùë?î
Ó³y™ð”°³ž<C2B3>­&AË
I]ôÁ²<17>4®‰·ø“½à?¶I


@ -64,7 +64,7 @@ function publishRepo {
BUILD_VER="${LATEST_TAG}+${SHORT_SHA}" BUILD_VER="${LATEST_TAG}+${SHORT_SHA}"
if [[ ${CI} ]]; then if [[ ${CI} ]]; then
( (
# The file ~/.git_credentials is created below # The file ~/.git_credentials is created in /.circleci/config.yml
cd $REPO_DIR && \ cd $REPO_DIR && \
git config credential.helper "store --file=$HOME/.git_credentials" git config credential.helper "store --file=$HOME/.git_credentials"
) )
@ -122,19 +122,7 @@ CUR_BRANCH=${CIRCLE_BRANCH:-$(git symbolic-ref --short HEAD)}
if [ $# -gt 0 ]; then if [ $# -gt 0 ]; then
ORG=$1 ORG=$1
publishPackages "ssh" dist/packages-dist $CUR_BRANCH publishPackages "ssh" dist/packages-dist $CUR_BRANCH
elif [[ \
"$CIRCLE_PROJECT_USERNAME" == "angular" && \
"$CIRCLE_PROJECT_REPONAME" == "angular" && \
! -v CIRCLE_PR_NUMBER ]]; then
ORG="angular"
# $KEY is set on CI only for non-PR builds. See /.circleci/README.md
openssl aes-256-cbc -d -in .circleci/github_token -k "${KEY}" -out "${HOME}/.git_credentials"
publishPackages "http" dist/packages-dist $CUR_BRANCH
# Clean up the credentials file out of caution
rm "${HOME}/.git_credentials"
else else
echo "Not building the upstream/${CUR_BRANCH} branch, build artifacts won't be published." ORG="angular"
publishPackages "http" dist/packages-dist $CUR_BRANCH
fi fi
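Review bot: With the `elif` guard removed (second hunk), the argument-less path now publishes over http unconditionally and relies entirely on the new CircleCI halt step to keep fork and pull-request builds out; the script itself no longer refuses to run when `CIRCLE_PR_NUMBER` is set or the project is not `angular/angular`, so invoking it locally or from another pipeline yields a publish attempt instead of the old "won't be published" message. A cheap fail-closed check at the top of the `else` branch, `[[ -v CIRCLE_PR_NUMBER ]] && { echo "Pull request build, build artifacts won't be published."; exit 0; }`, keeps the two layers independent at no cost. The comment change in the first hunk is inside `publishRepo`, which starts and ends outside the hunk.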