From b45fa5e2633a101c7750a9f28c1c73e42cb7fd84 Mon Sep 17 00:00:00 2001
From: Alex Eagle
Date: Fri, 27 Apr 2018 16:21:38 -0700
Subject: [PATCH] ci: hide encryption key from circleci logs (#23585)
PR Close #23585
---
 .circleci/README.md | 19 +++++++++++++++++++
 .circleci/config.yml | 16 ++++++++++++++--
 .circleci/github_token | 4 +++-
 scripts/ci/publish-build-artifacts.sh | 18 +++---------------
 4 files changed, 39 insertions(+), 18 deletions(-)
 create mode 100644 .circleci/README.md
diff --git a/.circleci/README.md b/.circleci/README.md
new file mode 100644
index 0000000000..314caba8f3
--- /dev/null
+++ b/.circleci/README.md
@@ -0,0 +1,19 @@
+# Encryption
+
+Based on https://github.com/circleci/encrypted-files
+
+In the CircleCI web UI, we have a secret variable called `KEY`
+https://circleci.com/gh/angular/angular/edit#env-vars
+which is only exposed to non-fork builds
+(see "Pass secrets to builds from forked pull requests" under
+https://circleci.com/gh/angular/angular/edit#advanced-settings)
+
+We use this as a symmetric AES encryption key to encrypt tokens like
+a GitHub token that enables publishing snapshots.
+
+To create the github_token file, we take this approach:
+- Find the angular-builds:token in http://valentine
+- Go inside the ngcontainer docker image so you use the same version of openssl as we will at runtime: `docker run --rm -it angular/ngcontainer`
+- echo "https://[token]:@github.com" > credentials
+- openssl aes-256-cbc -e -in credentials -out .circleci/github_token -k $KEY
+- If needed, base64-encode the result so you can copy-paste it out of docker: `base64 github_token`
\ No newline at end of file
diff --git a/.circleci/config.yml b/.circleci/config.yml
index a4637e6531..f374b332c6 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -158,6 +158,16 @@ jobs:
 publish_snapshot:
 <<: *job_defaults
 steps:
+ # See below - ideally this job should not trigger for non-upstream builds.
+ # But since it does, we have to check this condition.
+ - run:
+ name: Skip this job for Pull Requests and Fork builds
+ # Note, `|| true` on the end makes this step always exit 0
+ command: '[[
+ -v CIRCLE_PR_NUMBER
+ || "$CIRCLE_PROJECT_USERNAME" != "angular"
+ || "$CIRCLE_PROJECT_REPONAME" != "angular"
+ ]] && circleci step halt || true'
 - checkout:
 <<: *post_checkout
 - attach_workspace:
@@ -166,6 +176,9 @@ jobs:
 # This is not compatible with our mechanism of using a Personal Access Token
 # Clear the global setting
 - run: git config --global --unset "url.ssh://git@github.com.insteadof"
+ - run:
+ name: Decrypt github credentials
+ command: 'openssl aes-256-cbc -d -in .circleci/github_token -k "${KEY}" -out ~/.git_credentials'
 - run: ./scripts/ci/publish-build-artifacts.sh
 aio_monitoring:
@@ -191,8 +204,7 @@ workflows:
 # Note: no filters on this job because we want it to run for all upstream branches
 # We'd really like to filter out pull requests here, but not yet available:
 # https://discuss.circleci.com/t/workflows-pull-request-filter/14396/4
- # Instead, the publish-build-artifacts.sh script just terminates when
- # CIRCLE_PR_NUMBER is set.
+ # Instead, the job just exits immediately at the first step.
 requires:
 # Only publish if tests and integration tests pass
 - test
diff --git a/.circleci/github_token b/.circleci/github_token
index 1c80ccfe59..2922f40f76 100644
--- a/.circleci/github_token
+++ b/.circleci/github_token
@@ -1 +1,3 @@
-Salted__ê÷ûË“]ê×þOʤu'÷–UzhŽ®ìbEÕ]+ÉxCèY-ÿ?ýc"qÒ;ƲK@l#ÒxÞ€IÊ1&w0ç+á\p/Ož;
\ No newline at end of file
+Salted__)I§·Às(<_°‡—Tùë?î +‚ Ó³y–™ð”°³ž­&AË +I]ôÁ²4®‰·ø“½à?¶I
\ No newline at end of file
diff --git a/scripts/ci/publish-build-artifacts.sh b/scripts/ci/publish-build-artifacts.sh
index 42686a18a2..e89754a4d7 100755
--- a/scripts/ci/publish-build-artifacts.sh
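Review bot: The guard step in the first hunk of .circleci/config.yml fails open: with `[[ … ]] && circleci step halt || true`, a `circleci step halt` that fails for any reason (binary missing, non-zero exit) is swallowed by `|| true` and the job carries on into the decrypt and publish steps on a PR or fork build. The comment says the step must always exit 0, but that is only needed when the condition is false, not when the halt itself fails. Writing it as `if [[ -v CIRCLE_PR_NUMBER || "$CIRCLE_PROJECT_USERNAME" != "angular" || "$CIRCLE_PROJECT_REPONAME" != "angular" ]]; then circleci step halt; fi` keeps exit 0 on the upstream path while letting a failed halt fail the job. On a fork `KEY` should be absent (per the new README) so the decrypt would fail anyway, but a non-fork PR branch has `KEY` and would presumably publish.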
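Review bot: The decrypt step in the second hunk of .circleci/config.yml passes the secret as a command-line argument, `-k "${KEY}"`, so the expanded key is visible to any other process in the build container through the process list (`ps`, `/proc/<pid>/cmdline`) for the lifetime of the openssl call, even though CircleCI presumably logs only the unexpanded command text. openssl can read the passphrase from the environment instead, which keeps it out of argv: `command: 'openssl aes-256-cbc -d -in .circleci/github_token -pass env:KEY -out ~/.git_credentials'`. The encryption recipe in the new .circleci/README.md uses the same `-k $KEY` form and should be updated to match so the two stay in sync.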
+++ b/scripts/ci/publish-build-artifacts.sh
@@ -64,7 +64,7 @@ function publishRepo {
 BUILD_VER="${LATEST_TAG}+${SHORT_SHA}"
 if [[ ${CI} ]]; then
 (
- # The file ~/.git_credentials is created below
+ # The file ~/.git_credentials is created in /.circleci/config.yml
 cd $REPO_DIR && \
 git config credential.helper "store --file=$HOME/.git_credentials"
 )
@@ -122,19 +122,7 @@ CUR_BRANCH=${CIRCLE_BRANCH:-$(git symbolic-ref --short HEAD)}
 if [ $# -gt 0 ]; then
 ORG=$1
 publishPackages "ssh" dist/packages-dist $CUR_BRANCH
-
-elif [[ \
- "$CIRCLE_PROJECT_USERNAME" == "angular" && \
- "$CIRCLE_PROJECT_REPONAME" == "angular" && \
- ! -v CIRCLE_PR_NUMBER ]]; then
- ORG="angular"
- # $KEY is set on CI only for non-PR builds. See /.circleci/README.md
- openssl aes-256-cbc -d -in .circleci/github_token -k "${KEY}" -out "${HOME}/.git_credentials"
-
- publishPackages "http" dist/packages-dist $CUR_BRANCH
- # Clean up the credentials file out of caution
- rm "${HOME}/.git_credentials"
-
 else
- echo "Not building the upstream/${CUR_BRANCH} branch, build artifacts won't be published."
+ ORG="angular"
+ publishPackages "http" dist/packages-dist $CUR_BRANCH
 fi
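Review bot: The rewritten else branch in the second hunk of scripts/ci/publish-build-artifacts.sh drops the `rm "${HOME}/.git_credentials"` that the old branch ran after publishing, and the new config.yml step only creates the file, so the decrypted GitHub token now remains on disk in the plain-text credential store for the rest of the job. Adding `rm -f "${HOME}/.git_credentials"` after the http `publishPackages` call (or as a final `run` step in the job) restores the previous cleanup. The script itself also no longer checks `CIRCLE_PR_NUMBER` or the project owner, so the halt step in config.yml is the only thing standing between a PR build and an http publish; that dependency deserves a comment above `else`, e.g. `# Upstream builds only: the publish_snapshot job in .circleci/config.yml halts PR/fork builds before this script runs.` The if/else/fi block is wholly inside the hunk.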