cargdev/angular
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases Wiki Activity

ci: hide encryption key from circleci logs (#23585)

Browse Source 
PR Close #23585
This commit is contained in:
Alex Eagle
2018-04-27 16:21:38 -07:00
committed by Igor Minar
parent d7ed9c9e9e
commit b45fa5e263
4 changed files with 39 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
.circleci/README.md Normal file
View File

@ -0,0 +1,19 @@
# Encryption
Based on https://github.com/circleci/encrypted-files
In the CircleCI web UI, we have a secret variable called `KEY`
https://circleci.com/gh/angular/angular/edit#env-vars
which is only exposed to non-fork builds
(see "Pass secrets to builds from forked pull requests" under
https://circleci.com/gh/angular/angular/edit#advanced-settings)
We use this as a symmetric AES encryption key to encrypt tokens like
a GitHub token that enables publishing snapshots.
To create the github_token file, we take this approach:
- Find the angular-builds:token in http://valentine
- Go inside the ngcontainer docker image so you use the same version of openssl as we will at runtime: `docker run --rm -it angular/ngcontainer`
- echo "https://[token]:@github.com" > credentials
- openssl aes-256-cbc -e -in credentials -out .circleci/github_token -k $KEY
- If needed, base64-encode the result so you can copy-paste it out of docker: `base64 github_token`

16
.circleci/config.yml
View File

@ -158,6 +158,16 @@ jobs:
publish_snapshot:
<<: *job_defaults
steps:
# See below - ideally this job should not trigger for non-upstream builds.
# But since it does, we have to check this condition.
- run:
name: Skip this job for Pull Requests and Fork builds
# Note, `|| true` on the end makes this step always exit 0
command: '[[
-v CIRCLE_PR_NUMBER
|| "$CIRCLE_PROJECT_USERNAME" != "angular"
|| "$CIRCLE_PROJECT_REPONAME" != "angular"
]] && circleci step halt || true'
- checkout:
<<: *post_checkout
- attach_workspace:
@ -166,6 +176,9 @@ jobs:
# This is not compatible with our mechanism of using a Personal Access Token
# Clear the global setting
- run: git config --global --unset "url.ssh://git@github.com.insteadof"
- run:
name: Decrypt github credentials
command: 'openssl aes-256-cbc -d -in .circleci/github_token -k "${KEY}" -out ~/.git_credentials'
- run: ./scripts/ci/publish-build-artifacts.sh
aio_monitoring:
@ -191,8 +204,7 @@ workflows:
# Note: no filters on this job because we want it to run for all upstream branches
# We'd really like to filter out pull requests here, but not yet available:
# https://discuss.circleci.com/t/workflows-pull-request-filter/14396/4
# Instead, the publish-build-artifacts.sh script just terminates when
# CIRCLE_PR_NUMBER is set.
# Instead, the job just exits immediately at the first step.
requires:
# Only publish if tests and integration tests pass
- test

4
.circleci/github_token
View File

@ -1 +1,3 @@
Salted__<EFBFBD><EFBFBD><EFBFBD><EFBFBD>˓]<5D><><EFBFBD>O<>ʤu'<27><>Uzh<7A><68><EFBFBD>bE<62>]+<2B>xC<78>Y-<2D>?<3F>c"q<>;ƲK@l#<23><78>I<EFBFBD>1&w0<77>+<2B>\p/O<>;<EFBFBD>
Salted__)I<><49><EFBFBD>s(<_<><5F><EFBFBD>T<EFBFBD><54>?<EFBFBD>
<EFBFBD> ӳy<D3B3><79>𔰳<EFBFBD><F094B0B3><EFBFBD>&A<>
I]<5D><><EFBFBD><17>4<EFBFBD><34><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>?<3F>I