ci: move CircleCI env variables definition to shell script (#26786)

PR Close #26786

.circleci/config.yml

@@ -19,29 +19,7 @@ var_2: &cache_key v2-angular-{{ .Branch }}-{{ checksum "yarn.lock" }}-0.7.0
 var_3: &define_env_vars
   run:
     name: Define environment variables
-    command: |
+    command: ./.circleci/env.sh
-      # In CircleCI, each step runs in a new shell. The way to share ENV variables across steps is to export them from
-      # `$BASH_ENV`, which is automatically sourced at the beginning of every step (for the default `bash` shell).
-      #
-      # See also https://circleci.com/docs/2.0/env-vars/#using-bash_env-to-set-environment-variables.
-      #
-      # NOTE:
-      # Using `tee -a` prints the values to stdout, which can help with debugging.
-      # Secrets (e.g. passwords, access token) should NOT be printed.
-      echo "export PROJECT_ROOT=$(pwd)" | tee -a $BASH_ENV
-      echo "export CI_AIO_MIN_PWA_SCORE=95" | tee -a $BASH_ENV
-      # This is the branch being built; e.g. `pull/12345` for PR builds.
-      echo "export CI_BRANCH=$CIRCLE_BRANCH" | tee -a $BASH_ENV
-      echo "export CI_COMMIT=$CIRCLE_SHA1" | tee -a $BASH_ENV
-      # `CI_COMMIT_RANGE` will only be available when `CIRCLE_COMPARE_URL` is also available,
-      # i.e. on push builds (a.k.a. non-PR builds). That is fine, since we only need it in push builds.
-      echo "export CI_COMMIT_RANGE=$(sed -r 's|^.*/([0-9a-f]+\.\.\.[0-9a-f]+)$|\1|i' <<< ${CIRCLE_COMPARE_URL:-})" | tee -a $BASH_ENV
-      echo "export CI_PULL_REQUEST=${CIRCLE_PR_NUMBER:-false}" | tee -a $BASH_ENV
-      echo "export CI_REPO_NAME=$CIRCLE_PROJECT_REPONAME" | tee -a $BASH_ENV
-      echo "export CI_REPO_OWNER=$CIRCLE_PROJECT_USERNAME" | tee -a $BASH_ENV
-      # WARNING: Secrets (do not print).
-      echo "export CI_SECRET_AIO_DEPLOY_FIREBASE_TOKEN=$AIO_DEPLOY_TOKEN" >> $BASH_ENV
-      echo "export CI_SECRET_PAYLOAD_FIREBASE_TOKEN=$ANGULAR_PAYLOAD_TOKEN" >> $BASH_ENV
 
 # See remote cache documentation in /docs/BAZEL.md
 var_4: &setup-bazel-remote-cache
@@ -79,9 +57,9 @@ jobs:
     <<: *job_defaults
     resource_class: xlarge
     steps:
-      - *define_env_vars
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
       - run: sudo cp .circleci/bazel.rc /etc/bazel.bazelrc
 
       # Check BUILD.bazel formatting before we have a node_modules directory
@@ -102,9 +80,9 @@ jobs:
     <<: *job_defaults
     resource_class: xlarge
     steps:
-      - *define_env_vars
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
       - run: sudo cp .circleci/bazel.rc /etc/bazel.bazelrc
 
       - run: bazel info release
@@ -148,9 +126,9 @@ jobs:
     steps:
       # don't run this job on the patch branch (to preserve resources)
       - run: circleci step halt
-      - *define_env_vars
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
       - run: sudo cp .circleci/bazel.rc /etc/bazel.bazelrc
 
       - run: bazel run @yarn//:yarn
@@ -163,9 +141,9 @@ jobs:
     steps:
       # don't run this job on the patch branch (to preserve resources)
       - run: circleci step halt
-      - *define_env_vars
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
       - run: sudo cp .circleci/bazel.rc /etc/bazel.bazelrc
 
       - run: bazel run @yarn//:yarn
@@ -175,10 +153,10 @@ jobs:
   test_aio:
     <<: *job_defaults
     steps:
-      - *define_env_vars
-      - *start-xvfb
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
+      - *start-xvfb
       - restore_cache:
           key: *cache_key
         # Build aio
@@ -208,16 +186,16 @@ jobs:
       - restore_cache:
           key: *cache_key
         # Deploy angular.io to production (if necessary)
-      - run: echo "export CI_STABLE_BRANCH=$(npm info @angular/core dist-tags.latest | sed -r 's/^\s*([0-9]+\.[0-9]+)\.[0-9]+.*$/\1.x/')" | tee -a $BASH_ENV
+      - run: setPublicVar CI_STABLE_BRANCH "$(npm info @angular/core dist-tags.latest | sed -r 's/^\s*([0-9]+\.[0-9]+)\.[0-9]+.*$/\1.x/')"
       - run: yarn --cwd aio deploy-production
 
   test_aio_local:
     <<: *job_defaults
     steps:
-      - *define_env_vars
-      - *start-xvfb
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
+      - *start-xvfb
       - attach_workspace:
           at: dist
       - restore_cache:
@@ -235,9 +213,9 @@ jobs:
   test_aio_tools:
     <<: *job_defaults
     steps:
-      - *define_env_vars
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
       - attach_workspace:
           at: dist
       - restore_cache:
@@ -252,10 +230,10 @@ jobs:
   test_docs_examples_0:
     <<: *job_defaults
     steps:
-      - *define_env_vars
-      - *start-xvfb
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
+      - *start-xvfb
       - attach_workspace:
           at: dist
       - restore_cache:
@@ -270,10 +248,10 @@ jobs:
   test_docs_examples_1:
     <<: *job_defaults
     steps:
-      - *define_env_vars
-      - *start-xvfb
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
+      - *start-xvfb
       - attach_workspace:
           at: dist
       - restore_cache:
@@ -291,9 +269,9 @@ jobs:
     environment:
        AIO_SNAPSHOT_ARTIFACT_PATH: &aio_preview_artifact_path 'aio/tmp/snapshot.tgz'
     steps:
-      - *define_env_vars
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
       - restore_cache:
           key: *cache_key
       - run: yarn install --frozen-lockfile --non-interactive
@@ -308,10 +286,10 @@ jobs:
   test_aio_preview:
     <<: *job_defaults
     steps:
-      - *define_env_vars
-      - *start-xvfb
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
+      - *start-xvfb
       - restore_cache:
           key: *cache_key
       - run: yarn install --cwd aio --frozen-lockfile --non-interactive
@@ -330,9 +308,9 @@ jobs:
     <<: *job_defaults
     resource_class: xlarge
     steps:
-      - *define_env_vars
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
       - run: sudo cp .circleci/bazel.rc /etc/bazel.bazelrc
       - run: bazel run @nodejs//:yarn
       - *setup_bazel_remote_execution
@@ -360,10 +338,10 @@ jobs:
     # on a 4G worker so we use a larger machine here too.
     resource_class: xlarge
     steps:
-      - *define_env_vars
-      - *start-xvfb
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
+      - *start-xvfb
       - attach_workspace:
           at: dist
       - run: ./integration/run_tests.sh
@@ -373,6 +351,8 @@ jobs:
   publish_snapshot:
     <<: *job_defaults
     steps:
+      - checkout:
+          <<: *post_checkout
       - *define_env_vars
       # See below - ideally this job should not trigger for non-upstream builds.
       # But since it does, we have to check this condition.
@@ -384,8 +364,6 @@ jobs:
               || "$CI_REPO_OWNER" != "angular"
               || "$CI_REPO_NAME" != "angular"
           ]] && circleci step halt || true'
-      - checkout:
-          <<: *post_checkout
       - attach_workspace:
           at: dist
       # CircleCI has a config setting to force SSH for all github connections
@@ -400,10 +378,10 @@ jobs:
   aio_monitoring:
     <<: *job_defaults
     steps:
-      - *define_env_vars
-      - *start-xvfb
       - checkout:
           <<: *post_checkout
+      - *define_env_vars
+      - *start-xvfb
       - restore_cache:
           key: *cache_key
       - run:

.circleci/env-helpers.inc.sh

@@ -0,0 +1,38 @@
+####################################################################################################
+# Helpers for defining environment variables for CircleCI.
+#
+# In CircleCI, each step runs in a new shell. The way to share ENV variables across steps is to
+# export them from `$BASH_ENV`, which is automatically sourced at the beginning of every step (for
+# the default `bash` shell).
+#
+# See also https://circleci.com/docs/2.0/env-vars/#using-bash_env-to-set-environment-variables.
+####################################################################################################
+
+# Set and print an environment variable.
+#
+# Use this function for setting environment variables that are public, i.e. it is OK for them to be
+# visible to anyone through the CI logs.
+#
+# Usage: `setPublicVar <name> <value>`
+function setPublicVar() {
+  setSecretVar $1 $2;
+  echo "$1=$2";
+}
+
+# Set (without printing) an environment variable.
+#
+# Use this function for setting environment variables that are secret, i.e. should not be visible to
+# everyone through the CI logs.
+#
+# Usage: `setSecretVar <name> <value>`
+function setSecretVar() {
+  # WARNING: Secrets (e.g. passwords, access tokens) should NOT be printed.
+  # (Keep original shell options to restore at the end.)
+  local -r originalShellOptions=$(set +o);
+  set +x -eu -o pipefail;
+
+  echo "export $1=\"${2:-}\";" >> $BASH_ENV;
+
+  # Restore original shell options.
+  eval "$originalShellOptions";
+}

.circleci/env.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Load helpers and make them available everywhere (through `$BASH_ENV`).
+readonly envHelpersPath="`dirname $0`/env-helpers.inc.sh";
+source $envHelpersPath;
+echo "source $envHelpersPath;" >> $BASH_ENV;
+
+
+####################################################################################################
+# Define PUBLIC environment variables for CircleCI.
+####################################################################################################
+setPublicVar PROJECT_ROOT "$(pwd)";
+setPublicVar CI_AIO_MIN_PWA_SCORE "95";
+# This is the branch being built; e.g. `pull/12345` for PR builds.
+setPublicVar CI_BRANCH "$CIRCLE_BRANCH";
+setPublicVar CI_COMMIT "$CIRCLE_SHA1";
+# `CI_COMMIT_RANGE` will only be available when `CIRCLE_COMPARE_URL` is also available,
+# i.e. on push builds (a.k.a. non-PR builds). That is fine, since we only need it in push builds.
+setPublicVar CI_COMMIT_RANGE "$(sed -r 's|^.*/([0-9a-f]+\.\.\.[0-9a-f]+)$|\1|i' <<< ${CIRCLE_COMPARE_URL:-})";
+setPublicVar CI_PULL_REQUEST "${CIRCLE_PR_NUMBER:-false}";
+setPublicVar CI_REPO_NAME "$CIRCLE_PROJECT_REPONAME";
+setPublicVar CI_REPO_OWNER "$CIRCLE_PROJECT_USERNAME";
+
+
+####################################################################################################
+# Define SECRET environment variables for CircleCI.
+####################################################################################################
+setSecretVar CI_SECRET_AIO_DEPLOY_FIREBASE_TOKEN "$AIO_DEPLOY_TOKEN";
+setSecretVar CI_SECRET_PAYLOAD_FIREBASE_TOKEN "$ANGULAR_PAYLOAD_TOKEN";
+
+
+# Source `$BASH_ENV` to make the variables available immediately.
+source $BASH_ENV;