Use ejson to manage build secrets

Michael Vines 2018-12-15 13:49:22 -08:00
parent b8ab3078fb
commit 1298ab1647
3 changed files with 45 additions and 2 deletions

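--- a/.buildkite/env/README.md
+++ b/.buildkite/env/README.md
+[ejson](https://github.com/Shopify/ejson) and
+[ejson2env](https://github.com/Shopify/ejson2env) are used to manage access
+tokens and other secrets required for CI.
+#### Setup
+```bash
+$ sudo gem install ejson ejson2env
+```
+then obtain the necessary keypair and place it in `/opt/ejson/keys/`.
+#### Usage
+Run the following command to decrypt the secrets into the environment:
+```bash
+eval $(ejson2env secrets.ejson)
+```
+#### Managing secrets.ejson
+To decrypt `secrets.ejson` for modification, run:
+```bash
+$ ejson decrypt secrets.ejson
+```
+Edit, then run the following to re-encrypt the file **BEFORE COMMITING YOUR
+CHANGES**:
+```bash
+$ ejson encrypt secrets.ejson
+```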

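--- a/.buildkite/env/secrets.ejson
+++ b/.buildkite/env/secrets.ejson
@@ -0,0 +1,11 @@
+{
+"_public_key": "ae29f4f7ad2fc92de70d470e411c8426d5d48db8817c9e3dae574b122192335f",
+"environment": {
+"GITHUB_TOKEN": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:g0bjCcawOZX/X03kVwMv4fRjoaiDDM2j:ASH6J8U5pqIbeP0NERBI9qGJAoQDZHepeZtLgFgcH5g4vTXV3I4F9/FaYXvLCYMq1ct9zHcVBHo=]",
+"CODECOV_TOKEN": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:XDoyD6GBTT5kHEXA64qvwejaLGMC4D0q:ninSBJsqg+aRsWoRm9MnXMqwDMx1nXmELsyCy8nUsFZXoNK3DCWLW42CfzmidKJUee5pyw==]",
+"CRATES_IO_TOKEN": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:+MNfhjqmMtkUgpmXhnUIiNK+I1MptAse:3yAM7PbjpkUt/nSZHFSm06Rpwycc/4OYmsUAsoMZpBKFBB9rByamWCizFyYumkqW]",
+"INFLUX_DATABASE": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:zCDJjeYgNCeKqXL4GnAfmhrh75jShHST:JrPCKCGsmOBTaJm2Oj8qDGUG]",
+"INFLUX_USERNAME": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:vmmEN9adSh4nE9KOOre0H2U6RmvoHHGa:ctPY7SdPsdMPfI+QDvhS2CJftRII8Lc2]",
+"INFLUX_PASSWORD": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:qQUuHle12rhx7z2bQmcnTAKXoo88kchH:HGL3ZWlq98ClK3TZhzCVXd2EVXPhRrCo8Fn/vfoDRtxJXDbSpPFJNET4JzDGAxu9eL75TW50QP0=]"
+}
+}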


@ -1,4 +1,7 @@
#!/bin/bash -e
#!/usr/bin/env bash
set -e
eval "$(ejson2env .buildkite/env/secrets.ejson)"
# Ensure the pattern "+++ ..." never occurs when |set -x| is set, as buildkite
# interprets this as the start of a log group.
@ -24,4 +27,3 @@ export PS4="++"
set -x
rsync -a --delete --link-dest="$d" "$d"/target .
)
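Review bot: The decryption step on the `eval "$(ejson2env .buildkite/env/secrets.ejson)"` line in the first hunk does not fail the script when ejson2env fails, because `set -e` never sees the exit status of a command substitution used as an argument; a missing key under /opt/ejson/keys or a corrupt secrets file leaves the tokens unset and the build continues until something downstream fails with a less obvious error. Assign first and check the status, then eval: `secrets=$(ejson2env .buildkite/env/secrets.ejson) || exit 1` followed by `eval "$secrets"`. It is also worth stating next to that line that it must stay above the later `set -x` so the exported token values are never echoed into the Buildkite log, e.g. `# decrypt before set -x so secret values are not traced`. The path is relative, so this presumably assumes the script is invoked from the repository root; the file's name is not shown on this page, and the second hunk (-24,4 +27,3) appears to be missing its removed line.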