From 1298ab1647f3ec970e6a23758ff6c243fa68f5a2 Mon Sep 17 00:00:00 2001
From: Michael Vines
Date: Sat, 15 Dec 2018 13:49:22 -0800
Subject: [PATCH] Use ejson to manage build secrets

---
 .buildkite/env/README.md | 30 ++++++++++++++++++++++++++++++
 .buildkite/env/secrets.ejson | 11 +++++++++++
 .buildkite/hooks/pre-command | 6 ++++--
 3 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 .buildkite/env/README.md
 create mode 100644 .buildkite/env/secrets.ejson

diff --git a/.buildkite/env/README.md b/.buildkite/env/README.md
new file mode 100644
index 000000000..a30c89f7a
--- /dev/null
+++ b/.buildkite/env/README.md
@@ -0,0 +1,30 @@
+
+[ejson](https://github.com/Shopify/ejson) and
+[ejson2env](https://github.com/Shopify/ejson2env) are used to manage access
+tokens and other secrets required for CI.
+
+#### Setup
+```bash
+$ sudo gem install ejson ejson2env
+```
+
+then obtain the necessary keypair and place it in `/opt/ejson/keys/`.
+
+#### Usage
+Run the following command to decrypt the secrets into the environment:
+```bash
+eval $(ejson2env secrets.ejson)
+```
+
+#### Managing secrets.ejson
+To decrypt `secrets.ejson` for modification, run:
+```bash
+$ ejson decrypt secrets.ejson
+```
+
+Edit, then run the following to re-encrypt the file **BEFORE COMMITING YOUR
+CHANGES**:
+```bash
+$ ejson encrypt secrets.ejson
+```
+
diff --git a/.buildkite/env/secrets.ejson b/.buildkite/env/secrets.ejson
new file mode 100644
index 000000000..58117e3e9
--- /dev/null
+++ b/.buildkite/env/secrets.ejson
@@ -0,0 +1,11 @@
+{
+ "_public_key": "ae29f4f7ad2fc92de70d470e411c8426d5d48db8817c9e3dae574b122192335f",
+ "environment": {
+ "GITHUB_TOKEN": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:g0bjCcawOZX/X03kVwMv4fRjoaiDDM2j:ASH6J8U5pqIbeP0NERBI9qGJAoQDZHepeZtLgFgcH5g4vTXV3I4F9/FaYXvLCYMq1ct9zHcVBHo=]",
+ "CODECOV_TOKEN": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:XDoyD6GBTT5kHEXA64qvwejaLGMC4D0q:ninSBJsqg+aRsWoRm9MnXMqwDMx1nXmELsyCy8nUsFZXoNK3DCWLW42CfzmidKJUee5pyw==]",
+ "CRATES_IO_TOKEN": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:+MNfhjqmMtkUgpmXhnUIiNK+I1MptAse:3yAM7PbjpkUt/nSZHFSm06Rpwycc/4OYmsUAsoMZpBKFBB9rByamWCizFyYumkqW]",
+ "INFLUX_DATABASE": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:zCDJjeYgNCeKqXL4GnAfmhrh75jShHST:JrPCKCGsmOBTaJm2Oj8qDGUG]",
+ "INFLUX_USERNAME": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:vmmEN9adSh4nE9KOOre0H2U6RmvoHHGa:ctPY7SdPsdMPfI+QDvhS2CJftRII8Lc2]",
+ "INFLUX_PASSWORD": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:qQUuHle12rhx7z2bQmcnTAKXoo88kchH:HGL3ZWlq98ClK3TZhzCVXd2EVXPhRrCo8Fn/vfoDRtxJXDbSpPFJNET4JzDGAxu9eL75TW50QP0=]"
+ }
+}
diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
index 410c9bbfb..12cf676bf 100644
--- a/.buildkite/hooks/pre-command
+++ b/.buildkite/hooks/pre-command
@@ -1,4 +1,7 @@
-#!/bin/bash -e
+#!/usr/bin/env bash
+set -e
+
+eval "$(ejson2env .buildkite/env/secrets.ejson)"
 
 # Ensure the pattern "+++ ..." never occurs when |set -x| is set, as buildkite
 # interprets this as the start of a log group.
@@ -24,4 +27,3 @@ export PS4="++"
 set -x
 rsync -a --delete --link-dest="$d" "$d"/target .
 )
-
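Review bot: Nothing in this commit guards against a plaintext value landing in `environment`, and the README added alongside it has the file decrypted, edited by hand and re-encrypted, so a token committed in the clear by mistake stays readable in history regardless of a later `ejson encrypt`. A pre-commit or CI assertion that every value in this object still carries the ejson envelope would catch that before merge; if jq is available on the agents, `jq -e '.environment | to_entries | all(.value | startswith("EJ[1:"))' .buildkite/env/secrets.ejson` is one way to express it. The `_public_key` value is fine to commit; the private key it pairs with (kept under `/opt/ejson/keys/` per the README) is the one real secret, and if it is ever exposed all six tokens here need rotating, since the ciphertext is public.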
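Review bot: The exit status of `ejson2env` is discarded by the command substitution on the new `eval` line, so when the private key is missing from the agent or decryption fails, `eval` runs on an empty string, returns 0, and `set -e` lets the job continue with none of the tokens set; the failure then surfaces later as an unrelated authentication error. Capturing the output in an assignment first lets `set -e` act on the real status: `secrets="$(ejson2env .buildkite/env/secrets.ejson)"` followed by `eval "$secrets"`. Separately, this hook runs before every job, so if the pipeline also builds pull requests from forks the decrypted `GITHUB_TOKEN` and `CRATES_IO_TOKEN` end up in the environment of unreviewed code; I can't tell from the hunk whether such builds exist, but gating the `eval` on the pipeline or branch would be worth a look. The remainder of the hook lies outside this hunk.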