Use ejson to manage build secrets
parent
b8ab3078fb
commit
1298ab1647
|
@ -0,0 +1,30 @@
|
||||||
|
|
||||||
|
[ejson](https://github.com/Shopify/ejson) and
|
||||||
|
[ejson2env](https://github.com/Shopify/ejson2env) are used to manage access
|
||||||
|
tokens and other secrets required for CI.
|
||||||
|
|
||||||
|
#### Setup
|
||||||
|
```bash
|
||||||
|
$ sudo gem install ejson ejson2env
|
||||||
|
```
|
||||||
|
|
||||||
|
then obtain the necessary keypair and place it in `/opt/ejson/keys/`.
|
||||||
|
|
||||||
|
#### Usage
|
||||||
|
Run the following command to decrypt the secrets into the environment:
|
||||||
|
```bash
|
||||||
|
eval $(ejson2env secrets.ejson)
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Managing secrets.ejson
|
||||||
|
To decrypt `secrets.ejson` for modification, run:
|
||||||
|
```bash
|
||||||
|
$ ejson decrypt secrets.ejson
|
||||||
|
```
|
||||||
|
|
||||||
|
Edit, then run the following to re-encrypt the file **BEFORE COMMITING YOUR
|
||||||
|
CHANGES**:
|
||||||
|
```bash
|
||||||
|
$ ejson encrypt secrets.ejson
|
||||||
|
```
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
{
|
||||||
|
"_public_key": "ae29f4f7ad2fc92de70d470e411c8426d5d48db8817c9e3dae574b122192335f",
|
||||||
|
"environment": {
|
||||||
|
"GITHUB_TOKEN": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:g0bjCcawOZX/X03kVwMv4fRjoaiDDM2j:ASH6J8U5pqIbeP0NERBI9qGJAoQDZHepeZtLgFgcH5g4vTXV3I4F9/FaYXvLCYMq1ct9zHcVBHo=]",
|
||||||
|
"CODECOV_TOKEN": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:XDoyD6GBTT5kHEXA64qvwejaLGMC4D0q:ninSBJsqg+aRsWoRm9MnXMqwDMx1nXmELsyCy8nUsFZXoNK3DCWLW42CfzmidKJUee5pyw==]",
|
||||||
|
"CRATES_IO_TOKEN": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:+MNfhjqmMtkUgpmXhnUIiNK+I1MptAse:3yAM7PbjpkUt/nSZHFSm06Rpwycc/4OYmsUAsoMZpBKFBB9rByamWCizFyYumkqW]",
|
||||||
|
"INFLUX_DATABASE": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:zCDJjeYgNCeKqXL4GnAfmhrh75jShHST:JrPCKCGsmOBTaJm2Oj8qDGUG]",
|
||||||
|
"INFLUX_USERNAME": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:vmmEN9adSh4nE9KOOre0H2U6RmvoHHGa:ctPY7SdPsdMPfI+QDvhS2CJftRII8Lc2]",
|
||||||
|
"INFLUX_PASSWORD": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:qQUuHle12rhx7z2bQmcnTAKXoo88kchH:HGL3ZWlq98ClK3TZhzCVXd2EVXPhRrCo8Fn/vfoDRtxJXDbSpPFJNET4JzDGAxu9eL75TW50QP0=]"
|
||||||
|
}
|
||||||
|
}
|
|
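Review bot: All six values are encrypted to the single `_public_key`, so any CI agent holding the matching private key in `/opt/ejson/keys/` decrypts the publishing credentials (`CRATES_IO_TOKEN`, `GITHUB_TOKEN`) together with the reporting ones (`CODECOV_TOKEN`, `INFLUX_*`). Consider splitting the publish tokens into a second ejson file with its own keypair, so that only release jobs can read them. JSON cannot carry a comment, so the scope each token is expected to have would need to be recorded in the README next to the usage notes. Whether builds of untrusted branches run on agents that hold this key is not visible on this page and should be confirmed.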
@ -1,4 +1,7 @@
|
||||||
#!/bin/bash -e
|
#!/usr/bin/env bash
|
||||||
|
set -e
|
||||||
|
|
||||||
|
eval "$(ejson2env .buildkite/env/secrets.ejson)"
|
||||||
|
|
||||||
# Ensure the pattern "+++ ..." never occurs when |set -x| is set, as buildkite
|
# Ensure the pattern "+++ ..." never occurs when |set -x| is set, as buildkite
|
||||||
# interprets this as the start of a log group.
|
# interprets this as the start of a log group.
|
||||||
|
@ -24,4 +27,3 @@ export PS4="++"
|
||||||
set -x
|
set -x
|
||||||
rsync -a --delete --link-dest="$d" "$d"/target .
|
rsync -a --delete --link-dest="$d" "$d"/target .
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
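Review bot: A failed decryption does not stop the hook, because `eval "$(ejson2env .buildkite/env/secrets.ejson)"` reports the status of `eval` on an empty string rather than that of the command substitution, so even with `set -e` a missing key leaves the build running with the variables unset. Assigning first makes the failure fatal: `secrets="$(ejson2env .buildkite/env/secrets.ejson)"` followed by `eval "$secrets"`. The second hunk keeps `set -x` active in the subshell, so a comment beside the eval should warn that any traced command expanding one of these variables prints the token into the Buildkite log. The relative path also assumes the hook runs from the repository root, which cannot be confirmed from the lines shown.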