Use ejson to manage build secrets
parent
b8ab3078fb
commit
1298ab1647
|
@ -0,0 +1,30 @@
|
|||
|
||||
[ejson](https://github.com/Shopify/ejson) and
|
||||
[ejson2env](https://github.com/Shopify/ejson2env) are used to manage access
|
||||
tokens and other secrets required for CI.
|
||||
|
||||
#### Setup
|
||||
```bash
|
||||
$ sudo gem install ejson ejson2env
|
||||
```
|
||||
|
||||
then obtain the necessary keypair and place it in `/opt/ejson/keys/`.
|
||||
|
||||
#### Usage
|
||||
Run the following command to decrypt the secrets into the environment:
|
||||
```bash
|
||||
eval $(ejson2env secrets.ejson)
|
||||
```
|
||||
|
||||
#### Managing secrets.ejson
|
||||
To decrypt `secrets.ejson` for modification, run:
|
||||
```bash
|
||||
$ ejson decrypt secrets.ejson
|
||||
```
|
||||
|
||||
Edit, then run the following to re-encrypt the file **BEFORE COMMITING YOUR
|
||||
CHANGES**:
|
||||
```bash
|
||||
$ ejson encrypt secrets.ejson
|
||||
```
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
{
|
||||
"_public_key": "ae29f4f7ad2fc92de70d470e411c8426d5d48db8817c9e3dae574b122192335f",
|
||||
"environment": {
|
||||
"GITHUB_TOKEN": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:g0bjCcawOZX/X03kVwMv4fRjoaiDDM2j:ASH6J8U5pqIbeP0NERBI9qGJAoQDZHepeZtLgFgcH5g4vTXV3I4F9/FaYXvLCYMq1ct9zHcVBHo=]",
|
||||
"CODECOV_TOKEN": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:XDoyD6GBTT5kHEXA64qvwejaLGMC4D0q:ninSBJsqg+aRsWoRm9MnXMqwDMx1nXmELsyCy8nUsFZXoNK3DCWLW42CfzmidKJUee5pyw==]",
|
||||
"CRATES_IO_TOKEN": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:+MNfhjqmMtkUgpmXhnUIiNK+I1MptAse:3yAM7PbjpkUt/nSZHFSm06Rpwycc/4OYmsUAsoMZpBKFBB9rByamWCizFyYumkqW]",
|
||||
"INFLUX_DATABASE": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:zCDJjeYgNCeKqXL4GnAfmhrh75jShHST:JrPCKCGsmOBTaJm2Oj8qDGUG]",
|
||||
"INFLUX_USERNAME": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:vmmEN9adSh4nE9KOOre0H2U6RmvoHHGa:ctPY7SdPsdMPfI+QDvhS2CJftRII8Lc2]",
|
||||
"INFLUX_PASSWORD": "EJ[1:tS112AOuK5/Kj7Y8+4yg3eyhLcmMIys8+AAC7PKs9n4=:qQUuHle12rhx7z2bQmcnTAKXoo88kchH:HGL3ZWlq98ClK3TZhzCVXd2EVXPhRrCo8Fn/vfoDRtxJXDbSpPFJNET4JzDGAxu9eL75TW50QP0=]"
|
||||
}
|
||||
}
|
|
@ -1,4 +1,7 @@
|
|||
#!/bin/bash -e
|
||||
#!/usr/bin/env bash
|
||||
set -e
|
||||
|
||||
eval "$(ejson2env .buildkite/env/secrets.ejson)"
|
||||
|
||||
# Ensure the pattern "+++ ..." never occurs when |set -x| is set, as buildkite
|
||||
# interprets this as the start of a log group.
|
||||
|
@ -24,4 +27,3 @@ export PS4="++"
|
|||
set -x
|
||||
rsync -a --delete --link-dest="$d" "$d"/target .
|
||||
)
|
||||
|
||||
|
|
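Review bot: The added `eval "$(ejson2env .buildkite/env/secrets.ejson)"` line does not stop the hook when decryption fails, because `eval` of an empty string returns 0 and `set -e` never sees ejson2env's non-zero exit (for example a missing keypair under `/opt/ejson/keys/`), so the build carries on with no secrets exported. Capture the output first so the assignment carries the exit status: `secrets=$(ejson2env .buildkite/env/secrets.ejson)`, then `eval "$secrets"` and `unset secrets`. Because this runs at the top of the hook, all six tokens in secrets.ejson appear to be exported into every job that runs it, presumably including builds of branches the maintainers have not reviewed; confirm that is intended, or decrypt only in the steps that actually publish or upload. The `set -x` in the later hunk sits in a block that starts outside the visible lines, so it is worth checking that no traced command there expands one of these variables into the build log.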