From 4fa0a0775b3c2bf6c512af6c9cf83e127444eaa1 Mon Sep 17 00:00:00 2001 From: Cheran Date: Mon, 9 Sep 2024 09:33:09 +0530 Subject: [PATCH 01/26] Add access token for private repo support --- .circleci/config.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 6b1ab8c..18f7eb9 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -35,6 +35,9 @@ parameters: type: string default: "default" enum: ["default", "development", "staging", "sepolia-staging"] + GITHUB_ACCESS_TOKEN: + type: env_var_name + default: GITHUB_ACCESS_TOKEN jobs: publish: @@ -92,9 +95,17 @@ jobs: - equal: ["<< pipeline.parameters.SOURCE_TYPE >>", "github"] steps: - run: - name: Clone repository from URL + name: Clone repository command: | - git clone "<< pipeline.parameters.REPOSITORY >>.git" ~/project/repository + REPO_URL="<< pipeline.parameters.REPOSITORY >>" + REPO_PATH=$(echo $REPO_URL | sed 's#https://github.com/##') + + if [ -n "${<< parameters.GITHUB_ACCESS_TOKEN >>}" ]; then + git clone "https://${<< parameters.GITHUB_ACCESS_TOKEN >>}@github.com/${REPO_PATH}" ~/project/repository + else + git clone "$REPO_URL" ~/project/repository + fi + cd ~/project/repository if [ -n "<< pipeline.parameters.REF >>" ]; then git checkout "<< pipeline.parameters.REF >>" From fd42922c2f02f396f3b74c841adfef323a79c6d3 Mon Sep 17 00:00:00 2001 From: Cheran Date: Mon, 9 Sep 2024 09:34:45 +0530 Subject: [PATCH 02/26] Change env var type --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 18f7eb9..8526beb 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -36,7 +36,7 @@ parameters: default: "default" enum: ["default", "development", "staging", "sepolia-staging"] GITHUB_ACCESS_TOKEN: - type: env_var_name + type: string default: GITHUB_ACCESS_TOKEN jobs: From a1b78f163720b9e3dc2e922db359fb59553f2d17 Mon Sep 17 00:00:00 2001 
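Review bot: The token clone in the `if` branch puts the credential in the remote URL, and git stores that URL verbatim in `~/project/repository/.git/config`, the directory the later build step runs in. Resetting the remote straight after the clone with `git -C ~/project/repository remote set-url origin "$REPO_URL"`, or supplying the credential through a credential helper instead of the URL, keeps it out of the checkout; the same clone form is carried through the later patches in this series. `REPO_PATH` is derived by stripping a prefix with `sed` without first checking that `REPO_URL` starts with `https://github.com/`, and `echo $REPO_URL` is unquoted, so a value of any other shape ends up in the authenticated URL unchanged; a `case "$REPO_URL" in https://github.com/*)` guard before the clone would reject those. The command block continues past the end of the hunk.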
From: Cheran Date: Mon, 9 Sep 2024 09:35:26 +0530 Subject: [PATCH 03/26] Update default --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 8526beb..93ac942 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -37,7 +37,7 @@ parameters: enum: ["default", "development", "staging", "sepolia-staging"] GITHUB_ACCESS_TOKEN: type: string - default: GITHUB_ACCESS_TOKEN + default: "" jobs: publish: From 926f7f4757f2b4d867a85c1cd1c6af89d64c4bf5 Mon Sep 17 00:00:00 2001 From: Cheran Date: Mon, 9 Sep 2024 09:38:13 +0530 Subject: [PATCH 04/26] Fix get env var logic --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 93ac942..3aba260 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -100,8 +100,8 @@ jobs: REPO_URL="<< pipeline.parameters.REPOSITORY >>" REPO_PATH=$(echo $REPO_URL | sed 's#https://github.com/##') - if [ -n "${<< parameters.GITHUB_ACCESS_TOKEN >>}" ]; then - git clone "https://${<< parameters.GITHUB_ACCESS_TOKEN >>}@github.com/${REPO_PATH}" ~/project/repository + if [ -n "${<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>}" ]; then + git clone "https://${<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>}@github.com/${REPO_PATH}" ~/project/repository else git clone "$REPO_URL" ~/project/repository fi From 570811352b6287dba82c7794c1b6a7c611b28049 Mon Sep 17 00:00:00 2001 From: Cheran Date: Mon, 9 Sep 2024 09:48:01 +0530 Subject: [PATCH 05/26] Simplify env var access --- .circleci/config.yml | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 3aba260..a3c820b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -100,18 +100,11 @@ jobs: REPO_URL="<< pipeline.parameters.REPOSITORY >>" REPO_PATH=$(echo $REPO_URL | sed 's#https://github.com/##') - if [ -n "${<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>}" ]; then - git clone "https://${<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>}@github.com/${REPO_PATH}" ~/project/repository + if [ -n "<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" ]; then + git clone "https://<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>@github.com/${REPO_PATH}" ~/project/repository else git clone "$REPO_URL" ~/project/repository fi - - cd ~/project/repository - if [ -n "<< pipeline.parameters.REF >>" ]; then - git checkout "<< pipeline.parameters.REF >>" - else - echo "No branch specified, staying on default branch." - fi - run: name: Run build command working_directory: ~/project/repository From b2968e79671326a801562910ecede9d7f92510f5 Mon Sep 17 00:00:00 2001 From: Cheran Date: Thu, 12 Sep 2024 08:04:07 +0530 Subject: [PATCH 06/26] Add decryption of access token --- .circleci/config.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index a3c820b..cde7403 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
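Review bot: The `cd ~/project/repository` / `git checkout "<< pipeline.parameters.REF >>"` block is deleted at the end of this hunk although the commit is described as simplifying env var access, so from here on the clone step always builds the default branch and a requested REF is silently ignored. If that is not intended, keep the checkout after the `fi`. Separately, the token is now substituted into the script text as a literal pipeline parameter; CircleCI does not treat pipeline parameters as secrets, so the value is visible wherever the pipeline's parameters and compiled configuration are shown. A project or context environment variable referenced as `"$GITHUB_ACCESS_TOKEN"` avoids that.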
@@ -49,6 +49,28 @@ jobs: command: | sudo apt-get update && sudo apt-get install -y awscli npm install node-forge + - run: + name: Decrypt GITHUB_ACCESS_TOKEN + command: | + if [ -n "<< pipeline.parameters.ENCRYPTED_GITHUB_ACCESS_TOKEN >>" ]; then + sudo npm install -g node-forge + + echo "const forge = require('node-forge');" > decrypt_token.js + echo "const fs = require('fs');" >> decrypt_token.js + echo "const privateKeyPem = Buffer.from(process.env.BASE64_ENCODED_PRIVATE_KEY, 'base64').toString('utf8');" >> decrypt_token.js + echo "const privateKey = forge.pki.privateKeyFromPem(privateKeyPem);" >> decrypt_token.js + echo "const encryptedToken = forge.util.decode64(process.env.ENCRYPTED_GITHUB_ACCESS_TOKEN);" >> decrypt_token.js + echo "const decryptedToken = privateKey.decrypt(encryptedToken, 'RSA-OAEP', { md: forge.md.sha256.create(), mgf1: { md: forge.md.sha1.create() } });" >> decrypt_token.js + echo "fs.writeFileSync('decrypted_token.txt', decryptedToken);" >> decrypt_token.js + + node decrypt_token.js + export GITHUB_ACCESS_TOKEN=$(cat decrypted_token.txt) + rm decrypt_token.js decrypted_token.txt + + echo "GITHUB_ACCESS_TOKEN has been decrypted and set as an environment variable." + else + echo "No ENCRYPTED_GITHUB_ACCESS_TOKEN provided, skipping decryption." + fi - run: name: Decode environment variables command: | From 018d88ac46214edfc3cb4c149adcf8112e90c10b Mon Sep 17 00:00:00 2001 From: Cheran Date: Thu, 12 Sep 2024 08:43:23 +0530 Subject: [PATCH 07/26] Revert env var name --- .circleci/config.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index cde7403..726c669 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
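Review bot: The decrypted token takes a detour through `decrypted_token.txt` in the working directory, and both it and `decrypt_token.js` are removed only if the script reaches the final `rm`. Printing the result to stdout and capturing it with `$(node decrypt_token.js)` avoids the file altogether; if the file stays, `trap 'rm -f decrypt_token.js decrypted_token.txt' EXIT` at the top of the branch makes the cleanup unconditional. Note also that `export GITHUB_ACCESS_TOKEN=…` only affects this step's shell, and that the script reads `process.env.ENCRYPTED_GITHUB_ACCESS_TOKEN` while the guard tests the pipeline parameter, which nothing visible here copies into the environment.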
@@ -52,14 +52,14 @@ jobs: - run: name: Decrypt GITHUB_ACCESS_TOKEN command: | - if [ -n "<< pipeline.parameters.ENCRYPTED_GITHUB_ACCESS_TOKEN >>" ]; then + if [ -n "<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" ]; then sudo npm install -g node-forge echo "const forge = require('node-forge');" > decrypt_token.js echo "const fs = require('fs');" >> decrypt_token.js echo "const privateKeyPem = Buffer.from(process.env.BASE64_ENCODED_PRIVATE_KEY, 'base64').toString('utf8');" >> decrypt_token.js echo "const privateKey = forge.pki.privateKeyFromPem(privateKeyPem);" >> decrypt_token.js - echo "const encryptedToken = forge.util.decode64(process.env.ENCRYPTED_GITHUB_ACCESS_TOKEN);" >> decrypt_token.js + echo "const encryptedToken = forge.util.decode64(process.env.GITHUB_ACCESS_TOKEN);" >> decrypt_token.js echo "const decryptedToken = privateKey.decrypt(encryptedToken, 'RSA-OAEP', { md: forge.md.sha256.create(), mgf1: { md: forge.md.sha1.create() } });" >> decrypt_token.js echo "fs.writeFileSync('decrypted_token.txt', decryptedToken);" >> decrypt_token.js @@ -69,7 +69,7 @@ jobs: echo "GITHUB_ACCESS_TOKEN has been decrypted and set as an environment variable." else - echo "No ENCRYPTED_GITHUB_ACCESS_TOKEN provided, skipping decryption." + echo "No GITHUB_ACCESS_TOKEN provided, skipping decryption." fi - run: name: Decode environment variables From ed0518581e8ac79292f91afaf8e3d667c5252217 Mon Sep 17 00:00:00 2001 From: Cheran Date: Thu, 12 Sep 2024 09:26:08 +0530 Subject: [PATCH 08/26] Remove reinstall --- .circleci/config.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 726c669..ba0fa87 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -53,8 +53,6 @@ jobs: name: Decrypt GITHUB_ACCESS_TOKEN command: | if [ -n "<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" ]; then - sudo npm install -g node-forge - echo "const forge = require('node-forge');" > decrypt_token.js echo "const fs = require('fs');" >> decrypt_token.js echo "const privateKeyPem = Buffer.from(process.env.BASE64_ENCODED_PRIVATE_KEY, 'base64').toString('utf8');" >> decrypt_token.js From 30074b46919fcc2206ecfa610191cf56d0cc9c22 Mon Sep 17 00:00:00 2001 From: Cheran Date: Thu, 12 Sep 2024 09:33:11 +0530 Subject: [PATCH 09/26] Add export --- .circleci/config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index ba0fa87..9d716c5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -53,6 +53,7 @@ jobs: name: Decrypt GITHUB_ACCESS_TOKEN command: | if [ -n "<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" ]; then + export GITHUB_ACCESS_TOKEN=pipeline.parameters.GITHUB_ACCESS_TOKEN echo "const forge = require('node-forge');" > decrypt_token.js echo "const fs = require('fs');" >> decrypt_token.js echo "const privateKeyPem = Buffer.from(process.env.BASE64_ENCODED_PRIVATE_KEY, 'base64').toString('utf8');" >> decrypt_token.js From aff33188054c7eafa07c5032505a5b96e69968f7 Mon Sep 17 00:00:00 2001 From: Cheran Date: Thu, 12 Sep 2024 09:37:46 +0530 Subject: [PATCH 10/26] Export correctly --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 9d716c5..e2c4ba1 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -53,7 +53,7 @@ jobs: name: Decrypt GITHUB_ACCESS_TOKEN command: | if [ -n "<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" ]; then - export GITHUB_ACCESS_TOKEN=pipeline.parameters.GITHUB_ACCESS_TOKEN + export GITHUB_ACCESS_TOKEN="${pipeline.parameters.GITHUB_ACCESS_TOKEN}" echo "const forge = require('node-forge');" > decrypt_token.js echo "const fs = require('fs');" >> decrypt_token.js echo "const privateKeyPem = Buffer.from(process.env.BASE64_ENCODED_PRIVATE_KEY, 'base64').toString('utf8');" >> decrypt_token.js From 20eac580f66649a3d3786fc62ae4ef81f256b974 Mon Sep 17 00:00:00 2001 From: Cheran Date: Thu, 12 Sep 2024 09:42:05 +0530 Subject: [PATCH 11/26] Use correct substitution syntax --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index e2c4ba1..c054923 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -53,7 +53,7 @@ jobs: name: Decrypt GITHUB_ACCESS_TOKEN command: | if [ -n "<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" ]; then - export GITHUB_ACCESS_TOKEN="${pipeline.parameters.GITHUB_ACCESS_TOKEN}" + export GITHUB_ACCESS_TOKEN="<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" echo "const forge = require('node-forge');" > decrypt_token.js echo "const fs = require('fs');" >> decrypt_token.js echo "const privateKeyPem = Buffer.from(process.env.BASE64_ENCODED_PRIVATE_KEY, 'base64').toString('utf8');" >> decrypt_token.js From 1758b105029675aed102f88bf63d8f3b019c947d Mon Sep 17 00:00:00 2001 From: Cheran Date: Thu, 12 Sep 2024 09:46:10 +0530 Subject: [PATCH 12/26] Replace with env for clone --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c054923..668702b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -121,8 +121,8 @@ jobs: REPO_URL="<< pipeline.parameters.REPOSITORY >>" REPO_PATH=$(echo $REPO_URL | sed 's#https://github.com/##') - if [ -n "<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" ]; then - git clone "https://<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>@github.com/${REPO_PATH}" ~/project/repository + if [ -n ${process.env.GITHUB_ACCESS_TOKEN} ]; then + git clone "https://${process.env.GITHUB_ACCESS_TOKEN}@github.com/${REPO_PATH}" ~/project/repository else git clone "$REPO_URL" ~/project/repository fi From f34093cdf8c785223c5dcc2ab8075fd92f2757d7 Mon Sep 17 00:00:00 2001 From: Cheran Date: Thu, 12 Sep 2024 09:54:39 +0530 Subject: [PATCH 13/26] Use token directly --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 668702b..605216c 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -121,8 +121,8 @@ jobs: REPO_URL="<< pipeline.parameters.REPOSITORY >>" REPO_PATH=$(echo $REPO_URL | sed 's#https://github.com/##') - if [ -n ${process.env.GITHUB_ACCESS_TOKEN} ]; then - git clone "https://${process.env.GITHUB_ACCESS_TOKEN}@github.com/${REPO_PATH}" ~/project/repository + if [ -n "$GITHUB_ACCESS_TOKEN" ]; then + git clone "https://$GITHUB_ACCESS_TOKEN@github.com/${REPO_PATH}" ~/project/repository else git clone "$REPO_URL" ~/project/repository fi From ff57729243a764ab74d6da265041d8c93ccc9755 Mon Sep 17 00:00:00 2001 From: Cheran Date: Thu, 12 Sep 2024 09:59:30 +0530 Subject: [PATCH 14/26] Add debug info --- .circleci/config.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 605216c..3b6acbc 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -63,7 +63,8 @@ jobs: echo "fs.writeFileSync('decrypted_token.txt', decryptedToken);" >> decrypt_token.js node decrypt_token.js - export GITHUB_ACCESS_TOKEN=$(cat decrypted_token.txt) + echo 'export GITHUB_ACCESS_TOKEN=$(cat decrypted_token.txt)' >> $BASH_ENV + source $BASH_ENV rm decrypt_token.js decrypted_token.txt echo "GITHUB_ACCESS_TOKEN has been decrypted and set as an environment variable." @@ -121,9 +122,16 @@ jobs: REPO_URL="<< pipeline.parameters.REPOSITORY >>" REPO_PATH=$(echo $REPO_URL | sed 's#https://github.com/##') + echo "Debugging information:" + echo "REPO_URL: $REPO_URL" + echo "REPO_PATH: $REPO_PATH" + echo "GITHUB_ACCESS_TOKEN is set: $([[ -n "$GITHUB_ACCESS_TOKEN" ]] && echo 'Yes' || echo 'No')" + if [ -n "$GITHUB_ACCESS_TOKEN" ]; then + echo "Cloning with token..." git clone "https://$GITHUB_ACCESS_TOKEN@github.com/${REPO_PATH}" ~/project/repository else + echo "Cloning without token..." git clone "$REPO_URL" ~/project/repository fi - run: From f4b7663ffcb40a7bff1797a6502255aee913aee3 Mon Sep 17 00:00:00 2001 From: Cheran Date: Thu, 12 Sep 2024 10:05:14 +0530 Subject: [PATCH 15/26] Add decryption file --- .circleci/config.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 3b6acbc..7cb20e1 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
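Review bot: The line appended to `$BASH_ENV` is single-quoted, so `$(cat decrypted_token.txt)` is stored unexpanded and re-evaluated each time the file is sourced; the `rm` two lines later deletes `decrypted_token.txt`, so later steps get an empty `GITHUB_ACCESS_TOKEN` and the clone falls through to the unauthenticated branch. The hunk at `@@ -63,11 +63,14 @@` in the next patch writes the same deferred expression to `~/project/github_token.sh` and has the same problem. Expanding at write time would fix the value but would also store the plaintext token in a file that every later step sources, so decrypting inside the step that performs the clone is the safer arrangement.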
@@ -63,11 +63,14 @@ jobs: echo "fs.writeFileSync('decrypted_token.txt', decryptedToken);" >> decrypt_token.js node decrypt_token.js - echo 'export GITHUB_ACCESS_TOKEN=$(cat decrypted_token.txt)' >> $BASH_ENV - source $BASH_ENV + if [ -f decrypted_token.txt ]; then + echo 'export GITHUB_ACCESS_TOKEN=$(cat decrypted_token.txt)' > ~/project/github_token.sh + source ~/project/github_token.sh + echo "GITHUB_ACCESS_TOKEN has been decrypted and saved to ~/project/github_token.sh" + else + echo "Error: decrypted_token.txt was not created. Decryption likely failed." + fi rm decrypt_token.js decrypted_token.txt - - echo "GITHUB_ACCESS_TOKEN has been decrypted and set as an environment variable." else echo "No GITHUB_ACCESS_TOKEN provided, skipping decryption." fi @@ -119,6 +122,10 @@ jobs: - run: name: Clone repository command: | + if [ -f ~/project/github_token.sh ]; then + source ~/project/github_token.sh + fi + REPO_URL="<< pipeline.parameters.REPOSITORY >>" REPO_PATH=$(echo $REPO_URL | sed 's#https://github.com/##') From 5aae4c4ad9a97258b785993a89a6eb575d6c2540 Mon Sep 17 00:00:00 2001 From: Cheran Date: Thu, 12 Sep 2024 11:13:39 +0530 Subject: [PATCH 16/26] Combine these steps --- .circleci/config.yml | 66 ++++++++++++++++++++------------------------ 1 file changed, 30 insertions(+), 36 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 7cb20e1..f9a8c1b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -49,31 +49,6 @@ jobs: command: | sudo apt-get update && sudo apt-get install -y awscli npm install node-forge - - run: - name: Decrypt GITHUB_ACCESS_TOKEN - command: | - if [ -n "<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" ]; then - export GITHUB_ACCESS_TOKEN="<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" - echo "const forge = require('node-forge');" > decrypt_token.js - echo "const fs = require('fs');" >> decrypt_token.js - echo "const privateKeyPem = Buffer.from(process.env.BASE64_ENCODED_PRIVATE_KEY, 'base64').toString('utf8');" >> decrypt_token.js - echo "const privateKey = forge.pki.privateKeyFromPem(privateKeyPem);" >> decrypt_token.js - echo "const encryptedToken = forge.util.decode64(process.env.GITHUB_ACCESS_TOKEN);" >> decrypt_token.js - echo "const decryptedToken = privateKey.decrypt(encryptedToken, 'RSA-OAEP', { md: forge.md.sha256.create(), mgf1: { md: forge.md.sha1.create() } });" >> decrypt_token.js - echo "fs.writeFileSync('decrypted_token.txt', decryptedToken);" >> decrypt_token.js - - node decrypt_token.js - if [ -f decrypted_token.txt ]; then - echo 'export GITHUB_ACCESS_TOKEN=$(cat decrypted_token.txt)' > ~/project/github_token.sh - source ~/project/github_token.sh - echo "GITHUB_ACCESS_TOKEN has been decrypted and saved to ~/project/github_token.sh" - else - echo "Error: decrypted_token.txt was not created. Decryption likely failed." - fi - rm decrypt_token.js decrypted_token.txt - else - echo "No GITHUB_ACCESS_TOKEN provided, skipping decryption." - fi - run: name: Decode environment variables command: | 
@@ -120,27 +95,46 @@ jobs: - equal: ["<< pipeline.parameters.SOURCE_TYPE >>", "github"] steps: - run: - name: Clone repository + name: Decrypt GITHUB_ACCESS_TOKEN and Clone Repository command: | - if [ -f ~/project/github_token.sh ]; then - source ~/project/github_token.sh - fi - REPO_URL="<< pipeline.parameters.REPOSITORY >>" REPO_PATH=$(echo $REPO_URL | sed 's#https://github.com/##') echo "Debugging information:" echo "REPO_URL: $REPO_URL" echo "REPO_PATH: $REPO_PATH" - echo "GITHUB_ACCESS_TOKEN is set: $([[ -n "$GITHUB_ACCESS_TOKEN" ]] && echo 'Yes' || echo 'No')" - - if [ -n "$GITHUB_ACCESS_TOKEN" ]; then - echo "Cloning with token..." - git clone "https://$GITHUB_ACCESS_TOKEN@github.com/${REPO_PATH}" ~/project/repository + echo "GITHUB_ACCESS_TOKEN parameter is set: $([[ -n "<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" ]] && echo 'Yes' || echo 'No')" + echo "BASE64_ENCODED_PRIVATE_KEY is set: $([[ -n "$BASE64_ENCODED_PRIVATE_KEY" ]] && echo 'Yes' || echo 'No')" + + if [ -n "<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" ] && [ -n "$BASE64_ENCODED_PRIVATE_KEY" ]; then + echo "Decrypting GITHUB_ACCESS_TOKEN..." + ENCRYPTED_TOKEN="<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" + + echo "const forge = require('node-forge');" > decrypt_token.js + echo "const privateKeyPem = Buffer.from(process.env.BASE64_ENCODED_PRIVATE_KEY, 'base64').toString('utf8');" >> decrypt_token.js + echo "const privateKey = forge.pki.privateKeyFromPem(privateKeyPem);" >> decrypt_token.js + echo "const encryptedToken = forge.util.decode64('$ENCRYPTED_TOKEN');" >> decrypt_token.js + echo "const decryptedToken = privateKey.decrypt(encryptedToken, 'RSA-OAEP', { md: forge.md.sha256.create(), mgf1: { md: forge.md.sha1.create() } });" >> decrypt_token.js + echo "console.log(decryptedToken);" >> decrypt_token.js + + DECRYPTED_TOKEN=$(node decrypt_token.js) + rm decrypt_token.js + + if [ -n "$DECRYPTED_TOKEN" ]; then + echo "GITHUB_ACCESS_TOKEN has been decrypted successfully." 
+ echo "Cloning with token..." + git clone "https://$DECRYPTED_TOKEN@github.com/${REPO_PATH}" ~/project/repository + else + echo "Error: Failed to decrypt GITHUB_ACCESS_TOKEN." + exit 1 + fi else - echo "Cloning without token..." + echo "GITHUB_ACCESS_TOKEN or BASE64_ENCODED_PRIVATE_KEY is missing. Cloning without token..." git clone "$REPO_URL" ~/project/repository fi + + # Clear the decrypted token from memory + DECRYPTED_TOKEN="" - run: name: Run build command working_directory: ~/project/repository From cf2eb3bff18079fb1ca23837574b93567d008713 Mon Sep 17 00:00:00 2001 From: Cheran Date: Wed, 18 Sep 2024 15:51:32 +0530 Subject: [PATCH 17/26] [ENG-179] Allow env var for node version (#16) * Allow env var for node version * Use same base image * Add support for secrets * Update env vars * Formatting * Remove some caching * Remove caching * Simplify this logic * Use existing method to create script * Minor lint fixes * More formatting --- .circleci/config.yml | 243 ++++++++++++++++++------------------------- 1 file changed, 104 insertions(+), 139 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index f9a8c1b..cad017a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -1,92 +1,114 @@ version: 2.1 parameters: - SOURCE_TYPE: + BUILD_COMMAND: type: string - default: "github" - S3_URL: + default: "npm run build" + BUILD_DIR: type: string default: "" - REPOSITORY: + ENVIRONMENT: type: string - default: "https://github.com/thales-markets/thales-sport-markets" - REF: + default: "default" + enum: ["default", "development", "staging", "sepolia-staging"] + ENVIRONMENT_VARIABLES: type: string default: "" - BUILD_DIR: + GITHUB_ACCESS_TOKEN: type: string default: "" - PACKAGE_INSTALL_COMMAND: + NODE_VERSION: type: string - default: "export NODE_OPTIONS=--openssl-legacy-provider && npm install" - BUILD_COMMAND: + default: "22.4.1" + ONE_CLICK_SERVER_URL: type: string - default: "npm run build" + default: "" OUTPUT_DIR: type: string default: "" - ONE_CLICK_SERVER_URL: + PACKAGE_INSTALL_COMMAND: + type: string + default: "export NODE_OPTIONS=--openssl-legacy-provider && npm install" + REF: type: string default: "" - ENVIRONMENT_VARIABLES: + REPOSITORY: type: string - default: "" # Base64 encoded - ENVIRONMENT: + default: "https://github.com/thales-markets/thales-sport-markets" + S3_URL: type: string - default: "default" - enum: ["default", "development", "staging", "sepolia-staging"] - GITHUB_ACCESS_TOKEN: + default: "" + SECRETS: type: string default: "" + SOURCE_TYPE: + type: string + default: "github" jobs: publish: docker: - - image: cimg/node:22.4.1 + - image: cimg/base:stable steps: - run: - name: Install dependencies + name: Install AWS CLI command: | - sudo apt-get update && sudo apt-get install -y awscli - npm install node-forge + if ! command -v aws &> /dev/null; then + sudo apt-get update && sudo apt-get install -y awscli + fi + - run: - name: Decode environment variables + name: Install NVM and Node.js command: | - # echo "Decoding environment variables..." 
- # echo "<< pipeline.parameters.ENVIRONMENT_VARIABLES >>" > ~/project/encrypted_data.txt - - # # Create a JavaScript script to decrypt the environment variables - # echo "const forge = require('node-forge');" > decrypt.js - # echo "const fs = require('fs');" >> decrypt.js - # echo "const path = require('path');" >> decrypt.js - # echo "const privateKeyPem = Buffer.from(process.env.BASE64_ENCODED_PRIVATE_KEY, 'base64').toString('utf8');" >> decrypt.js - # echo "const privateKey = forge.pki.privateKeyFromPem(privateKeyPem);" >> decrypt.js - # echo "const encryptedData = fs.readFileSync(path.join('/home/circleci/project/encrypted_data.txt'), 'utf8');" >> decrypt.js - # echo "const decodedData = forge.util.decode64(encryptedData);" >> decrypt.js - # echo "const decryptedData = privateKey.decrypt(decodedData, 'RSA-OAEP', { md: forge.md.sha256.create(), mgf1: { md: forge.md.sha1.create() } });" >> decrypt.js - # echo "fs.writeFileSync(path.join('/home/circleci/project/decrypted_env.txt'), decryptedData);" >> decrypt.js + if [ ! -d "$HOME/.nvm" ]; then + curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash + fi + export NVM_DIR="$HOME/.nvm" + [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" + nvm install << pipeline.parameters.NODE_VERSION >> + nvm use << pipeline.parameters.NODE_VERSION >> + echo 'export NVM_DIR="$HOME/.nvm"' >> $BASH_ENV + echo '[ -s "$NVM_DIR/nvm.sh" ] && \. 
"$NVM_DIR/nvm.sh"' >> $BASH_ENV - # # Run the JavaScript script - # node decrypt.js + - run: + name: Install Dependencies + command: | + npm install node-forge - echo "<< pipeline.parameters.ENVIRONMENT_VARIABLES >>" > /home/circleci/project/decrypted_env.txt - sed -i 's/^/export /' /home/circleci/project/decrypted_env.txt + - run: + name: Create Decryption Script + command: | + echo "const forge = require('node-forge');" > ~/project/decrypt.js + echo "const fs = require('fs');" >> ~/project/decrypt.js + echo "" >> ~/project/decrypt.js + echo "function decryptData(encryptedData) {" >> ~/project/decrypt.js + echo " const privateKeyPem = Buffer.from(process.env.BASE64_ENCODED_PRIVATE_KEY, 'base64').toString('utf8');" >> ~/project/decrypt.js + echo " const privateKey = forge.pki.privateKeyFromPem(privateKeyPem);" >> ~/project/decrypt.js + echo " const decodedData = forge.util.decode64(encryptedData);" >> ~/project/decrypt.js + echo " return privateKey.decrypt(decodedData, 'RSA-OAEP', {" >> ~/project/decrypt.js + echo " md: forge.md.sha256.create()," >> ~/project/decrypt.js + echo " mgf1: { md: forge.md.sha1.create() }" >> ~/project/decrypt.js + echo " });" >> ~/project/decrypt.js + echo "}" >> ~/project/decrypt.js + echo "" >> ~/project/decrypt.js + echo "const encryptedData = process.argv[2];" >> ~/project/decrypt.js + echo "console.log(decryptData(encryptedData));" >> ~/project/decrypt.js - echo "Environment variables after sourcing:" - source /home/circleci/project/decrypted_env.txt - env + - run: + name: Decode secrets and environment variables + command: | + if [ -n "<< pipeline.parameters.SECRETS >>" ]; then + echo "Decoding secrets..." 
+ node ~/project/decrypt.js "<< pipeline.parameters.SECRETS >>" > ~/project/decrypted_secrets.txt + sed -i 's/^/export /' ~/project/decrypted_secrets.txt + source ~/project/decrypted_secrets.txt + fi - # Log parameter values - echo "Source type: << pipeline.parameters.SOURCE_TYPE >>" - echo "S3 URL: << pipeline.parameters.S3_URL >>" - echo "Repository: << pipeline.parameters.REPOSITORY >>" - echo "Reference: << pipeline.parameters.REF >>" - echo "Build directory: << pipeline.parameters.BUILD_DIR >>" - echo "Package install command: << pipeline.parameters.PACKAGE_INSTALL_COMMAND >>" - echo "Build command: << pipeline.parameters.BUILD_COMMAND >>" - echo "Output directory: << pipeline.parameters.OUTPUT_DIR >>" - echo "One click server URL: << pipeline.parameters.ONE_CLICK_SERVER_URL >>" - echo "Environment: << pipeline.parameters.ENVIRONMENT >>" + if [ -n "<< pipeline.parameters.ENVIRONMENT_VARIABLES >>" ]; then + echo "Processing environment variables..." + echo "<< pipeline.parameters.ENVIRONMENT_VARIABLES >>" | sed 's/^/export /' > ~/project/environment_variables.txt + source ~/project/environment_variables.txt + fi - when: condition: 
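Review bot: In the `Decode secrets and environment variables` step the decrypted `SECRETS` blob is written to `~/project/decrypted_secrets.txt` and never removed, so the plaintext stays on disk while the cloned repository's install and build commands run later in the same job. The `source` calls only affect this step's shell, and the visible `Build Project` step sources `~/project/.env` rather than either of these files, so the exported values do not appear to reach the build at all — worth confirming. Because the content is prefixed with `export ` and sourced, anything in it is executed as shell; parsing `KEY=VALUE` lines explicitly would be stricter. The toolchain is also fetched unpinned or unverified (`curl … install.sh | bash`, `npm install node-forge`, `cimg/base:stable`) in the job that holds `BASE64_ENCODED_PRIVATE_KEY`; pinning node-forge to an exact version and the image to a digest, and checking the installer against a known hash, would narrow that.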
@@ -95,73 +117,28 @@ jobs: - equal: ["<< pipeline.parameters.SOURCE_TYPE >>", "github"] steps: - run: - name: Decrypt GITHUB_ACCESS_TOKEN and Clone Repository + name: Clone Repository command: | REPO_URL="<< pipeline.parameters.REPOSITORY >>" REPO_PATH=$(echo $REPO_URL | sed 's#https://github.com/##') - - echo "Debugging information:" - echo "REPO_URL: $REPO_URL" - echo "REPO_PATH: $REPO_PATH" - echo "GITHUB_ACCESS_TOKEN parameter is set: $([[ -n "<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" ]] && echo 'Yes' || echo 'No')" - echo "BASE64_ENCODED_PRIVATE_KEY is set: $([[ -n "$BASE64_ENCODED_PRIVATE_KEY" ]] && echo 'Yes' || echo 'No')" if [ -n "<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" ] && [ -n "$BASE64_ENCODED_PRIVATE_KEY" ]; then - echo "Decrypting GITHUB_ACCESS_TOKEN..." ENCRYPTED_TOKEN="<< pipeline.parameters.GITHUB_ACCESS_TOKEN >>" - - echo "const forge = require('node-forge');" > decrypt_token.js - echo "const privateKeyPem = Buffer.from(process.env.BASE64_ENCODED_PRIVATE_KEY, 'base64').toString('utf8');" >> decrypt_token.js - echo "const privateKey = forge.pki.privateKeyFromPem(privateKeyPem);" >> decrypt_token.js - echo "const encryptedToken = forge.util.decode64('$ENCRYPTED_TOKEN');" >> decrypt_token.js - echo "const decryptedToken = privateKey.decrypt(encryptedToken, 'RSA-OAEP', { md: forge.md.sha256.create(), mgf1: { md: forge.md.sha1.create() } });" >> decrypt_token.js - echo "console.log(decryptedToken);" >> decrypt_token.js - - DECRYPTED_TOKEN=$(node decrypt_token.js) - rm decrypt_token.js - - if [ -n "$DECRYPTED_TOKEN" ]; then - echo "GITHUB_ACCESS_TOKEN has been decrypted successfully." - echo "Cloning with token..." - git clone "https://$DECRYPTED_TOKEN@github.com/${REPO_PATH}" ~/project/repository - else - echo "Error: Failed to decrypt GITHUB_ACCESS_TOKEN." 
- exit 1 - fi + DECRYPTED_TOKEN=$(node ~/project/decrypt.js "$ENCRYPTED_TOKEN") + git clone "https://$DECRYPTED_TOKEN@github.com/${REPO_PATH}" ~/project/repository + unset DECRYPTED_TOKEN else - echo "GITHUB_ACCESS_TOKEN or BASE64_ENCODED_PRIVATE_KEY is missing. Cloning without token..." git clone "$REPO_URL" ~/project/repository fi - # Clear the decrypted token from memory - DECRYPTED_TOKEN="" - run: - name: Run build command + name: Build Project working_directory: ~/project/repository command: | - set -e # Ensure that the script fails if any command fails - if [ -f ~/project/.env ]; then - source ~/project/.env - fi - - # Navigate to the build directory if specified - if [ -n "<< pipeline.parameters.BUILD_DIR >>" ]; then - echo "Changing to build directory: << pipeline.parameters.BUILD_DIR >>" - cd "<< pipeline.parameters.BUILD_DIR >>" - else - echo "No build directory specified, staying in repository root." - fi - - # Run package install command if specified - if [ -n "<< pipeline.parameters.PACKAGE_INSTALL_COMMAND >>" ]; then - echo "Running package install command..." - eval "<< pipeline.parameters.PACKAGE_INSTALL_COMMAND >>" - else - echo "No package install command specified." - fi - - # Run build command - echo "Running build command..." + set -e + [ -f ~/project/.env ] && source ~/project/.env + [ -n "<< pipeline.parameters.BUILD_DIR >>" ] && cd "<< pipeline.parameters.BUILD_DIR >>" + [ -n "<< pipeline.parameters.PACKAGE_INSTALL_COMMAND >>" ] && eval "<< pipeline.parameters.PACKAGE_INSTALL_COMMAND >>" eval "<< pipeline.parameters.BUILD_COMMAND >>" - when: @@ -199,11 +176,7 @@ jobs: name: Check for index.html working_directory: ~/project/repository command: | - OUTPUT_DIR=. - if [ -n "<< pipeline.parameters.OUTPUT_DIR >>" ]; then - OUTPUT_DIR="<< pipeline.parameters.OUTPUT_DIR >>" - fi - + OUTPUT_DIR=${<< pipeline.parameters.OUTPUT_DIR >>:-.} if [ -f "$OUTPUT_DIR/index.html" ]; then echo "index.html found in $OUTPUT_DIR" else 
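Review bot: `Build Project` runs `eval` on the caller-supplied install and build commands, and through them the cloned repository's own scripts, in the same job that decrypts with `BASE64_ENCODED_PRIVATE_KEY` and signs with `CIRCLECI_WEBHOOK_SECRET`; if those are job-level environment variables, as their use suggests, the build can read both. Splitting the job so that decrypt-and-clone runs with the key and hands the tree to a build job that has neither (`persist_to_workspace` / `attach_workspace`, with the secrets in a context attached only to the jobs that need them) would contain that. The clone step also no longer checks that `DECRYPTED_TOKEN` is non-empty before building the URL, and the token still ends up in `~/project/repository/.git/config`, which `unset DECRYPTED_TOKEN` does not clear.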
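Review bot: `OUTPUT_DIR=${<< pipeline.parameters.OUTPUT_DIR >>:-.}` is expanded by CircleCI before bash sees it, so with the empty default it becomes `${:-.}` (a bad substitution) and with a value such as `dist` (a constructed example) it becomes `${dist:-.}`, which looks up a shell variable of that name instead of using the path. The quoting added in the following patch (`@@ -176,7 +176,7 @@`) does not change that. Assigning first and defaulting second works: `OUTPUT_DIR="<< pipeline.parameters.OUTPUT_DIR >>"` followed by `OUTPUT_DIR="${OUTPUT_DIR:-.}"`. The `else` branch of this check lies outside the hunk.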
@@ -212,64 +185,56 @@ jobs: fi - run: - name: Create earthfast release + name: Create Earthfast Bundle working_directory: ~/project command: | OUTPUT_DIR="<< pipeline.parameters.OUTPUT_DIR >>" - if [ -z "$OUTPUT_DIR" ] || [ "$OUTPUT_DIR" = "." ]; then - BUNDLE_PATH="repository" - else - BUNDLE_PATH="repository/$OUTPUT_DIR" - fi + BUNDLE_PATH="${OUTPUT_DIR:+repository/$OUTPUT_DIR}" + BUNDLE_PATH="${BUNDLE_PATH:-repository}" - echo "Creating bundle from path: $BUNDLE_PATH" bundle_filename="$(npx --package=earthfast-cli@0.7.1 --yes earthfast bundle create earthfast-bundle "$BUNDLE_PATH")" - checksum="$(npx --package=earthfast-cli@0.7.1 --yes earthfast bundle checksum $bundle_filename)" echo $checksum > ~/project/repository/checksum echo "Bundle Filename: $bundle_filename" echo "Checksum: $checksum" - # store artifacts in circleci for download - store_artifacts: path: earthfast-bundle.tgz - store_artifacts: path: ~/project/repository/checksum + - run: - name: Notify one click server of the outcome + name: Notify One Click Server when: always command: | ONE_CLICK_SERVER_URL="<< pipeline.parameters.ONE_CLICK_SERVER_URL >>" PIPELINE_ID="<< pipeline.id >>" - - BUNDLE_URL="" - CHECKSUM="" - STATUS="failure" - CHECKSUM_PATH="$HOME/project/repository/checksum" + if [ -f "$CHECKSUM_PATH" ]; then CHECKSUM=$(cat "$CHECKSUM_PATH") STATUS="success" BUNDLE_URL="https://output.circle-artifacts.com/output/job/${CIRCLE_WORKFLOW_JOB_ID}/artifacts/${CIRCLE_NODE_INDEX}/earthfast-bundle.tgz" else - echo "Checksum file not found at $CHECKSUM_PATH" + STATUS="failure" fi - echo "Bundle URL: $BUNDLE_URL" - echo "Pipeline ID: $PIPELINE_ID" - echo "Checksum: $CHECKSUM" - echo "Status: $STATUS" - echo "One Click Server URL: $ONE_CLICK_SERVER_URL" - - DATA='{"checksum":"'"$CHECKSUM"'","bundleUrl":"'"$BUNDLE_URL"'","pipelineId":"'"$PIPELINE_ID"'","status":"'"$STATUS"'"}' - echo "Data Payload: $DATA" + DATA=$(jq -n \ + --arg checksum "$CHECKSUM" \ + --arg bundleUrl "$BUNDLE_URL" \ + --arg 
pipelineId "$PIPELINE_ID" \ + --arg status "$STATUS" \ + '{checksum: $checksum, bundleUrl: $bundleUrl, pipelineId: $pipelineId, status: $status}') SIGNATURE=$(echo -n "$DATA" | openssl dgst -sha256 -hmac "$CIRCLECI_WEBHOOK_SECRET" | sed 's/^.* //') FULL_URL="${ONE_CLICK_SERVER_URL}/circleci/notify" - echo "Full URL: $FULL_URL" - curl -X POST -H "Content-Type: application/json" -H "x-circleci-signature: $SIGNATURE" -d "$DATA" "$FULL_URL" + curl -X POST \ + -H "Content-Type: application/json" \ + -H "x-circleci-signature: $SIGNATURE" \ + -d "$DATA" \ + "$FULL_URL" workflows: version: 2 From 3eead18991d1475fd62300432c6d79e6dd25704f Mon Sep 17 00:00:00 2001 From: Cheran Date: Wed, 18 Sep 2024 15:53:34 +0530 Subject: [PATCH 18/26] Fix for index.html check --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index cad017a..4aeda28 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -176,7 +176,7 @@ jobs: name: Check for index.html working_directory: ~/project/repository command: | - OUTPUT_DIR=${<< pipeline.parameters.OUTPUT_DIR >>:-.} + OUTPUT_DIR="${<< pipeline.parameters.OUTPUT_DIR >>:-.}" if [ -f "$OUTPUT_DIR/index.html" ]; then echo "index.html found in $OUTPUT_DIR" else From eea223fa801ac054cc9c7d1780c9b65517a7807f Mon Sep 17 00:00:00 2001 From: Cheran Date: Wed, 18 Sep 2024 15:55:57 +0530 Subject: [PATCH 19/26] Add special case for . --- .circleci/config.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 4aeda28..1a206f1 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
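Review bot: `jq -n` without `-c` pretty-prints, so `DATA` is a multi-line document and the HMAC in `SIGNATURE` is computed over those exact bytes; if the receiver verifies against a compact re-serialisation of the body (not visible here), the signatures will not match. `DATA=$(jq -cn --arg checksum "$CHECKSUM" ...)` keeps jq's escaping while emitting the single-line form that the previous concatenation produced. Patch 21/26 later reverts to the hand-built string for a signature error, which brings back unescaped interpolation of `$CHECKSUM`, `$BUNDLE_URL` and `$STATUS` into JSON. The `curl` call also has no `--fail`, so a rejected notification still leaves the step green.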
@@ -176,7 +176,10 @@ jobs: name: Check for index.html working_directory: ~/project/repository command: | - OUTPUT_DIR="${<< pipeline.parameters.OUTPUT_DIR >>:-.}" + OUTPUT_DIR="${<< pipeline.parameters.OUTPUT_DIR >>:-}" + if [ -z "$OUTPUT_DIR" ]; then + OUTPUT_DIR="." + fi if [ -f "$OUTPUT_DIR/index.html" ]; then echo "index.html found in $OUTPUT_DIR" else From 0c85708d334e2ef919bef9703d93113e68cd74e9 Mon Sep 17 00:00:00 2001 From: Cheran Date: Wed, 18 Sep 2024 15:57:12 +0530 Subject: [PATCH 20/26] Revert this code --- .circleci/config.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 1a206f1..3e57eb5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -176,9 +176,9 @@ jobs: name: Check for index.html working_directory: ~/project/repository command: | - OUTPUT_DIR="${<< pipeline.parameters.OUTPUT_DIR >>:-}" - if [ -z "$OUTPUT_DIR" ]; then - OUTPUT_DIR="." + OUTPUT_DIR=. + if [ -n "<< pipeline.parameters.OUTPUT_DIR >>" ]; then + OUTPUT_DIR="<< pipeline.parameters.OUTPUT_DIR >>" fi if [ -f "$OUTPUT_DIR/index.html" ]; then echo "index.html found in $OUTPUT_DIR" From 316b182cc291eb8c465b9211cc09f85042d83f8b Mon Sep 17 00:00:00 2001 From: Cheran Date: Wed, 18 Sep 2024 16:26:58 +0530 Subject: [PATCH 21/26] Revert this because signature error --- .circleci/config.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 3e57eb5..e07ccd2 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -223,12 +223,7 @@ jobs: STATUS="failure" fi - DATA=$(jq -n \ - --arg checksum "$CHECKSUM" \ - --arg bundleUrl "$BUNDLE_URL" \ - --arg pipelineId "$PIPELINE_ID" \ - --arg status "$STATUS" \ - '{checksum: $checksum, bundleUrl: $bundleUrl, pipelineId: $pipelineId, status: $status}') + DATA='{"checksum":"'"$CHECKSUM"'","bundleUrl":"'"$BUNDLE_URL"'","pipelineId":"'"$PIPELINE_ID"'","status":"'"$STATUS"'"}' SIGNATURE=$(echo -n "$DATA" | openssl dgst -sha256 -hmac "$CIRCLECI_WEBHOOK_SECRET" | sed 's/^.* //') FULL_URL="${ONE_CLICK_SERVER_URL}/circleci/notify" From e5922cd40102814544ee949ada68ad0c2153163c Mon Sep 17 00:00:00 2001 From: Cheran Date: Wed, 18 Sep 2024 17:47:13 +0530 Subject: [PATCH 22/26] Add custom branch param --- .circleci/config.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index e07ccd2..65d1188 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -131,6 +131,13 @@ jobs: git clone "$REPO_URL" ~/project/repository fi + cd ~/project/repository + if [ -n "<< pipeline.parameters.REF >>" ]; then + git checkout "<< pipeline.parameters.REF >>" + else + echo "No branch specified, staying on default branch." + fi + - run: name: Build Project working_directory: ~/project/repository From c8759c1830bb010fdf8b9ecff21ef33b32fbe1d0 Mon Sep 17 00:00:00 2001 From: Dheeraj Manjunath Date: Thu, 19 Sep 2024 21:55:11 -0400 Subject: [PATCH 23/26] Add mirror workflow --- .github/workflows/mirror-private-repo.yml | 46 +++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 .github/workflows/mirror-private-repo.yml diff --git a/.github/workflows/mirror-private-repo.yml b/.github/workflows/mirror-private-repo.yml new file mode 100644 index 0000000..0864a44 --- /dev/null +++ b/.github/workflows/mirror-private-repo.yml 
@@ -0,0 +1,46 @@ +# This workflow mirrors the public repository to a private repository +# copies all branches and tags from the public repository to the private repository +name: Mirror to Private Repository + +on: + push: + branches: + - main + - dev + - dm-mirror-private-repo-2 + workflow_dispatch: # Keeps manual triggering option + +jobs: + mirror_repository: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 # Fetch all history for all branches and tags + + - name: Push to private repository + env: + GH_TOKEN: ${{ secrets.GH_PAT }} + TARGET_PRIVATE_MIRROR_REPO: ${{ secrets.TARGET_PRIVATE_MIRROR_REPO }} + run: | + # Configure Git + git config user.name github-actions + git config user.email github-actions@github.com + + if [ -z "$GH_TOKEN" ]; then + echo "Error: GH_PAT is not set" + exit 1 + fi + + # Clone the source repository + git clone --mirror https://${GH_TOKEN}@github.com/earthfast/dashboard-runner.git source-repo + cd source-repo + + # Push branches to the private repository + git push --prune https://${GH_TOKEN}@github.com/${TARGET_PRIVATE_MIRROR_REPO}.git +refs/heads/*:refs/heads/* + + # Push tags to the private repository + git push --prune https://${GH_TOKEN}@github.com/${TARGET_PRIVATE_MIRROR_REPO}.git +refs/tags/*:refs/tags/* + + echo "Repository mirrored successfully!" \ No newline at end of file From 32de7e700187e2d09716ea0be303e727aad8b99e Mon Sep 17 00:00:00 2001 From: Dheeraj Manjunath Date: Thu, 19 Sep 2024 22:19:27 -0400 Subject: [PATCH 24/26] remove test branch --- .github/workflows/mirror-private-repo.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/mirror-private-repo.yml b/.github/workflows/mirror-private-repo.yml index 0864a44..a75deb3 100644 --- a/.github/workflows/mirror-private-repo.yml +++ b/.github/workflows/mirror-private-repo.yml 
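Review bot: The PAT is embedded in the clone URL as well as in both push URLs, although the header comment describes the source as the public repository, in which case `git clone --mirror https://github.com/earthfast/dashboard-runner.git source-repo` needs no credential. A URL-embedded token is written to `source-repo/config` and appears in git's process arguments, so limiting it to the two pushes narrows its exposure. The workflow has no `permissions:` block and `actions/checkout@v4` keeps its default credential persistence; adding `permissions:` with `contents: read` at the top level and `persist-credentials: false` under the checkout's `with:` keeps the job token minimal. `git push --prune` with `+refs/heads/*` deletes and force-overwrites branches in whatever `TARGET_PRIVATE_MIRROR_REPO` names, so that secret's value deserves a comment stating the expected `owner/name` form.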
@@ -7,7 +7,6 @@ on: branches: - main - dev - - dm-mirror-private-repo-2 workflow_dispatch: # Keeps manual triggering option jobs: From 5ed5ab1d77ec92dd0c64b11f69cfd18f28280aa4 Mon Sep 17 00:00:00 2001 From: Cheran Date: Mon, 23 Sep 2024 16:26:28 +0530 Subject: [PATCH 25/26] Add test for secrets --- .circleci/config.yml | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 65d1188..443576d 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -91,17 +91,32 @@ jobs: echo " });" >> ~/project/decrypt.js echo "}" >> ~/project/decrypt.js echo "" >> ~/project/decrypt.js - echo "const encryptedData = process.argv[2];" >> ~/project/decrypt.js - echo "console.log(decryptData(encryptedData));" >> ~/project/decrypt.js + echo "const input = process.argv[2];" >> ~/project/decrypt.js + echo "try {" >> ~/project/decrypt.js + echo " const parsedJson = JSON.parse(input);" >> ~/project/decrypt.js + echo " const decryptedJson = Object.keys(parsedJson).reduce((acc, key) => {" >> ~/project/decrypt.js + echo " acc[key] = decryptData(parsedJson[key]);" >> ~/project/decrypt.js + echo " return acc;" >> ~/project/decrypt.js + echo " }, {});" >> ~/project/decrypt.js + echo " console.log(JSON.stringify(decryptedJson));" >> ~/project/decrypt.js + echo "} catch (e) {" >> ~/project/decrypt.js + echo " // If parsing fails, assume it's a single encrypted token" >> ~/project/decrypt.js + echo " console.log(decryptData(input));" >> ~/project/decrypt.js + echo "}" >> ~/project/decrypt.js - run: name: Decode secrets and environment variables command: | if [ -n "<< pipeline.parameters.SECRETS >>" ]; then echo "Decoding secrets..." - node ~/project/decrypt.js "<< pipeline.parameters.SECRETS >>" > ~/project/decrypted_secrets.txt - sed -i 's/^/export /' ~/project/decrypted_secrets.txt + DECRYPTED_JSON=$(node ~/project/decrypt.js '<< pipeline.parameters.SECRETS >>') + if [[ $DECRYPTED_JSON == {* ]]; then + echo "$DECRYPTED_JSON" | jq -r 'to_entries | map("export \(.key)=\(.value|@sh)") | .[]' > ~/project/decrypted_secrets.txt + else + echo "export DECRYPTED_SECRET=$DECRYPTED_JSON" > ~/project/decrypted_secrets.txt + fi source ~/project/decrypted_secrets.txt + cat ~/project/decrypted_secrets.txt fi if [ -n "<< pipeline.parameters.ENVIRONMENT_VARIABLES >>" ]; then From ec63334217bc54b67fe59048230a925eb0ee77c1 Mon Sep 17 00:00:00 2001 
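Review bot: `cat ~/project/decrypted_secrets.txt` prints every decrypted secret into the CircleCI step output, where anyone with access to the build log can read it; that line should be removed before merge. In the non-JSON branch, `echo "export DECRYPTED_SECRET=$DECRYPTED_JSON"` writes the value unquoted into a file that is then `source`d, so a value containing spaces or shell metacharacters is interpreted by the shell; `printf 'export DECRYPTED_SECRET=%q\n' "$DECRYPTED_JSON"` matches the `@sh` quoting used in the JSON branch. The JSON keys are emitted as-is in `export \(.key)=`, so they should be filtered to valid variable names first, for example `select(.key | test("^[A-Za-z_][A-Za-z0-9_]*$"))` before the `map`. The file is left in `~/project` with default permissions for the later build steps to read. Both run steps extend beyond the hunk.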
From: Dheeraj Manjunath Date: Mon, 23 Sep 2024 10:00:00 -0400 Subject: [PATCH 26/26] Add CI Trigger param to circleci config (#20) --- .circleci/config.yml | 13 +++++++++++++ .github/workflows/mirror-private-repo.yml | 7 +++++++ .github/workflows/trigger-circleci.yml | 11 ++++++++++- 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 443576d..df7688b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -44,12 +44,25 @@ parameters: SOURCE_TYPE: type: string default: "github" + CI_TRIGGER: + type: boolean + default: true jobs: publish: docker: - image: cimg/base:stable steps: + - run: + name: Check CI_TRIGGER + command: | + if [ "<< pipeline.parameters.CI_TRIGGER >>" != true ]; then + echo "CI_TRIGGER is not true. Exiting with success." + circleci-agent step halt + else + echo "CI_TRIGGER is true. Continuing with the workflow." + fi + - run: name: Install AWS CLI command: | diff --git a/.github/workflows/mirror-private-repo.yml b/.github/workflows/mirror-private-repo.yml index a75deb3..fc9f89e 100644 --- a/.github/workflows/mirror-private-repo.yml +++ b/.github/workflows/mirror-private-repo.yml @@ -32,6 +32,13 @@ jobs: exit 1 fi + # Ensure this is only run in the dashboard-runner repository + REPO_NAME=$(basename -s .git `git config --get remote.origin.url`) + if [ "$REPO_NAME" != "dashboard-runner" ]; then + echo "This action is only allowed to run in the dashboard-runner repository." + exit 0 + fi + # Clone the source repository git clone --mirror https://${GH_TOKEN}@github.com/earthfast/dashboard-runner.git source-repo cd source-repo diff --git a/.github/workflows/trigger-circleci.yml b/.github/workflows/trigger-circleci.yml index 664c0fe..615d357 100644 --- a/.github/workflows/trigger-circleci.yml +++ b/.github/workflows/trigger-circleci.yml 
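Review bot: With `default: true` the new `Check CI_TRIGGER` step in `.circleci/config.yml` only halts when a caller explicitly sends `false`, so a trigger that omits the parameter still runs the full publish job. If the parameter is meant as an opt-in gate, the default would need to be `false`; the intent is not visible here. The check also runs after the executor has started, whereas `when: << pipeline.parameters.CI_TRIGGER >>` on the workflow would skip the job without starting a container. The workflows section is outside the hunk.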
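Review bot: The guard added to `mirror-private-repo.yml` compares only the basename of `remote.origin.url`, so a fork or any other repository named `dashboard-runner` passes it. `github.repository` carries the owner as well; a job-level `if: github.repository == 'earthfast/dashboard-runner'` checks the full name and skips the job before `GH_PAT` is read into the environment. The same basename check is added to `trigger-circleci.yml` in this patch.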
@@ -24,6 +24,14 @@ jobs: echo "::set-output name=branch::main" fi + - name: Ensure repository is dashboard-runner + run: | + REPO_NAME=$(basename -s .git `git config --get remote.origin.url`) + if [ "$REPO_NAME" != "dashboard-runner" ]; then + echo "This action is only allowed to run in the earthfast/dashboard-runner repository." + exit 0 + fi + - name: Trigger CircleCI Pipeline run: | curl -X POST \ @@ -41,7 +49,8 @@ jobs: "OUTPUT_DIR": ".", "ENVIRONMENT_VARIABLES": "", "ONE_CLICK_SERVER_URL": "https://jorge.ngrok.pro", - "ENVIRONMENT": "${{ steps.env-branch.outputs.environment }}" + "ENVIRONMENT": "${{ steps.env-branch.outputs.environment }}", + "CI_TRIGGER": true } }' \ https://circleci.com/api/v2/project/gh/earthfast/dashboard-runner/pipeline
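Review bot: The new `Ensure repository is dashboard-runner` step does not stop the workflow: `exit 0` ends only that step, successfully, and `Trigger CircleCI Pipeline` runs next regardless of the result. Gating the job or the trigger step with `if: github.repository == 'earthfast/dashboard-runner'` makes the restriction effective and also checks the owner, which the basename comparison ignores. The job definition starts above the hunk.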