Rework tag driven release infrastructure #20

Merged
merged 2 commits into from
Jan 14, 2015

retronym
Member

No description provided.

@retronym retronym force-pushed the topic/tag-driven-release-take-2 branch 5 times, most recently from 6c4932e to c965f79 Compare January 14, 2015 01:09
# SONA_USER
- secure: "XXXXXX"
# SONA_PASS
- secure: "XXXXXX"
Contributor

Where does encrypted_1ce132863fa7_key and companion go?

Member Author

They are referred to in admin/build.sh. Are they provided automagically by Travis? I don't quite understand this part.

Contributor

Right, I meant, why don't they have to be listed in .travis.yml?

Member Author

Here's the log of running genKeyPair.sh

sh -x ./admin/genKeyPair.sh
+ set -e
+ for f in admin/secring.asc.enc admin/secring.asc admin/pubring.asc
+ promptDelete admin/secring.asc.enc
+ [[ -f admin/secring.asc.enc ]]
+ echo About to delete admin/secring.asc.enc, Enter for okay / CTRL-C to cancel
About to delete admin/secring.asc.enc, Enter for okay / CTRL-C to cancel
+ read

+ rm admin/secring.asc.enc
+ for f in admin/secring.asc.enc admin/secring.asc admin/pubring.asc
+ promptDelete admin/secring.asc
+ [[ -f admin/secring.asc ]]
+ for f in admin/secring.asc.enc admin/secring.asc admin/pubring.asc
+ promptDelete admin/pubring.asc
+ [[ -f admin/pubring.asc ]]
+ echo About to delete admin/pubring.asc, Enter for okay / CTRL-C to cancel
About to delete admin/pubring.asc, Enter for okay / CTRL-C to cancel
+ read

+ rm admin/pubring.asc
+ echo Generating key pair. Please enter 1. repo name 2. scala-internals@googlegroups.com, 3. a new passphrase
Generating key pair. Please enter 1. repo name 2. scala-internals@googlegroups.com, 3. a new passphrase
+ cp admin/gpg.sbt project
+ sbt 'set pgpReadOnly := false' 'set pgpPublicRing := file("admin/pubring.asc")' 'set pgpSecretRing := file("admin/secring.asc")' 'pgp-cmd gen-key'
[info] Loading global plugins from /Users/jason/.sbt/0.13/plugins
[info] Loading project definition from /Users/jason/code/scala-java8-compat/project/project
[info] Loading project definition from /Users/jason/code/scala-java8-compat/project
[warn] There may be incompatibilities among your library dependencies.
[warn] Here are some of the libraries that were evicted:
[warn]  * com.typesafe.sbt:sbt-pgp:0.8.1 -> 0.8.3
[warn] Run 'evicted' to see detailed eviction warnings
[info] Set current project to scala-java8-compat (in build file:/Users/jason/code/scala-java8-compat/)
[info] Defining */*:pgpReadOnly
[info] The new value will be used by no settings or tasks.
[info] Reapplying settings...
[info] Set current project to scala-java8-compat (in build file:/Users/jason/code/scala-java8-compat/)
[info] Defining */*:pgpPublicRing
[info] The new value will be used by */*:pgpStaticContext
[info] Reapplying settings...
[info] Set current project to scala-java8-compat (in build file:/Users/jason/code/scala-java8-compat/)
[info] Defining */*:pgpSecretRing
[info] The new value will be used by */*:pgpStaticContext
[info] Reapplying settings...
[info] Set current project to scala-java8-compat (in build file:/Users/jason/code/scala-java8-compat/)
Please enter the name associated with the key: scala-java8-compat
Please enter the email associated with the key: scala-internals@googlegroups.com
Please enter the passphrase for the key: ***************
Please re-enter the passphrase for the key: ***************
[info] Creating a new PGP key, this could take a long time.
[info] Public key := /Users/jason/code/scala-java8-compat/admin/pubring.asc
[info] Secret key := /Users/jason/code/scala-java8-compat/admin/secring.asc
[info] Please do not share your secret key.   Your public key is free to share.
+ rm project/gpg.sbt
+ echo ============================================================================================
============================================================================================
+ echo Encrypting admin/secring.asc. Update K and IV variables in admin/build.sh accordingly.
Encrypting admin/secring.asc. Update K and IV variables in admin/build.sh accordingly.
+ echo ============================================================================================
============================================================================================
+ travis encrypt-file admin/secring.asc
encrypting admin/secring.asc for scala/scala-java8-compat
storing result as secring.asc.enc
storing secure env variables for decryption

Please add the following to your build script (before_install stage in your .travis.yml, for instance):

    openssl aes-256-cbc -K $encrypted_1ce132863fa7_key -iv $encrypted_1ce132863fa7_iv -in secring.asc.enc -out admin/secring.asc -d

Pro Tip: You can add it automatically by running with --add.

Make sure to add secring.asc.enc to the git repository.
Make sure not to add admin/secring.asc to the git repository.
Commit all changes to your .travis.yml.
+ rm admin/secring.asc
+ mv secring.asc.enc admin
+ echo ============================================================================================
============================================================================================
+ echo Encrypting environment variables. Add each to a line in .travis.yml. Include a comment
Encrypting environment variables. Add each to a line in .travis.yml. Include a comment
+ echo with the name of the corresponding variable
with the name of the corresponding variable
+ echo ============================================================================================
============================================================================================
+ read -s -p 'PGP_PASSPHRASE: ' PGP_PASSPHRASE
PGP_PASSPHRASE: + travis encrypt PGP_PASSPHRASE=D1cXBjsw15dLUA4
Please add the following to your .travis.yml file:

  secure: "YwLY+gZ1TQvRYEGMNKIHR6RAinI4UftTpXGEESQqOGIZvfKW3/rZqMGVU1vnEtgBQENH7jrL+ujFsH0K4t36WF3jgnGd/fYhiODuOofi0+ZWG0hcvt0EtM9XguvT7BrmWn1+zTdVuZyz8IYxacVpk6sToDyLwxmjUdGMEMu5qV8="

Contributor

Ah, so Travis does more magic behind the scenes.

Member Author

So I suspect this won't work :(

Contributor

I've noticed the --add option didn't work with travis encrypt for some reason.

Member Author

Oh, I see. It has stored them on the Travis server as a build setting.

Contributor

Cool! Don't underestimate the magic of Travis! :-)

Member Author

`travis encrypt FOO=BAR --add` worked for me. Maybe you tried `travis encrypt --add FOO=BAR`?

In the end I decided not to use --add in this script so we could hand-curate the comments.

@retronym retronym force-pushed the topic/tag-driven-release-take-2 branch from c965f79 to 4bd763b Compare January 14, 2015 01:20
The previous approach of encrypting sensitive.sbt was prone
to leaking passwords to the build log if SBT were to report
an error on a line of code containing a secret.

The commit now switches to encrypting the PGP passphrase and
Sonatype credentials as environment variables. The private key
is still encrypted on disk as it is too large, but now that
we only need to encrypt a single file we can revert to using
the built-in `encrypt-file` command in the Travis CI command
line tool.
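
The decryption step that `travis encrypt-file` prints in the log above, wrapped so that it cannot echo the key and IV under `sh -x` and so that it skips cleanly when the secure variables are absent (Travis does not expose them to pull request builds from forks). This is an added example, not part of the pull request or the project's admin/build.sh; the function name `decrypt_secring` and its return codes are assumptions.

```shell
#!/bin/sh
# Added example, not the project's admin/build.sh. The two variable names are
# the ones printed by `travis encrypt-file` in the log; paths are parameters.
#
# decrypt_secring SRC DST
#   0  DST written
#   1  openssl failed (DST removed)
#   2  secure variables absent, nothing attempted
decrypt_secring() {
  ds_src=$1
  ds_dst=$2
  ds_rc=0
  # Remember whether xtrace is on, then switch it off so `sh -x` / `set -x`
  # cannot echo the expanded key and IV into the build log.
  case $- in *x*) ds_xtrace=1 ;; *) ds_xtrace=0 ;; esac
  set +x
  if [ -z "${encrypted_1ce132863fa7_key:-}" ] ||
     [ -z "${encrypted_1ce132863fa7_iv:-}" ]; then
    echo "secure variables not set; not decrypting $ds_src" >&2
    ds_rc=2
  else
    # Subshell keeps the tightened umask local; DST is created owner-only.
    ( umask 077
      openssl aes-256-cbc -d \
        -K "$encrypted_1ce132863fa7_key" \
        -iv "$encrypted_1ce132863fa7_iv" \
        -in "$ds_src" -out "$ds_dst" 2>/dev/null
    ) || { rm -f "$ds_dst"; ds_rc=1; }
  fi
  [ "$ds_xtrace" -eq 1 ] && set -x
  return "$ds_rc"
}

# Usage in a build script: decrypt_secring admin/secring.asc.enc admin/secring.asc
```

A build script can treat return code 2 as "skip publishing" and any other non-zero code as a failed build.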
@retronym retronym force-pushed the topic/tag-driven-release-take-2 branch from 4bd763b to 4a6cfc9 Compare January 14, 2015 01:22
@adriaanm
Contributor

LGTM! Much smoother.

retronym added a commit that referenced this pull request Jan 14, 2015
@retronym retronym merged commit 2a06bfa into scala:master Jan 14, 2015