ci: use snapshot deploy secret directly

devversion · devversion · commit c608955532ed · 2023-01-05T16:13:08.000+01:00
Instead of encoding the GitHub snapshot robot access token in a file that needs to be decoded by an
ambiguously named secret called `KEY`, the token can be directly stored in the secrets of CircleCI
given easier maintenance and the same risk.

The leakage of the secret still means the GitHub token file could be decoded. We are switching to a
similar model as in the components repo, which also simplifies key rotations etc.
diff --git a/.circleci/dynamic_config.yml b/.circleci/dynamic_config.yml
@@ -317,17 +317,9 @@ jobs:
     steps:
       - custom_attach_workspace
       - install_python
-      - run:
-          name: Decrypt Credentials
-          # Note: when changing the image, you might have to re-encrypt the credentials with a
-          # matching version of openssl.
-          # See https://stackoverflow.com/a/43847627/2116927 for more info.
-          command: |
-            openssl aes-256-cbc -d -in .circleci/github_token -k "${KEY}" -out ~/github_token -md md5
       - run:
           name: Deployment to Snapshot
-          command: |
-            yarn admin snapshots --verbose --githubTokenFile=${HOME}/github_token
+          command: yarn admin snapshots --verbose
       - fail_fast
 
   publish_artifacts:
diff --git a/.circleci/github_token b/.circleci/github_token
diff --git a/scripts/snapshots.ts b/scripts/snapshots.ts
@@ -130,7 +130,6 @@ async function _publishSnapshot(
 
 export interface SnapshotsOptions {
   force?: boolean;
-  githubTokenFile?: string;
   githubToken?: string;
   branch?: string;
 }
@@ -151,11 +150,7 @@ export default async function (opts: SnapshotsOptions, logger: logging.Logger) {
     branch = '' + process.env['CIRCLE_BRANCH'];
   }
 
-  const githubToken = (
-    opts.githubToken ||
-    (opts.githubTokenFile && fs.readFileSync(opts.githubTokenFile, 'utf-8')) ||
-    ''
-  ).trim();
+  const githubToken = (opts.githubToken || process.env.SNAPSHOT_BUILDS_GITHUB_TOKEN || '').trim();
 
   if (githubToken) {
     logger.info('Setting up global git name.');
