From e47148ba64820c0fca0449d2aa59f8431959edb6 Mon Sep 17 00:00:00 2001 From: Marcos Lilljedahl Date: Wed, 30 Mar 2022 18:05:17 -0300 Subject: [PATCH 1/2] ci: Unify keys and add private key for testing purposes This commit enables PR's to run inegration tests by relying on keys with only the necessary permissions to run on CI workloads Signed-off-by: Marcos Lilljedahl --- .github/workflows/test-integration.yml | 4 +--- .github/workflows/test-universe.yml | 4 +--- pkg/universe.dagger.io/netlify/test/test.cue | 8 +++---- pkg/universe.dagger.io/test_secrets.yaml | 21 ---------------- tests/age_key.txt | 4 ++++ tests/secrets_sops.yaml | 25 ++++++++++---------- tests/tasks/gitpull/private_repo.cue | 2 +- 7 files changed, 24 insertions(+), 44 deletions(-) delete mode 100644 pkg/universe.dagger.io/test_secrets.yaml create mode 100644 tests/age_key.txt diff --git a/.github/workflows/test-integration.yml b/.github/workflows/test-integration.yml index 5f177e3d..e6c4d84c 100644 --- a/.github/workflows/test-integration.yml +++ b/.github/workflows/test-integration.yml @@ -57,11 +57,9 @@ jobs: sudo chmod +x /usr/local/bin/sops - name: "Import Dagger private key" - env: - DAGGER_AGE_KEY: ${{ secrets.DAGGER_AGE_KEY }} run: | mkdir -p ~/.config/dagger - echo "$DAGGER_AGE_KEY" > ~/.config/dagger/keys.txt + cp ./tests/age_key.txt ~/.config/dagger/keys.txt - name: "Expose GitHub Runtime" uses: crazy-max/ghaction-github-runtime@v1 diff --git a/.github/workflows/test-universe.yml b/.github/workflows/test-universe.yml index 1ae55d23..4d1a0bd1 100644 --- a/.github/workflows/test-universe.yml +++ b/.github/workflows/test-universe.yml 
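Review bot: The rewritten "Import Dagger private key" step no longer reads `secrets.DAGGER_AGE_KEY`, so, as the commit message intends, it also works for pull requests that receive no repository secrets, and whatever `tests/secrets_sops.yaml` decrypts to is then available to unreviewed PR code. Nothing in the workflow records that this is deliberate; I would add a comment above `run:` such as `# tests/age_key.txt is committed on purpose: everything encrypted to it is public, so only throwaway least-privilege test credentials belong in tests/secrets_sops.yaml`. The same step in `.github/workflows/test-universe.yml` (the next hunk, and PATCH 2/2) wants the same comment. The `DAGGER_AGE_KEY` repository secret appears to be unused after this change and can presumably be deleted from the repository settings. The job's step list starts and ends outside the hunk.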
@@ -49,11 +49,9 @@ jobs: sudo chmod +x /usr/local/bin/sops - name: "Import Dagger private key" - env: - DAGGER_AGE_KEY: ${{ secrets.DAGGER_AGE_KEY }} run: | mkdir -p ~/.config/sops/age - echo "$DAGGER_AGE_KEY" > ~/.config/sops/age/keys.txt + echo ./tests/age_key.txt ~/.config/sops/age/keys.txt - name: "Expose GitHub Runtime" uses: crazy-max/ghaction-github-runtime@v1 diff --git a/pkg/universe.dagger.io/netlify/test/test.cue b/pkg/universe.dagger.io/netlify/test/test.cue index 897d5796..d663aaaf 100644 --- a/pkg/universe.dagger.io/netlify/test/test.cue +++ b/pkg/universe.dagger.io/netlify/test/test.cue @@ -13,7 +13,7 @@ import ( dagger.#Plan & { client: commands: sops: { name: "sops" - args: ["-d", "../../test_secrets.yaml"] + args: ["-d", "../../secrets_sops.yaml"] stdout: dagger.#Secret } @@ -26,7 +26,7 @@ dagger.#Plan & { format: "yaml" } - token: testSecrets.output.netlifyToken.contents + token: testSecrets.output.NETLIFY_TOKEN.contents marker: "hello world" @@ -41,7 +41,7 @@ dagger.#Plan & { simple: { // Deploy to netlify deploy: netlify.#Deploy & { - team: "blocklayer" + team: "dagger-test" token: common.token site: "dagger-test" contents: common.data.output @@ -57,7 +57,7 @@ dagger.#Plan & { swapImage: { // Deploy to netlify deploy: netlify.#Deploy & { - team: "blocklayer" + team: "dagger-test" token: common.token site: "dagger-test" contents: common.data.output diff --git a/pkg/universe.dagger.io/test_secrets.yaml b/pkg/universe.dagger.io/test_secrets.yaml deleted file mode 100644 index 68f4c664..00000000 --- a/pkg/universe.dagger.io/test_secrets.yaml +++ /dev/null 
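Review bot: The new sops argument `"../../secrets_sops.yaml"` under `client: commands: sops` resolves two directories above `netlify/test/`, i.e. to `pkg/universe.dagger.io/secrets_sops.yaml`, but the only secrets file this patch touches is `tests/secrets_sops.yaml` at the repository root and the diffstat creates nothing at the other path. Unless a file or symlink already exists there (not visible in this patch), `sops -d` will fail and the Netlify tests will never receive `NETLIFY_TOKEN`. If the root file is meant, the argument would be `"../../../../tests/secrets_sops.yaml"`, assuming the command runs from the test directory as the old `../../test_secrets.yaml` path suggests. The `dagger.#Plan` body starts and ends outside the hunk.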
@@ -1,21 +0,0 @@ -netlifyToken: ENC[AES256_GCM,data:DeTBgf73iiIDVJZ3i1Rd6Cn9KvJGwh7n8/u/zWKdpaMvU7R1X43JqMbZMg==,iv:0HmdJr7BHKQk+RrCWAzZCkU7BkJ5N5//otgwAgJnQ6w=,tag:DoVYsCnO6HMHXpakX4uBlA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnUEhWbjV3M29oUUJyWk81 - Wk1WQ1E0cmtuVlhNSGxkWUM3WmJXdUYvbzAwCjlFWW9IVmtmTjY1aU1LR2lxWFlT - am9RemNqSDRWK2FDYk1xeGNiTFlWMFUKLS0tIFVrSzBCMERQbnhYb09ReVpFK00v - TG5YUDlFVzlRRFBCdEhsNVlVK1dMRTgKx1TPZWWQiaU8iMni03/ekG+m4rFCcaa4 - JI+ED2d+8411BgZtlss/ukQtwskidvYTvetyWw2jes6o1lhfDv5q2A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-01-20T00:42:44Z" - mac: ENC[AES256_GCM,data:N4dbowNmz34Hn/o1Ofv4g9Z5I7EzcYyrGpXSu9fkczd69zkTpv87uFamEdV/kQM2bbIEm9gS8d0oTi41qsC0iax368YUJmjG6xMptwrrA/mcjRzwXjlPrCZN9454srJw4NXWm0F5/aJQa4XlO65OCLZw+4WCz0wyAWwKzuQNAb0=,iv:EIG55jdEIbVp390uCVJ/rCjJO+s+CsAblH0/CIMNgIc=,tag:dcZDoMsBToikTQ83R0azag==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.1 diff --git a/tests/age_key.txt b/tests/age_key.txt new file mode 100644 index 00000000..1b8e26eb --- /dev/null +++ b/tests/age_key.txt @@ -0,0 +1,4 @@ +# Dagger CI +# created: 2021-05-26T17:10:52-07:00 +# public key: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk +AGE-SECRET-KEY-1R8RRCL7NXA5SHW6HEZCJ5FJG2JJECSNVDHCF533W3CNDJGQL0AVQEA0JK7 diff --git a/tests/secrets_sops.yaml b/tests/secrets_sops.yaml index aa72e3ed..0b54bd92 100644 --- a/tests/secrets_sops.yaml +++ b/tests/secrets_sops.yaml 
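Review bot: The private key added in `tests/age_key.txt` belongs to recipient `age1gxwmtw…wtpk`, which is the same recipient that the removed `pkg/universe.dagger.io/test_secrets.yaml` and the previous revision of `tests/secrets_sops.yaml` were encrypted to, and its header says it was created on 2021-05-26. Publishing it therefore makes every earlier ciphertext in git history readable, not only the values added here. The patch cannot show whether the underlying GitHub, Docker Hub, Netlify and AWS credentials were replaced, because changed ciphertext can also result from re-encrypting unchanged plaintext, so the old credentials should be confirmed revoked before this merges. A cleaner option is to generate a fresh age key pair for the public test secrets and keep the 2021 key private. A header line such as `# PUBLIC ON PURPOSE: protects test-only credentials, never encrypt anything else to this key` would also discourage reuse.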
@@ -1,8 +1,9 @@ -TestPAT: ENC[AES256_GCM,data:tLrYG8WCZah93gWkvltLzvxAhB1Tj7fmPZ/iZac8bjMo0+y74bq1qg==,iv:UD9s7flTy/FvW+NHg82l1xJruXldnSCRlRQpg5z7WO8=,tag:v35hzseqeY7V3P7J/hg28w==,type:str] -DOCKERHUB_TOKEN: ENC[AES256_GCM,data:ZWXFsmZI/uf5VT/1Se4lvON4AK349sXclWI+kZrzabj7447U,iv:eTj0xRSwMjUUrokpIr7UohC07cO69WAsxO/NZXSsmLw=,tag:PjHp/PnIDL/dx4cjESpJgQ==,type:str] +TestPAT: ENC[AES256_GCM,data:R6yLIJWAdXBiXtNewC9TNZoG92Stzebvc94XHaTjdg1H3iLkV9/J4w==,iv:TDIkf+YNFnqj1f9UFPcMfHblcpLT56cOlShpm5JaMkY=,tag:urFpg9cSg+7+nsf9DON1Fw==,type:str] +NETLIFY_TOKEN: ENC[AES256_GCM,data:AyLLlXC3FuAwHuQLM5RRhzwKIZyFkucKBABLXeWBYLnF9oaEfhn/xBRCbw==,iv:QyMGzxp4NY2jgFgj6ZEW7sGXQdPBWHPfRrs196EHnLg=,tag:/IJYM6C/g9iNcY+IQrUvbA==,type:str] +DOCKERHUB_TOKEN: ENC[AES256_GCM,data:oYROIHQZfR7c28aGvdDU3mURR/SBGhlbRsd84mNVAuxdy6S8,iv:RsVszAOxF19Z3i4HbWw4BKHCJdly8IT2gVOrQwE5Fgk=,tag:oks5BXxcU3UzoawzNkX7uw==,type:str] AWS: - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:jH9qw1DFauiOILteQJP4hbcAL/A=,iv:4WBQsGoQtApT7vUgIjopq4dC1KME9wQU1I7oj6KQy/E=,tag:WbSDp5rFEVgmqprY+RcBuw==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:oR+i0k/escdAGX0hUWTpGGQvbbiU4BWlb3983lpcA1tI1egTj6Nmpg==,iv:iXPaZvjg03htTPiOMER5+iLP2qzdOJTfnq7xSHbFTAs=,tag:fa66HZubWdceC864bjXoDQ==,type:str] + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:KahWpPHbl+rv1RGOJHfl+g76FgQ=,iv:iDAYBuCJ4xMKLf4dHM50hq7B22nVXRd/nxAynwgjlns=,tag:+aBqWay5U//pT5b3RSGYWw==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:mlEQJPJxsnaaXvB0L3SeNbAbY+rsKP4J01NzCvtQsyOMN35COXETDQ==,iv:NH5zhV5akMXcH+Gx/DvVHdOrl31kaIDwtyw1IF0gzHg=,tag:NL3uBHqHDFT80FqbflMVtw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -12,14 +13,14 @@ sops: - recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaUprdU9CUFpGdFRTazA5 - Wll2RzVjUlhvRUVDbU1aVVhKV204Wjg3azFVCmdhYXZFTEl2TGFPTk83cmxjK2hM - RVNGZHBoSDZmQ1RKL0Y3S0ZHMUxEd2MKLS0tIDJaZWdsYVVuUXJPVkVCVlNPQkVG - eUt4NEUyVXVaa1FBVWhoeEJSTVpiWnMKJXNDKz9mf7zmb1oJ9BXgkDDfz2QUg/fJ - Sx2jlW7s1TuiH8GeL4jxw5Euh0DFw6YZO9j05dcygJslZWtLopUHAQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTa2ZOR3U1YzRNNGhwMHZx + dG5yUFlyK2VMZGVaWkcxdzRwMk5oQjB1MVY4CnJKMTVONksvZHIrQkJIcWZpVXhK + aUR1N0dtazM1ODFzS01CVmlVeERKeUEKLS0tIHh4OEVtc1BMbU9MRXRoOGJQakhj + cjgrby94cDZ0SW51UFNjVmpjVFNCeE0K9/OH1T2xiNSu27uTE6fqyzZfAIzpSNdL + q/1B8YeDrRGg/jYYW53bLlwmcBzAK89JdE/RtFnLnqJ203mhrnpIWw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-02-18T17:21:55Z" - mac: ENC[AES256_GCM,data:50O/LO+8z+Dqm3wx8xaJGyL+nQ3KShQgDAYnV+GEjaacwBGhPSbwK5M/JxR98mq0PlikbHl0cv5CfUpvkShIuTdrz68QSsxn1KcVgiJeW5s8v2+0dJGEjOzy8ASnHm3uG0msB6cD00hrECc7htjaHCWk55cMlKliGUNNAh5Q28g=,iv:IujDY2mWrhfQNI1D40hev4yFNiqQSv8k4KN7kvpe7LQ=,tag:DfvoOkSxX1YIWPqAY31ifA==,type:str] + lastmodified: "2022-03-30T20:59:45Z" + mac: ENC[AES256_GCM,data:lfCIakVD8rd5PV38i9uz1z0btv/EQdlDbluxnZ+7fH9TDaKzLEgMhBrI/uOT8JImzVkgLB084nRPvfmIDQneAsE+lNakcWkUYHibxSjMr9fibaRnBSUFh3MfXf1zogKdIYjeoOdHyOAC7xus303ASJbebF45BiRVun+rjLIf1Pk=,iv:3K9RJzPymURK58zuHRil412rLmkQ4Mbz3B7zXW74aMw=,tag:haRsB73PQ9FPp1h265J3ew==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.7.1 + version: 3.7.2 diff --git a/tests/tasks/gitpull/private_repo.cue b/tests/tasks/gitpull/private_repo.cue index e64be887..605e5a40 100644 --- a/tests/tasks/gitpull/private_repo.cue +++ b/tests/tasks/gitpull/private_repo.cue @@ -24,7 +24,7 @@ dagger.#Plan & { } testRepo: core.#GitPull & { - remote: "https://github.com/dagger/dagger.git" + remote: "https://github.com/dagger/test.git" ref: "main" auth: { username: "dagger-test" 
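Review bot: With the decryption key now in the tree, the `TestPAT` used for `auth` against `https://github.com/dagger/test.git` is effectively a public credential, so what matters at this hunk is what the `dagger-test` account can reach. A classic GitHub personal access token with the `repo` scope grants read and write on every repository the account has access to, so the account should have access to nothing but the test repository, with read-only permission there. I would record that next to the remote, e.g. `// TestPAT is publicly decryptable: dagger-test must only have read access to dagger/test`. The `core.#GitPull` definition continues outside the hunk.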
From b84a273f45ed70c53986d28dcb3fc6f93f2ebf7a Mon Sep 17 00:00:00 2001 From: Marcos Lilljedahl Date: Wed, 30 Mar 2022 19:05:42 -0300 Subject: [PATCH 2/2] ci: Fix key copying Signed-off-by: Marcos Lilljedahl --- .github/workflows/test-universe.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-universe.yml b/.github/workflows/test-universe.yml index 4d1a0bd1..212a273d 100644 --- a/.github/workflows/test-universe.yml +++ b/.github/workflows/test-universe.yml @@ -51,7 +51,7 @@ jobs: - name: "Import Dagger private key" run: | mkdir -p ~/.config/sops/age - echo ./tests/age_key.txt ~/.config/sops/age/keys.txt + cp ./tests/age_key.txt ~/.config/sops/age/keys.txt - name: "Expose GitHub Runtime" uses: crazy-max/ghaction-github-runtime@v1