From 87d576e936e234d0429ad753267a2760c5dfd314 Mon Sep 17 00:00:00 2001
From: Andrea Luzzardi
Date: Thu, 18 Mar 2021 15:30:00 -0700
Subject: [PATCH] ci: remove git-crypt, switch to sops
Signed-off-by: Andrea Luzzardi
---
 .gitattributes | 3 ---
 .github/workflows/ci.yml | 33 ++++++++++++++++-----------------
 tests/test-lib.sh | 20 ++++++++++++--------
 tests/test.secret | Bin 180 -> 0 bytes
 tests/test.sh | 5 -----
 5 files changed, 28 insertions(+), 33 deletions(-)
 delete mode 100644 .gitattributes
 delete mode 100644 tests/test.secret
diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index 00b39fdf..00000000
--- a/.gitattributes
+++ /dev/null
@@ -1,3 +0,0 @@
-*.secret filter=git-crypt diff=git-crypt
-*.key filter=git-crypt diff=git-crypt
-*.secret.* filter=git-crypt diff=git-crypt
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8b6209f9..47ec8853 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,26 +14,31 @@ jobs: - name: Check out uses: actions/checkout@v2 + - name: Set up Go + uses: actions/setup-go@v1 + with: + go-version: 1.16 + - name: Install Dependencies run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends shellcheck git-crypt - + # Cue export CUE_VERSION="$(grep cue ./go.mod | cut -d' ' -f2)" export CUE_TARBALL="cue_${CUE_VERSION}_linux_amd64.tar.gz" - echo "Installing cue version $CUE_VERSION" - curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sudo sh -s -- -b /usr/local/bin v1.23.8 - curl -L https://github.com/cuelang/cue/releases/download/${CUE_VERSION}/${CUE_TARBALL} | sudo tar zxf - -C /usr/local/bin - - name: Unlock secrets + # SOPS + sudo curl -L -o /usr/local/bin/sops https://github.com/mozilla/sops/releases/download/v3.6.1/sops-v3.6.1.linux + sudo chmod +x /usr/local/bin/sops + + # golangci + curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sudo sh -s -- -b /usr/local/bin v1.23.8 + + - name: Import PGP private key env: - GIT_CRYPT_KEY: ${{ secrets.GIT_CRYPT_KEY }} + SOPS_PGP_KEY: ${{ secrets.SOPS_PGP_KEY }} run: | - echo "$GIT_CRYPT_KEY" | base64 -d > /tmp/git-crypt-key - git-crypt unlock /tmp/git-crypt-key - rm -f /tmp/git-crypt-key + echo "$SOPS_PGP_KEY" | base64 -d | gpg --import - name: Login to Docker Hub uses: docker/login-action@v1 @@ -41,12 +46,6 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Set up Go - uses: actions/setup-go@v1 - with: - go-version: 1.16 - id: go - - name: Lint run: | make lint diff --git a/tests/test-lib.sh b/tests/test-lib.sh index 242ee92f..4b2858d3 100644 --- a/tests/test-lib.sh +++ b/tests/test-lib.sh 
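Review bot: The SOPS binary in the "Install Dependencies" step (first ci.yml hunk) is downloaded with `curl -L` straight into /usr/local/bin as root and made executable without any integrity check, and it is the tool that will later work with the imported PGP private key. Without `-f`, an HTTP error body would also be saved as the binary. I would pin a digest next to the pinned version and verify it before `chmod +x`, e.g. `sudo curl -fsSL -o /usr/local/bin/sops <same URL>` followed by `echo "<PINNED_SHA256>  /usr/local/bin/sops" | sha256sum -c -` (the digest is a placeholder to be taken from the release). The golangci-lint installer re-added a few lines below is still piped from the network into `sudo sh`, which has the same weakness. Separately, if this workflow runs for pull requests from forks, `SOPS_PGP_KEY` will be empty and `gpg --import` will probably fail the job, although test::secret in tests/test-lib.sh is written to skip in that case; wrapping the import in `if [ -n "$SOPS_PGP_KEY" ]; then … fi` would match it.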
@@ -127,14 +127,18 @@ test::one(){ return "$ret" } +# Similar to test::one, however tests will be skipped if secrets cannot be decrypted +test::secret(){ + local inputFile="$1" + shift + + if sops exec-file "$inputFile" echo > /dev/null 2>&1; then + test::one "$@" --input-yaml "$inputFile" + else + logger::warning "Skip \"$1\": secrets not available" + fi +} + disable(){ logger::warning "Test \"$2\" has been disabled." } - -secret(){ - if [ -z "${DAGGER_SECRETS_LOADED+x}" ] || [ "$DAGGER_SECRETS_LOADED" != "1" ]; then - logger::warning "Skip \"$2\": secrets not available" - else - "$@" - fi -} diff --git a/tests/test.secret b/tests/test.secret deleted file mode 100644 index 17fca195f17246dd8f381df91f654732acec338b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 180 zcmV;l089S>M@dveQdv+`0GxRSOxqk5CacMR0T!thl(xM8)xHoI;3{)s15PM_aXu>y z-PVWw{k^E}KEw$XiZ6eWD`ZHvLrptVfaP8Rj#?)qp+OHt%paz*CBoD-5fIDCA)#hk z40KSpz6c=uRZ34@j>irNKio3gW(y7io4f3enhieHvHeHfGN0K_U#E/dev/null 1>&2 && pwd) # shellcheck source=/dev/null . "$d/test-lib.sh" -# shellcheck source=/dev/null -if grep -q "DAGGER_SECRETS" "$d/test.secret"; then - source "$d/test.secret" -fi - # Point this to your dagger binary readonly DAGGER_BINARY="${DAGGER_BINARY:-$d/../cmd/dagger/dagger}" # The default arguments are a no-op, but having "anything" is a little cheat necessary for "${DAGGER_BINARY_ARGS[@]}" to not be empty down there
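Review bot: test::secret in the tests/test-lib.sh hunk treats every failure of the `sops exec-file "$inputFile" echo` probe as "secrets not available", because stdout and stderr both go to /dev/null and the else branch only logs a warning. A missing sops binary, a wrong path in `$inputFile` or a failed key import in CI would therefore skip the secret-backed tests while the run still reports success. I would keep sops' stderr in the log (drop `2>&1`) and add a strict switch that trusted CI runs set, for example `[ -z "${REQUIRE_SECRETS:-}" ] || return 1` at the end of the else branch (the variable name is only a suggestion). The header comment could also say that the probe decrypts the file once solely to test key availability and that `$1` in the warning is the first argument left after `shift`.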