ci: remove git-crypt, switch to sops

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>

.gitattributes

@@ -1,3 +0,0 @@
-*.secret filter=git-crypt diff=git-crypt
-*.key filter=git-crypt diff=git-crypt
-*.secret.* filter=git-crypt diff=git-crypt

.github/workflows/ci.yml

@@ -14,26 +14,31 @@ jobs:
       - name: Check out
         uses: actions/checkout@v2
 
+      - name: Set up Go
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.16
+
       - name: Install Dependencies
         run: |
-          sudo apt-get update
+          # Cue
-          sudo apt-get install -y --no-install-recommends shellcheck git-crypt
-
           export CUE_VERSION="$(grep cue ./go.mod | cut -d' ' -f2)"
           export CUE_TARBALL="cue_${CUE_VERSION}_linux_amd64.tar.gz"
-
           echo "Installing cue version $CUE_VERSION"
-          curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sudo sh -s -- -b /usr/local/bin v1.23.8
-
           curl -L https://github.com/cuelang/cue/releases/download/${CUE_VERSION}/${CUE_TARBALL} | sudo tar zxf - -C /usr/local/bin
 
-      - name: Unlock secrets
+          # SOPS
+          sudo curl -L -o /usr/local/bin/sops https://github.com/mozilla/sops/releases/download/v3.6.1/sops-v3.6.1.linux
+          sudo chmod +x /usr/local/bin/sops
+
+          # golangci
+          curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sudo sh -s -- -b /usr/local/bin v1.23.8
+
+      - name: Import PGP private key
         env:
-          GIT_CRYPT_KEY: ${{ secrets.GIT_CRYPT_KEY }}
+          SOPS_PGP_KEY: ${{ secrets.SOPS_PGP_KEY }}
         run: |
-          echo "$GIT_CRYPT_KEY" | base64  -d > /tmp/git-crypt-key
+          echo "$SOPS_PGP_KEY" | base64 -d | gpg --import
-          git-crypt unlock /tmp/git-crypt-key
-          rm -f /tmp/git-crypt-key
 
       - name: Login to Docker Hub
         uses: docker/login-action@v1
@@ -41,12 +46,6 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Set up Go
-        uses: actions/setup-go@v1
-        with:
-          go-version: 1.16
-        id: go
-
       - name: Lint
         run: |
           make lint

tests/test-lib.sh

@@ -127,14 +127,18 @@ test::one(){
   return "$ret"
 }
 
+# Similar to test::one, however tests will be skipped if secrets cannot be decrypted
+test::secret(){
+  local inputFile="$1"
+  shift
+
+  if sops exec-file "$inputFile" echo  > /dev/null 2>&1; then
+    test::one "$@" --input-yaml "$inputFile"
+  else
+    logger::warning "Skip \"$1\": secrets not available"
+  fi
+}
+
 disable(){
   logger::warning "Test \"$2\" has been disabled."
 }
-
-secret(){
-  if [ -z "${DAGGER_SECRETS_LOADED+x}" ] || [ "$DAGGER_SECRETS_LOADED" != "1" ]; then
-    logger::warning "Skip \"$2\": secrets not available"
-  else
-    "$@"
-  fi
-}

tests/test.sh

@@ -6,11 +6,6 @@ readonly d=$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)
 # shellcheck source=/dev/null
 . "$d/test-lib.sh"
 
-# shellcheck source=/dev/null
-if grep -q "DAGGER_SECRETS" "$d/test.secret"; then
-    source "$d/test.secret"
-fi
-
 # Point this to your dagger binary
 readonly DAGGER_BINARY="${DAGGER_BINARY:-$d/../cmd/dagger/dagger}"
 # The default arguments are a no-op, but having "anything" is a little cheat necessary for "${DAGGER_BINARY_ARGS[@]}" to not be empty down there