From f78bb33ba9738742cd5129d494514080939140c9 Mon Sep 17 00:00:00 2001 From: Daniel Moran <danxmoran@gmail.com> Date: Wed, 13 Jan 2021 09:39:05 -0800 Subject: [PATCH] build: add guards against using secrets in forked PR builds (#20506) --- .circleci/config.yml | 67 ++++++++++++++++++++++++++++++-------------- 1 file changed, 46 insertions(+), 21 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index b97605e632..ef4b3abfcf 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -38,20 +38,23 @@ workflows: - grace_daily: requires: - build + filters: + branches: + # Forked pull requests have CIRCLE_BRANCH set to pull/XXX + ignore: /pull\/[0-9]+/ - litmus_daily: requires: - build filters: branches: - only: - - /^(?!pull\/).*$/ + # Forked pull requests have CIRCLE_BRANCH set to pull/XXX + ignore: /pull\/[0-9]+/ - litmus_integration: requires: - build filters: branches: - only: - - master + only: master hourly-e2e: triggers: @@ -125,6 +128,20 @@ orbs: browser-tools: circleci/browser-tools@1.1 commands: + # Log into quay.io, with a pre-check to ensure we aren't running from a forked PR. + quay_login: + steps: + - run: + name: Ensure not running from a fork + command: | + if [ -n "$CIRCLE_PR_NUMBER" ]; then + echo 'Error: build from fork detected, exiting!' + exit 1 + fi + - run: + name: Log into Quay + command: docker login -u "$QUAY_USER" -p $QUAY_PASS quay.io + # Install system dependencies needed to run a native build of influxd install_core_deps: steps: 
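Review bot: The new `quay_login` command still passes the registry password on the docker command line (`docker login -u "$QUAY_USER" -p $QUAY_PASS quay.io`), where it is visible to any other process on the runner via the process table, and `$QUAY_PASS` is unquoted so a password containing whitespace or glob characters would be split by the shell. Feed it over stdin instead: `command: echo "$QUAY_PASS" | docker login -u "$QUAY_USER" --password-stdin quay.io`. The fork pre-check keys on `CIRCLE_PR_NUMBER`; as I read CircleCI's documentation that variable is only populated for forked pull requests, so it is a reasonable signal, but it is defense in depth rather than the primary control, which is the project setting that withholds secrets from forked builds. A comment on the step making that explicit would help the next maintainer, e.g. `# Defense in depth: keep the project setting "pass secrets to builds from forked PRs" disabled.`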
@@ -150,6 +167,24 @@ commands: publish_release: type: boolean steps: + - when: + condition: << parameters.publish_release >> + steps: + - run: + name: Ensure not running from a fork + command: | + if [ -n "$CIRCLE_PR_NUMBER" ]; then + echo 'Error: release from fork detected, exiting!' + exit 1 + fi + - run: + name: Import GPG key + command: | + echo -e "$GPG_PRIVATE_KEY" > private.key + gpg --batch --import private.key + - run: + name: Log into Quay + command: docker login -u "$QUAY_USER" -p $QUAY_PASS quay.io - run: name: Set GOPATH # Machine executors use a different GOPATH from the cimg/go Docker executors. @@ -212,11 +247,6 @@ commands: llvm-dev \ lzma-dev \ zlib1g-dev - - run: - name: Import GPG key - command: | - echo -e "$GPG_PRIVATE_KEY" > private.key - gpg --batch --import private.key - run: name: Install cross-compilers environment: @@ -276,7 +306,7 @@ commands: name: Build release # `goreleaser release --skip-publish` builds Docker images, but doesn't push them. # As opposed to `goreleaser build`, which stops before building Dockers. - command: goreleaser --debug release --skip-publish -p 1 --rm-dist --skip-validate + command: goreleaser --debug release --skip-publish --skip-sign -p 1 --rm-dist --skip-validate - when: condition: << parameters.publish_release >> steps: @@ -594,9 +624,6 @@ jobs: name: Restore Yarn Cache keys: - yarn-deps-lock-{{ checksum "ui/yarn.lock" }} - - run: - name: Docker Login - command: docker login -u "$QUAY_USER" -p $QUAY_PASS quay.io - install_core_deps - run_goreleaser: publish_release: false @@ -628,9 +655,7 @@ jobs: name: Restore Yarn Cache keys: - yarn-deps-lock-{{ checksum "ui/yarn.lock" }} - - run: - name: Docker Login - command: docker login -u "$QUAY_USER" -p $QUAY_PASS quay.io + - quay_login - install_core_deps - run_goreleaser: publish_release: true 
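Review bot: The `Import GPG key` step in the new `when` block writes the release signing key to `private.key` in the working directory and never removes it, so the key stays on disk for the rest of the job and for anything that later persists or archives `~/project` (not visible in this hunk). Import it from a pipe instead, `command: printf '%b' "$GPG_PRIVATE_KEY" | gpg --batch --import`, or at minimum `shred -u private.key` immediately after the import. The `Log into Quay` step here duplicates the `quay_login` command this patch defines a few hunks earlier; replacing it with `- quay_login` keeps the fork check and the login in one place. The body of the `run_goreleaser` command continues outside the hunk.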
@@ -683,7 +708,7 @@ jobs: steps: - attach_workspace: at: ~/project - - run: docker login -u=$QUAY_USER -p=$QUAY_PASS quay.io + - quay_login - run: docker run --entrypoint "./run_litmus_tests_oss.sh" -e ONE_TEST=src/cloud/rest_api/smoke/test_smoke.py -e BINARYPATH=/Litmus/result/bin/linux/influxd -e BOLTPATH=/Litmus/result/influxd_test/influxd.bolt -e ENGINEPATH=/Litmus/result/influxd_test --net host -v /var/run/docker.sock:/var/run/docker.sock -v ~/project:/Litmus/result quay.io/influxdb/litmus:latest - run: name: Litmus Smoke Tests Success @@ -705,7 +730,7 @@ jobs: steps: - attach_workspace: at: ~/project - - run: docker login -u=$QUAY_USER -p=$QUAY_PASS quay.io + - quay_login - run: docker run --entrypoint "./run_litmus_tests_oss.sh" -e TEST_LIST=tests_lists/gateway_api_tests.list -e INFLUXPATH=/Litmus/result/bin/linux/influx -e BINARYPATH=/Litmus/result/bin/linux/influxd -e BOLTPATH=/tmp/influxd_test/influxd.bolt -e ENGINEPATH=/tmp/influxd_test --net host -v /var/run/docker.sock:/var/run/docker.sock -v ~/project:/Litmus/result quay.io/influxdb/litmus:latest - run: name: Litmus Integration Tests Success @@ -726,7 +751,7 @@ jobs: steps: - attach_workspace: at: ~/project - - run: docker login -u=$QUAY_USER -p=$QUAY_PASS quay.io + - quay_login - run: docker run --entrypoint "./run_litmus_tests_oss.sh" -e TEST_LIST=tests_lists/gateway_api_tests.list -e DOCKERIMAGE=true --net host -v /var/run/docker.sock:/var/run/docker.sock -v ~/project:/Litmus/result quay.io/influxdb/litmus:latest - run: name: Litmus Nightly Tests Success @@ -747,7 +772,7 @@ jobs: steps: - attach_workspace: at: ~/project - - run: docker login -u=$QUAY_USER -p=$QUAY_PASS quay.io + - quay_login - run: docker run --net host -v /var/run/docker.sock:/var/run/docker.sock -e TEST_RESULTS=~/project quay.io/influxdb/grace:latest - store_artifacts: path: ~/project 
@@ -759,7 +784,7 @@ jobs: steps: - attach_workspace: at: ~/project - - run: docker login -u=$QUAY_USER -p=$QUAY_PASS quay.io + - quay_login - run: command: ./bin/linux/influxd --store=memory --log-level=debug background: true