Unverified Commit 83b83523 authored by Jonathan Crall

Attempt to fix credentials

parent b3e4789a
Pipeline #248224 passed with stages
in 5 minutes and 45 seconds
export VARNAME_CI_SECRET="CI_KITWARE_SECRET"
export GPG_IDENTIFIER="=Erotemic-CI <erotemic@gmail.com>"
__doc__='
============================
SETUP CI SECRET INSTRUCTIONS
============================
The original template file should be:
~/misc/templates/PYPKG/dev/setup_secrets.sh
Development script for updating secrets when they rotate
=========================
GITHUB ACTION INSTRUCTIONS
=========================
* `PERSONAL_GITHUB_PUSH_TOKEN` -
This is only needed if you want to automatically git-tag release branches.
To make a API token go to:
https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
=========================
GITLAB ACTION INSTRUCTIONS
=========================
```bash
cat .setup_secrets.sh | \
sed "s|utils|<YOUR-GROUP>|g" | \
sed "s|PYPKG|<YOUR-REPO>|g" | \
sed "s|travis-ci-Erotemic|<YOUR-GPG-ID>|g" | \
sed "s|CI_SECRET|<YOUR_CI_SECRET>|g" | \
sed "s|GITLAB_ORG_PUSH_TOKEN|<YOUR_GIT_ORG_PUSH_TOKEN>|g" | \
sed "s|gitlab.org.com|gitlab.your-instance.com|g" | \
tee /tmp/repl && colordiff .setup_secrets.sh /tmp/repl
```
* Make sure you add Runners to your project
https://gitlab.org.com/utils/PYPKG/-/settings/ci_cd
in Runners-> Shared Runners
and Runners-> Available specific runners
* Ensure that you are auto-cancel redundant pipelines.
Navigate to https://gitlab.kitware.com/utils/PYPKGS/-/settings/ci_cd and ensure "Auto-cancel redundant pipelines" is checked.
More details are here https://docs.gitlab.com/ee/ci/pipelines/settings.html#auto-cancel-redundant-pipelines
* TWINE_USERNAME - this is your pypi username
twine info is only needed if you want to automatically publish to pypi
* TWINE_PASSWORD - this is your pypi password
* CI_SECRET - We will use this as a secret key to encrypt/decrypt gpg secrets
This is only needed if you want to automatically sign published
wheels with a gpg key.
* GITLAB_ORG_PUSH_TOKEN -
This is only needed if you want to automatically git-tag release branches.
Create a new personal access token in User->Settings->Tokens,
You can name the token GITLAB_ORG_PUSH_TOKEN_VALUE
Give it api and write repository permissions
SeeAlso: https://gitlab.org.com/profile/personal_access_tokens
Take this variable and record its value somewhere safe. I put it in my secrets file as such:
export GITLAB_ORG_PUSH_TOKEN_VALUE=<paste-the-value-here>
I also create another variable with the prefix "git-push-token", which is necessary
export GITLAB_ORG_PUSH_TOKEN=git-push-token:$GITLAB_ORG_PUSH_TOKEN_VALUE
Then add this as a secret variable here: https://gitlab.org.com/groups/utils/-/settings/ci_cd
Note the value of GITLAB_ORG_PUSH_TOKEN will look something like: "{token-name}:{token-password}"
For instance it may look like this: "git-push-token:62zutpzqga6tvrhklkdjqm"
References:
https://stackoverflow.com/questions/51465858/how-do-you-push-to-a-gitlab-repo-using-a-gitlab-ci-job
# ADD RELEVANT VARIABLES TO GITLAB SECRET VARIABLES
# https://gitlab.kitware.com/computer-vision/kwcoco/-/settings/ci_cd
# Note that it is important to make sure that these variables are
# only decrpyted on protected branches by selecting the protected
# and masked option. Also make sure you have master and release
# branches protected.
# https://gitlab.kitware.com/computer-vision/kwcoco/-/settings/repository#js-protected-branches-settings
'
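Review bot: The sed template in the GITLAB ACTION INSTRUCTIONS block no longer matches this file, so following it leaves a half-converted script. `s|CI_SECRET|<YOUR_CI_SECRET>|g` also rewrites the substring inside `VARNAME_CI_SECRET` and the `CI_SECRET=` shell variable; `s|travis-ci-Erotemic|...|` matches nothing now that the identity is "=Erotemic-CI <erotemic@gmail.com>"; and `s|gitlab.org.com|...|` skips the gitlab.kitware.com URLs used further down. Anchor the patterns to whole names or replace the pipeline with a short list of variables to edit by hand. The example value "git-push-token:62zutpzqga6tvrhklkdjqm" reads like a real token; an obvious placeholder such as "git-push-token:<token-value>" would avoid secret-scanner hits. The docstring also has "decrpyted" for "decrypted", and the auto-cancel URL says PYPKGS where the others say PYPKG.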
setup_package_environs(){
__doc__="
Setup environment variables specific for this project. The remainder of
this script should ideally be general to any repo.
"
#REPO_DPATH=$HOME/code/xdoctest
REPO_DPATH=$HOME/code/kwcoco
VARNAME_CI_SECRET="CI_KITWARE_SECRET"
GPG_IDENTIFIER="=Erotemic-CI <erotemic@gmail.com>"
#VARNAME_TWINE_USERNAME="TWINE_USERNAME"
#VARNAME_TWINE_PASSWORD="TWINE_PASSWORD"
#TWINE_USERNAME_VARNAME="PYUTILS_TWINE_USERNAME"
#TWINE_PASSWORD_VARNAME="PYUTILS_TWINE_USERNAME"
#CI_SECRET_VARNAME="EROTEMIC_CI_SECRET"
}
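Review bot: VARNAME_CI_SECRET and GPG_IDENTIFIER are assigned here with the same values that are already exported at the top of the file, so there are two places to update when either changes. Keep one definition, preferably this function, and drop the top-level exports. The commented-out `#TWINE_PASSWORD_VARNAME="PYUTILS_TWINE_USERNAME"` points the password at the username variable and should be fixed or deleted before someone uncomments it.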
export_encrypted_code_signing_keys(){
setup_package_environs
cd $REPO_DPATH
# Load or generate secrets
load_secrets
CI_SECRET="${!VARNAME_CI_SECRET}"
echo "CI_SECRET = $CI_SECRET"
# ADD RELEVANT VARIABLES TO THE CI SECRET VARIABLES
# HOW TO ENCRYPT YOUR SECRET GPG KEY
# You need to have a known public gpg key for this to make any sense
MAIN_GPG_KEYID=$(gpg --list-keys --keyid-format LONG "$GPG_IDENTIFIER" | head -n 2 | tail -n 1 | awk '{print $1}')
GPG_SIGN_SUBKEY=$(gpg --list-keys --with-subkey-fingerprints "$GPG_IDENTIFIER" | grep "\[S\]" -A 1 | tail -n 1 | awk '{print $1}')
echo "MAIN_GPG_KEYID = $MAIN_GPG_KEYID"
echo "GPG_SIGN_SUBKEY = $GPG_SIGN_SUBKEY"
# Only export the signing secret subkey
# Export plaintext gpg public keys, private sign key, and trust info
mkdir -p dev
gpg --armor --export-options export-backup --export-secret-subkeys "${GPG_SIGN_SUBKEY}!" > dev/ci_secret_gpg_subkeys.pgp
gpg --armor --export ${GPG_SIGN_SUBKEY} > dev/ci_public_gpg_key.pgp
gpg --export-ownertrust > dev/gpg_owner_trust
# Encrypt gpg keys and trust with CI secret
GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -e -a -in dev/ci_public_gpg_key.pgp > dev/ci_public_gpg_key.pgp.enc
GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -e -a -in dev/ci_secret_gpg_subkeys.pgp > dev/ci_secret_gpg_subkeys.pgp.enc
GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -e -a -in dev/gpg_owner_trust > dev/gpg_owner_trust.enc
echo $MAIN_GPG_KEYID > dev/public_gpg_key
# Test decrpyt
GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_public_gpg_key.pgp.enc | gpg --list-packets --verbose
GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_secret_gpg_subkeys.pgp.enc | gpg --list-packets --verbose
GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/gpg_owner_trust.enc | gpg --list-packets --verbose
cat dev/public_gpg_key
unload_secrets
# Look at what we did, clean up, and add it to git
ls dev/*.enc
rm dev/*.pgp
rm dev/gpg_owner_trust
git status
git add dev/*.enc
git add dev/gpg_owner_trust
git add dev/public_gpg_key
}
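Review bot: `echo "CI_SECRET = $CI_SECRET"` near the top of export_encrypted_code_signing_keys prints the passphrase protecting every committed .enc file to the terminal and to any captured log or scrollback; drop it, or print only whether the variable is non-empty. In the cleanup at the end, `rm dev/gpg_owner_trust` is followed by `git add dev/gpg_owner_trust`, which fails on the path just deleted; the encrypted copy is already staged by the `dev/*.enc` glob, so the second command can go. Two smaller points: the test decrypt of dev/gpg_owner_trust.enc is piped into gpg --list-packets, but ownertrust export is a plain text list rather than OpenPGP packets, so that line does not validate anything; and the cd into $REPO_DPATH is unquoted and unchecked, so if it fails the plaintext secret subkey is exported into a dev/ directory under whatever the current directory happens to be. The functions load_secrets and unload_secrets are called but not defined in the visible part of this script, and the header should say where they come from.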
_test_gnu(){
export GNUPGHOME=$(mktemp -d -t)
ls -al $GNUPGHOME
chmod 700 -R $GNUPGHOME
gpg -k
load_secrets
CI_SECRET="${!VARNAME_CI_SECRET}"
echo "CI_SECRET = $CI_SECRET"
cat dev/public_gpg_key
GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_public_gpg_key.pgp.enc
GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_secret_gpg_subkeys.pgp.enc
GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_public_gpg_key.pgp.enc | gpg --import
GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_secret_gpg_subkeys.pgp.enc | gpg --import
gpg -k
}
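Review bot: The first two openssl lines in _test_gnu decrypt to stdout with no pipe, so the second one writes the armored secret signing subkey from dev/ci_secret_gpg_subkeys.pgp.enc straight to the terminal, and `echo "CI_SECRET = $CI_SECRET"` prints the passphrase as well. The two piped `gpg --import` lines already prove that decryption works, so the unpiped pair and the echo can be removed. `export GNUPGHOME=$(mktemp -d -t)` is unquoted, leaks the override into the calling shell when the file is sourced, and the temporary keyring holding the imported secret key is never deleted; a local variable plus a cleanup trap would contain it. load_secrets is called here without a matching unload_secrets, unlike in export_encrypted_code_signing_keys.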