refactor: handle ssh secrets as base64 encoded
@@ -26,6 +26,7 @@ web:
|
|||||||
- >
|
- >
|
||||||
if [ "$RELEASE_TYPE" == "staging" ]; then
|
if [ "$RELEASE_TYPE" == "staging" ]; then
|
||||||
# USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA!
|
# USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA!
|
||||||
|
# THUS $STAGING_TARGET_SSH_PRIVATE_KEY HAS TO BE BASE64 ENCODED
|
||||||
# USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY
|
# USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY
|
||||||
# example: $STAGING_SCP_TARGET = deployuser@staging.environment.com:/path/for/web/data
|
# example: $STAGING_SCP_TARGET = deployuser@staging.environment.com:/path/for/web/data
|
||||||
sh static/scripts/ssh_deploy.sh $STAGING_SCP_TARGET $STAGING_TARGET_SSH_PRIVATE_KEY
|
sh static/scripts/ssh_deploy.sh $STAGING_SCP_TARGET $STAGING_TARGET_SSH_PRIVATE_KEY
|
||||||
@@ -33,6 +34,7 @@ web:
|
|||||||
|
|
||||||
if [ "$RELEASE_TYPE" == "production" ]; then
|
if [ "$RELEASE_TYPE" == "production" ]; then
|
||||||
# USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA!
|
# USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA!
|
||||||
|
# THUS $PRODUCTION_TARGET_SSH_PRIVATE_KEY HAS TO BE BASE64 ENCODED
|
||||||
# USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY
|
# USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY
|
||||||
# example: $PRODUCTION_SCP_TARGET = deployuser@production.environment.com:/path/for/web/data
|
# example: $PRODUCTION_SCP_TARGET = deployuser@production.environment.com:/path/for/web/data
|
||||||
sh static/scripts/ssh_deploy.sh $PRODUCTION_SCP_TARGET $PRODUCTION_TARGET_SSH_PRIVATE_KEY
|
sh static/scripts/ssh_deploy.sh $PRODUCTION_SCP_TARGET $PRODUCTION_TARGET_SSH_PRIVATE_KEY
|
||||||
|
|||||||
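Review bot: The new comment `# THUS $STAGING_TARGET_SSH_PRIVATE_KEY HAS TO BE BASE64 ENCODED` should also state that the encoding must be a single line (`base64 -w 0`), because the value is expanded unquoted in `sh static/scripts/ssh_deploy.sh $STAGING_SCP_TARGET $STAGING_TARGET_SSH_PRIVATE_KEY`, so a line-wrapped base64 string would be word-split and only its first line would reach the script as `$2`. The same applies to the production block in the second hunk (`$PRODUCTION_TARGET_SSH_PRIVATE_KEY`). Quoting both arguments, `sh static/scripts/ssh_deploy.sh "$STAGING_SCP_TARGET" "$STAGING_TARGET_SSH_PRIVATE_KEY"`, would make the call robust to either form; that shell line is unchanged by this commit, which is why I only flag it here. As far as I recall, GitLab also refuses to mask multi-line variable values, so a wrapped encoding could additionally surface in the job log, which is one more reason to document the single-line form.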
@@ -13,38 +13,38 @@
|
|||||||
# Uncomment the line if you want fastlane to automatically update itself
|
# Uncomment the line if you want fastlane to automatically update itself
|
||||||
# update_fastlane
|
# update_fastlane
|
||||||
|
|
||||||
require 'json'
|
require 'json'
|
||||||
require 'base64'
|
require 'base64'
|
||||||
|
|
||||||
default_platform(:ios)
|
default_platform(:ios)
|
||||||
|
|
||||||
current_build_number = 1
|
current_build_number = 1
|
||||||
package_json = JSON.parse(File.read('../../../package.json'))
|
package_json = JSON.parse(File.read('../../../package.json'))
|
||||||
|
|
||||||
api_key = app_store_connect_api_key(
|
api_key = app_store_connect_api_key(
|
||||||
key_id: ENV['APPLE_API_KEY_ID'],
|
key_id: ENV['APPLE_API_KEY_ID'],
|
||||||
issuer_id: ENV['APPLE_API_KEY_ISSUER_ID'],
|
issuer_id: ENV['APPLE_API_KEY_ISSUER_ID'],
|
||||||
key_content: "#{Base64.decode64(ENV['APPLE_API_KEY_CONTENT'])}".gsub('\n', '\\n'),
|
key_content: "#{Base64.decode64(ENV['APPLE_API_KEY_CONTENT'])}".gsub('\n', '\\n'),
|
||||||
in_house: false
|
in_house: false
|
||||||
)
|
)
|
||||||
|
|
||||||
platform :ios do
|
platform :ios do
|
||||||
|
|
||||||
lane :fetch_highest_build_number do
|
lane :fetch_highest_build_number do
|
||||||
build_number_candidates = [1]
|
build_number_candidates = [1]
|
||||||
build_number_candidates << latest_testflight_build_number(
|
build_number_candidates << latest_testflight_build_number(
|
||||||
version: package_json['version'],
|
version: package_json['version'],
|
||||||
initial_build_number: 1,
|
initial_build_number: 1,
|
||||||
app_identifier: ENV['IOS_BUNDLE_IDENTIFIER'],
|
app_identifier: ENV['IOS_BUNDLE_IDENTIFIER'],
|
||||||
api_key: api_key
|
api_key: api_key
|
||||||
)
|
)
|
||||||
build_number_candidates << app_store_build_number(
|
build_number_candidates << app_store_build_number(
|
||||||
version: package_json['version'],
|
version: package_json['version'],
|
||||||
initial_build_number: 1,
|
initial_build_number: 1,
|
||||||
app_identifier: ENV['IOS_BUNDLE_IDENTIFIER'],
|
app_identifier: ENV['IOS_BUNDLE_IDENTIFIER'],
|
||||||
api_key: api_key
|
api_key: api_key
|
||||||
)
|
)
|
||||||
current_build_number = build_number_candidates.max
|
current_build_number = build_number_candidates.max
|
||||||
end
|
end
|
||||||
|
|
||||||
lane :configure do
|
lane :configure do
|
||||||
|
|||||||
@@ -1,12 +1,12 @@
|
|||||||
#!/usr/bin/env bash
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
SSH_DEPLOY_TARGET=$1
|
SSH_DEPLOY_TARGET=$1
|
||||||
SSH_DEPLOY_TARGET="${SSH_DEPLOY_TARGET:-"missingtarget"}"
|
SSH_DEPLOY_TARGET="${SSH_DEPLOY_TARGET:-'missingtarget'}"
|
||||||
|
|
||||||
SSH_PRIVATE_KEY=$2
|
SSH_PRIVATE_KEY=$2
|
||||||
SSH_PRIVATE_KEY="${SSH_PRIVATE_KEY:-"missingkey"}"
|
SSH_PRIVATE_KEY="${SSH_PRIVATE_KEY:-'missingkey'}"
|
||||||
|
|
||||||
GOTO_FAIL=false
|
GOTO_FAIL=false
|
||||||
|
|
||||||
@@ -24,28 +24,32 @@ if [ "$GOTO_FAIL" = true ]; then
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
IFS='@' read -ra TARGET_COMPONENTS <<< "$SSH_DEPLOY_TARGET"
|
|
||||||
|
|
||||||
SSH_DEPLOY_TARGET_USER="${TARGET_COMPONENTS[0]:-"missinguser"}"
|
TARGET_COMPONENTS=$(echo "$SSH_DEPLOY_TARGET" | tr '@' "\n")
|
||||||
|
TARGET_COMPONENTS=$(echo "$TARGET_COMPONENTS" | tr ':' "\n")
|
||||||
|
|
||||||
IFS=':' read -ra TARGET_COMPONENTS <<< "$TARGET_COMPONENTS"
|
SSH_DEPLOY_TARGET_USER=$(echo "$TARGET_COMPONENTS" | head -n 1 | tail -n 1)
|
||||||
|
SSH_DEPLOY_TARGET_HOST=$(echo "$TARGET_COMPONENTS" | head -n 2 | tail -n 1)
|
||||||
|
SSH_DEPLOY_TARGET_PATH=$(echo "$TARGET_COMPONENTS" | head -n 3 | tail -n 1)
|
||||||
|
|
||||||
SSH_DEPLOY_TARGET_HOST="${TARGET_COMPONENTS[0]:-"missinghost"}"
|
SSH_DEPLOY_TARGET_USER="${SSH_DEPLOY_TARGET_USER:-'missinguser'}"
|
||||||
SSH_DEPLOY_TARGET_PATH="${TARGET_COMPONENTS[1]:-"missingpath"}"
|
SSH_DEPLOY_TARGET_HOST="${SSH_DEPLOY_TARGET_HOST:-'missinghost'}"
|
||||||
|
SSH_DEPLOY_TARGET_PATH="${SSH_DEPLOY_TARGET_PATH:-'missingpath'}"
|
||||||
|
|
||||||
## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
|
## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
|
||||||
## We're using tr to fix line endings which makes ed25519 keys work
|
## We're using tr to fix line endings which makes ed25519 keys work
|
||||||
## without extra base64 encoding.
|
## without extra base64 encoding.
|
||||||
## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
|
## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
|
||||||
##
|
##
|
||||||
echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
|
mkdir -p ~/.ssh
|
||||||
|
chmod 700 ~/.ssh
|
||||||
|
eval `ssh-agent -s`
|
||||||
|
echo "$SSH_PRIVATE_KEY" | base64 -d | tr -d '\r' | ssh-add -
|
||||||
##
|
##
|
||||||
## Use ssh-keyscan to scan the keys of your private server. Replace gitlab.com
|
## Use ssh-keyscan to scan the keys of your private server. Replace gitlab.com
|
||||||
## with your own domain name. You can copy and repeat that command if you have
|
## with your own domain name. You can copy and repeat that command if you have
|
||||||
## more than one server to connect to.
|
## more than one server to connect to.
|
||||||
|
|
||||||
mkdir -p ~/.ssh
|
|
||||||
chmod 700 ~/.ssh
|
|
||||||
ssh-keyscan $SSH_DEPLOY_TARGET_HOST >> ~/.ssh/known_hosts
|
ssh-keyscan $SSH_DEPLOY_TARGET_HOST >> ~/.ssh/known_hosts
|
||||||
chmod 644 ~/.ssh/known_hosts
|
chmod 644 ~/.ssh/known_hosts
|
||||||
|
|
||||||
|
|||||||
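Review bot: The agent launched by the new `eval \`ssh-agent -s\`` line is never stopped, so the decoded private key stays loaded in a background process that outlives this script; add `trap 'ssh-agent -k >/dev/null' EXIT` right after that line so the key is discarded when the deploy finishes, whether it succeeds or `set -e` aborts it. The fallback defaults also changed meaning: in `"${SSH_DEPLOY_TARGET_USER:-'missinguser'}"` bash keeps the single quotes literally (dash does too, as far as I recall), so a missing component now becomes `'missinguser'` including the quotes and a check against the bare word elsewhere (the GOTO_FAIL logic is outside this hunk) will no longer match; the same applies to `missinghost` and `missingpath` here and to `missingtarget` and `missingkey` in the first hunk, and the fix is to drop the inner quotes, e.g. `"${SSH_DEPLOY_TARGET_USER:-missinguser}"`. The comment block above `ssh-add` still says the key works "without extra base64 encoding", which the new `base64 -d` stage contradicts; reword it to say the variable must hold the base64-encoded key and that `tr -d '\r'` only strips carriage returns after decoding. Finally, the `tr ':' "\n"` split keeps only the first path segment, so a target path containing a colon is silently truncated, which is worth stating in the usage comment or rejecting explicitly.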