From f5fdc70e84fbf826bc5775fb23418b916be10f93 Mon Sep 17 00:00:00 2001
From: Matthieu Gautier
Date: Wed, 11 Jul 2018 15:13:50 +0200
Subject: [PATCH 1/2] Revert "Try to decrypt the secret key only if we will do a deployement."

`travis/compile_all.py` may need the secret key to upload dependencies cache to our server. So, just decrypt the key before the upload is not good enough (and breaks PR building new version of base dependencies) This reverts commit 74efad49e2e3bd3f767a2faf0a913d1944ba12de.
---
 .travis.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 3a5c60c..ecd641b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,6 +13,9 @@ if: type != push OR tag IS present
 before_install:
 - PATH=$PATH:${HOME}/bin
 - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then PATH=$PATH:$(brew --prefix)/opt/gettext/bin; fi
+- openssl aes-256-cbc -K $encrypted_eba2f7543984_key -iv $encrypted_eba2f7543984_iv
+ -in travis/travisci_builder_id_key.enc -out travis/travisci_builder_id_key -d
+- chmod 600 travis/travisci_builder_id_key
 before_cache:
 - rm -f $HOME/.gradle/caches/modules-2/modules-2.lock
 - rm -fr $HOME/.gradle/caches/*/plugin-resolution/
@@ -34,10 +37,6 @@ script:
 travis/compile_all.py
 fi
 after_failure: travis/upload_all_log.sh
-before_deploy:
-- openssl aes-256-cbc -K $encrypted_eba2f7543984_key -iv $encrypted_eba2f7543984_iv
- -in travis/travisci_builder_id_key.enc -out travis/travisci_builder_id_key -d
-- chmod 600 travis/travisci_builder_id_key
 deploy:
 - provider: script
 skip_cleanup: true
From cd0d075def384fc8b48e92348278607955d114f2 Mon Sep 17 00:00:00 2001
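Review bot: In the first `.travis.yml` hunk of patch 1/2 (`@@ -13,6 +13,9 @@`), decrypting in `before_install` leaves the plaintext `travis/travisci_builder_id_key` in the checkout for the whole job, including the `script` phase, instead of only around the deploy step. The commit message accepts that trade-off so `travis/compile_all.py` can upload the dependency cache, but it deserves a comment above the command, e.g. `# needed by travis/compile_all.py for the dependency-cache upload, not only by deploy`. Because the key now lives as long as the job does, the account behind it should presumably be limited to the upload directories. The two expansions would also be better quoted, as `-K "$encrypted_eba2f7543984_key" -iv "$encrypted_eba2f7543984_iv"`.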
From: Matthieu Gautier
Date: Wed, 11 Jul 2018 15:27:12 +0200
Subject: [PATCH 2/2] Do not try to decrypt the ssh_key if we cannot.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If we are building a PR comming from a fork, the secret key will not be available and we cannot decrypt the ssh key. And if the ssh key cannot be decrypted, we should not try to use it to upload base dependencies. `cron` and deployement are made only on "secured environment" so we don't need to test for existance of the key because we are sure that we have been able to decrypt it.
---
 .travis.yml | 5 +++--
 travis/compile_all.py | 16 +++++++++-------
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index ecd641b..47a79fe 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,8 +13,9 @@ if: type != push OR tag IS present
 before_install:
 - PATH=$PATH:${HOME}/bin
 - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then PATH=$PATH:$(brew --prefix)/opt/gettext/bin; fi
-- openssl aes-256-cbc -K $encrypted_eba2f7543984_key -iv $encrypted_eba2f7543984_iv
- -in travis/travisci_builder_id_key.enc -out travis/travisci_builder_id_key -d
+- '[ -n "$encrypted_eba2f7543984_iv" ] && openssl aes-256-cbc
+ -K $encrypted_eba2f7543984_key -iv $encrypted_eba2f7543984_iv
+ -in travis/travisci_builder_id_key.enc -out travis/travisci_builder_id_key -d'
 - chmod 600 travis/travisci_builder_id_key
 before_cache:
 - rm -f $HOME/.gradle/caches/modules-2/modules-2.lock
diff --git a/travis/compile_all.py b/travis/compile_all.py
index d332044..40c72dd 100755
--- a/travis/compile_all.py
+++ b/travis/compile_all.py
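Review bot: In the `.travis.yml` hunk of patch 2/2 (`@@ -13,8 +13,9 @@`), the new guard `[ -n "$encrypted_eba2f7543984_iv" ] && openssl …` itself exits non-zero when the variable is empty, and the unchanged `- chmod 600 travis/travisci_builder_id_key` after it still runs against a file that was never written. Travis treats a failing `before_install` command as a build error, so the fork-PR case this commit targets likely still stops here. Putting both steps under one conditional avoids that: `- if [ -n "$encrypted_eba2f7543984_iv" ]; then openssl aes-256-cbc -K "$encrypted_eba2f7543984_key" -iv "$encrypted_eba2f7543984_iv" -in travis/travisci_builder_id_key.enc -out travis/travisci_builder_id_key -d && chmod 600 travis/travisci_builder_id_key; fi`. Testing `$encrypted_eba2f7543984_key` as well as the IV would make the guard match what the command actually needs.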
@@ -32,7 +32,10 @@ NIGHTLY_ZIM_ARCHIVES_DIR = HOME/'NIGHTLY_ZIM_ARCHIVES'/NIGHTLY_DATE
 RELEASE_ZIM_ARCHIVES_DIR = HOME/'RELEASE_ZIM_ARCHIVES'
 DIST_KIWIX_ARCHIVES_DIR = HOME/'DIST_KIWIX_ARCHIVES'
 DIST_ZIM_ARCHIVES_DIR = HOME/'DIST_ZIM_ARCHIVES'
-SSH_KEY = environ.get('TRAVISCI_SSH_KEY', Path(environ['TRAVIS_BUILD_DIR'])/'travis'/'travisci_builder_id_key')
+if 'TRAVISCI_SSH_KEY' in environ:
+ SSH_KEY = Path(environ['TRAVISCI_SSH_KEY'])
+else:
+ SSH_KEY = Path(environ['TRAVIS_BUILD_DIR'])/'travis'/'travisci_builder_id_key'
 # We have build everything. Now create archives for public deployement.
 BINARIES = {
@@ -225,12 +228,11 @@ try:
 except URLError:
 print_message("Cannot get archive. Build dependencies")
 run_kiwix_build('alldependencies', platform=PLATFORM)
- archive = make_deps_archive('alldependencies', full=True)
- destination = 'nightlybot@download.kiwix.org:/var/www/tmp.kiwix.org/ci/{}'
- destination = destination.format(base_dep_archive_name)
- scp(archive, destination)
-
-
+ if SSH_KEY.exists():
+ archive = make_deps_archive('alldependencies', full=True)
+ destination = 'nightlybot@download.kiwix.org:/var/www/tmp.kiwix.org/ci/{}'
+ destination = destination.format(base_dep_archive_name)
+ scp(archive, destination)
 # A basic compilation to be sure everything is working (for a PR)
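Review bot: In the second `travis/compile_all.py` hunk (`@@ -225,12 +228,11 @@`), `if SSH_KEY.exists():` skips the dependency-archive upload without any output, so a job that lost its key looks the same in the log as one that uploaded; an `else:` branch with `print_message("No ssh key available, dependencies archive not uploaded")` would make the skip visible. `exists()` is also true for a directory or for an empty file left behind by a failed decryption, so `SSH_KEY.is_file()` is a slightly tighter test, though only the `scp` call itself shows the key is usable. The first hunk (`@@ -32,7 +32,10 @@`) turns `SSH_KEY` into a `Path` to support this call, and a comment there such as `# Path, so callers can test whether the key was decrypted (it is absent on fork PRs)` would record why. The `try:` that this `except URLError:` belongs to starts outside the hunk.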