[buildkite] Fix env leakage of signed tokens (JuliaLang#42526)

After a few days of debugging, the buildkite people figured out that the reason our "unprivileged" jobs were getting privileges was because of an obscure behavior of top-level `env:` blocks. To fix it, we should always scope our `env:` mappings to a particular step, and so that's exactly what this does. We also add a `.gitignore` mapping for the new, more convenient way that `cryptic` likes to store keys in the repository.
LilithHafner · Mar 8, 2022 · a1800a9 · a1800a9
1 parent 7794a06
commit a1800a9
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 8 deletions.
diff --git a/.buildkite/cryptic_repo_keys/.gitignore b/.buildkite/cryptic_repo_keys/.gitignore
@@ -0,0 +1,5 @@
+# Ignore the unencrypted repo_key
+repo_key
+
+# Ignore any agent keys (public or private) we have stored
+agent_key*
diff --git a/.buildkite/pipelines/main/misc/signed_pipeline_test.yml b/.buildkite/pipelines/main/misc/signed_pipeline_test.yml
@@ -5,13 +5,14 @@ agents:
 ## pipeline that showcases decryption of environment variable
 steps:
   - label: ":lock: :rocket: Signed pipeline test"
+    # We must accept the signed job id secret in order to propagate secrets
+    env:
+      BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET: ${BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET?}
+    depends_on:
     plugins:
       - staticfloat/cryptic#v1:
           variables:
             - SECRET_KEY="U2FsdGVkX18tb7st0SuQAvh4Yv4xENxOAu8q9XkmOeDVKBNY4FngEwK3xmiKUqaS"
     commands: |
       echo "SECRET_KEY: $${SECRET_KEY}"
 
-# We must accept the signed job id secret in order to propagate secrets
-env:
-  BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET: ${BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET?}
diff --git a/.buildkite/pipelines/main/misc/signed_pipeline_test.yml.signature b/.buildkite/pipelines/main/misc/signed_pipeline_test.yml.signature
diff --git a/.buildkite/pipelines/scheduled/coverage/coverage_linux64.yml b/.buildkite/pipelines/scheduled/coverage/coverage_linux64.yml
@@ -5,6 +5,10 @@ agents:
   os: "linux"
 steps:
   - label: ":unlock: :coverage: Run coverage test"
+    # We must accept the signed job id secret in order to propagate secrets
+    env:
+      BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET: ${BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET?}
+    depends_on:
     plugins:
       - staticfloat/cryptic:
           variables:
@@ -39,6 +43,3 @@ steps:
       ./julia .buildkite/pipelines/scheduled/coverage/upload_coverage.jl
     timeout_in_minutes: 240 # 240 minutes = 4 hours
 
-# We must accept the signed job id secret in order to propagate secrets
-env:
-  BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET: ${BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET?}
diff --git a/.buildkite/pipelines/scheduled/coverage/coverage_linux64.yml.signature b/.buildkite/pipelines/scheduled/coverage/coverage_linux64.yml.signature
@@ -1,2 +1 @@
-Salted__bU�,l-!FGw��(�WA�I��r�l��4��q�# R�})(�w��r��=;yEsI�FO}�H$��FEb���
-3��uU�f
+Salted__��@P=j���R���U(�,~�p @Q������'h7����OMJ���g���t<�A�(�v?ɴ<,:�j���Y'o��ڥσdٛ