Try actually logging in...
rcoh committed Jan 31, 2023
1 parent 2124e98 commit 4ae1e29
Showing 2 changed files with 22 additions and 3 deletions.
3 changes: 2 additions & 1 deletion .github/workflows/ci-pr.yml
Expand Up @@ -36,7 +36,7 @@ jobs:
id: set-token
run: |
ENCRYPTED_PAYLOAD=$(
gpg --symmetric --batch --passphrase "(AWS_REGION=us-east-1 aws secretsmanager get-secret-value --secret-id github-pgp-key --query SecretString --output text)" --output - <(echo "not-a-real-token") | base64 -w0
gpg --symmetric --batch --passphrase "{{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}" --output - <(echo "not-a-real-token") | base64 -w0
)
echo "payload: $ENCRYPTED_PAYLOAD"
echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT
Expand All @@ -48,6 +48,7 @@ jobs:
runs-on: ubuntu-latest
env:
ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
DOCKER_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
steps:
- name: debug token
run: echo $ENCRYPTED_DOCKER_PASSWORD
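Review bot: The gpg line that appears to be the new side of the first hunk (the page has lost its +/- markers) writes the passphrase as `"{{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}"` without the leading `$`, so Actions does not expand it and the payload is encrypted with that literal text. The second hunk passes the real secret to the consuming job as `DOCKER_PASSPHRASE`, so decryption there cannot match. Rather than only adding the `$`, expose the secret through the step's `env:` (for example `GPG_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}`) and hand it to gpg with `--passphrase-fd 0 <<<"$GPG_PASSPHRASE"`, which keeps it out of the rendered script and out of the process argument list. The `echo "payload: $ENCRYPTED_PAYLOAD"` line and the `debug token` step also write the ciphertext to the job log, where its protection rests on the passphrase alone; they should be removed before a real token replaces `not-a-real-token`. Both jobs extend outside the hunks shown, so any existing `env:` on the step is not visible here.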
22 changes: 20 additions & 2 deletions tools/ci-build/acquire-build-image
Expand Up @@ -154,17 +154,35 @@ def run(command, cwd=None):


# Returns (status, output) from a shell command
def get_cmd_output(command, cwd=None, check=True):
def get_cmd_output(command, cwd=None, check=True, **kwargs):
result = subprocess.run(
shlex.split(command),
capture_output=True,
check=check,
cwd=cwd
cwd=cwd,
**kwargs
)
return (result.returncode, result.stdout.decode("utf-8").strip(), result.stderr.decode("utf-8").strip())


def decrypt_and_login(secret):
import base64
decoded = base64.b64decode(secret, validate=True)
token = os.getenv("DOCKER_PASSPHRASE")
if token is None:
print('no passphrase')
return
(_, password, _) = (get_cmd_output(f"gpg --decrypt --batch --quiet --passphrase {token} --output -", check=True,
input=decoded))
(_, output, _) = get_cmd_output("docker login --username AWS --password-stdin public.ecr.aws", input=password.encode('utf-8'))
print(output)


def acquire_build_image(context=Context.default(), shell=Shell()):
import os
docker_password = os.getenv("ENCRYPTED_DOCKER_PASSWORD")
if docker_password is not None:
decrypt_and_login(docker_password)
# If the image doesn't already exist locally, then look remotely
if not shell.docker_image_exists_locally(LOCAL_BASE_IMAGE_NAME, context.image_tag):
announce("Base image not found locally.")
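Review bot: In `decrypt_and_login` the passphrase is spliced into the command string (`--passphrase {token}`) and then passed through `shlex.split`, so it ends up in gpg's argv where other processes on the runner can read it, any whitespace or quote character in it changes how the command is split, and with `check=True` a failed decrypt raises `CalledProcessError` whose message repeats the full command. Handing the passphrase to gpg over an inherited pipe with `--passphrase-fd` avoids all three, and the new `**kwargs` on `get_cmd_output` already lets `pass_fds` through, as sketched below. Separately, `decrypt_and_login` calls `os.getenv` while `import os` is added only inside `acquire_build_image`, so unless the module imports `os` at the top (not visible in this section) that call raises `NameError`. `acquire_build_image` continues past the end of the hunk.

```python
def decrypt_and_login(secret):
    # … unchanged: base64 decode, DOCKER_PASSPHRASE lookup and early return …
    read_fd, write_fd = os.pipe()
    try:
        # The passphrase is small, so it fits in the pipe buffer before gpg starts reading.
        os.write(write_fd, token.encode("utf-8") + b"\n")
        os.close(write_fd)
        (_, password, _) = get_cmd_output(
            f"gpg --decrypt --batch --quiet --passphrase-fd {read_fd} --output -",
            check=True,
            input=decoded,
            pass_fds=(read_fd,),
        )
    finally:
        os.close(read_fd)
    # … unchanged: docker login with --password-stdin, print(output) …
```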
