Skip to content

Commit cb032f7

Browse files
ambushworkambushwork
committed
wip
1 parent ba0a340 commit cb032f7

File tree

3 files changed

+52
-53
lines changed

3 files changed

+52
-53
lines changed

ci/pipelines/default-pipeline.yml

Lines changed: 50 additions & 51 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ include:
44
# SETUP
55

66
stages:
7-
- fetch-secrets
7+
- source-secrets
88
- ci-image
99
- security
1010
- analysis
@@ -14,9 +14,9 @@ stages:
1414
- notify
1515

1616
.snippets:
17-
fetch-secrets:
18-
- mkdir -p ./ci/pipelines/secrets
19-
- ./ci/scripts/fetch-secrets.sh
17+
source-secrets:
18+
- source ./ci/scripts/vault_config.sh
19+
- source ./ci/scripts/get-secret.sh
2020

2121
# macOS AMI will already have cmdline-tools installed
2222
install-android-api-components:
@@ -44,26 +44,23 @@ stages:
4444
- if [[ "$exit_code" -ne 0 ]]; then exit 1; fi
4545
- exit 0
4646
set-publishing-credentials:
47-
- cp ./ci/pipelines/secrets/gradle.properties ./gradle.properties
48-
- export GPG_PRIVATE_KEY=$(cat ./ci/pipelines/secrets/gpg_private_key)
49-
- export GPG_PASSWORD=$(cat ./ci/pipelines/secrets/gpg_passphrase)
50-
- export CENTRAL_PUBLISHER_USERNAME=$(cat ./ci/pipelines/secrets/central_username)
51-
- export CENTRAL_PUBLISHER_PASSWORD=$(cat ./ci/pipelines/secrets/central_password)
52-
- export GPG_PUBLIC_FINGERPRINT=$(cat ./ci/pipelines/secrets/gpg_public_key | gpg --import --import-options show-only | grep -E -o -e "[A-F0-9]{40}")
47+
- get_secret $DD_ANDROID_SECRET__GRADLE_PROPERTIES > ./gradle.properties
48+
- export GPG_PRIVATE_KEY=$(get_secret $DD_ANDROID_SECRET__SIGNING_GPG_PRIVATE_KEY)
49+
- export GPG_PASSWORD=$(get_secret $DD_ANDROID_SECRET__SIGNING_GPG_PASSPHRASE)
50+
- export CENTRAL_PUBLISHER_USERNAME=$(get_secret $DD_ANDROID_SECRET__PUBLISHING_CENTRAL_USERNAME)
51+
- export CENTRAL_PUBLISHER_PASSWORD=$(get_secret $DD_ANDROID_SECRET__PUBLISHING_CENTRAL_PWD)
52+
- export GPG_PUBLIC_FINGERPRINT=$(get_secret $DD_ANDROID_SECRET__SIGNING_GPG_PUBLIC_KEY | gpg --import --import-options show-only | grep -E -o -e "[A-F0-9]{40}")
5353

5454
# CI IMAGE
5555

56-
fetch-secrets:
57-
stage: fetch-secrets
58-
tags: ["macos:sonoma","specific:true"]
56+
source-secrets:
57+
stage: source-secrets
58+
tags: [ "arch:amd64" ]
5959
image: $CI_IMAGE_DOCKER
6060
script:
61-
- !reference [.snippets, fetch-secrets]
62-
artifacts:
63-
paths:
64-
- ./ci/pipelines/secrets/
65-
expire_in: 1 hour
66-
when: always
61+
- !reference [.snippets, source-secrets]
62+
- echo $(get_secret $DD_ANDROID_SECRET__TEST_SECRET)
63+
- vault token lookup
6764

6865
ci-image:
6966
stage: ci-image
@@ -199,12 +196,14 @@ test:kover:
199196
- cache/caches/
200197
- cache/notifications/
201198
script:
199+
- !reference [.snippets, source-secrets]
202200
- pip3 install datadog
203201
- rm -rf ~/.gradle/daemon/
204202
- export DD_AGENT_HOST="$BUILDENV_HOST_IP"
205-
- export DD_API_KEY=$(cat ./ci/pipelines/secrets/api_key)
206-
- export DD_APP_KEY=$(cat ./ci/pipelines/secrets/app_key)
207-
- CODECOV_TOKEN=$(cat ./ci/pipelines/secrets/codecov_token)
203+
- export DD_API_KEY=$(get_secret $DD_ANDROID_SECRET__API_KEY)
204+
- vault token lookup
205+
- export DD_APP_KEY=$(get_secret $DD_ANDROID_SECRET__APP_KEY)
206+
- CODECOV_TOKEN=$(get_secret $DD_ANDROID_SECRET__CODECOV_TOKEN)
208207
- GRADLE_OPTS="-Xmx3072m" DD_TAGS="test.configuration.variant:release" ./gradlew :dd-sdk-android-core:koverXmlReportRelease --no-daemon --build-cache --gradle-user-home cache/ -Dorg.gradle.jvmargs=-javaagent:$DD_TRACER_FOLDER/dd-java-agent.jar=$DD_COMMON_AGENT_CONFIG
209208
- GRADLE_OPTS="-Xmx3072m" DD_TAGS="test.configuration.variant:release" ./gradlew :dd-sdk-android-internal:koverXmlReportRelease --no-daemon --build-cache --gradle-user-home cache/ -Dorg.gradle.jvmargs=-javaagent:$DD_TRACER_FOLDER/dd-java-agent.jar=$DD_COMMON_AGENT_CONFIG
210209
- GRADLE_OPTS="-Xmx3072m" DD_TAGS="test.configuration.variant:release" ./gradlew :koverReportFeatures --no-daemon --build-cache --gradle-user-home cache/ -Dorg.gradle.jvmargs=-javaagent:$DD_TRACER_FOLDER/dd-java-agent.jar=$DD_COMMON_AGENT_CONFIG
@@ -390,7 +389,7 @@ test-pyramid:detekt-api-coverage:
390389
timeout: 1h
391390
script:
392391
- mkdir -p ./config/
393-
- cp ./ci/pipelines/secrets/gradle.properties ./gradle.properties
392+
- get_secret $DD_ANDROID_SECRET__GRADLE_PROPERTIES > ./gradle.properties
394393
- GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesDebug --stacktrace --no-daemon
395394
- GRADLE_OPTS="-Xmx4096M" ./gradlew printSdkDebugRuntimeClasspath --stacktrace --no-daemon
396395
- GRADLE_OPTS="-Xmx4096M" ./gradlew :tools:detekt:jar --stacktrace --no-daemon
@@ -408,13 +407,13 @@ test-pyramid:publish-e2e-synthetics:
408407
- develop
409408
script:
410409
- mkdir -p ./config/
411-
- cp ./ci/pipelines/secrets/gradle.properties ./gradle.properties
412-
- cp ./ci/pipelines/secrets/keystore ./sample-android.keystore
413-
- cp ./ci/pipelines/secrets/e2e_config.json ./config/us1.json
414-
- export E2E_STORE_PASSWD=$(cat ./ci/pipelines/secrets/keystore_password)
415-
- export E2E_DD_API_KEY=$(cat ./ci/pipelines/secrets/e2e_api_key)
416-
- export E2E_DD_APP_KEY=$(cat ./ci/pipelines/secrets/e2e_app_key)
417-
- export E2E_MOBILE_APP_ID=$(cat ./ci/pipelines/secrets/e2e_mobile_app_id)
410+
- get_secret $DD_ANDROID_SECRET__GRADLE_PROPERTIES > ./gradle.properties
411+
- get_secret $DD_ANDROID_SECRET__KEYSTORE > ./sample-android.keystore
412+
- get_secret $DD_ANDROID_SECRET__E2E_CONFIG_JSON > ./config/us1.json
413+
- export E2E_STORE_PASSWD=$(get_secret $DD_ANDROID_SECRET__KEYSTORE_PWD)
414+
- export E2E_DD_API_KEY=$(get_secret $DD_ANDROID_SECRET__E2E_API_KEY)
415+
- export E2E_DD_APP_KEY=$(get_secret $DD_ANDROID_SECRET__E2E_APP_KEY)
416+
- export E2E_MOBILE_APP_ID=$(get_secret $DD_ANDROID_SECRET__E2E_MOBILE_APP_ID)
418417
- GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesRelease --stacktrace --no-daemon
419418
- GRADLE_OPTS="-Xmx4096M" ./gradlew :sample:kotlin:packageUs1Release --stacktrace --no-daemon
420419
- npm update -g @datadog/datadog-ci
@@ -435,13 +434,13 @@ test-pyramid:publish-webview-synthetics:
435434
- develop
436435
script:
437436
- mkdir -p ./config/
438-
- cp ./ci/pipelines/secrets/gradle.properties ./gradle.properties
439-
- cp ./ci/pipelines/secrets/keystore ./sample-android.keystore
440-
- cp ./ci/pipelines/secrets/webview_config.json ./config/us1.json
441-
- export E2E_STORE_PASSWD=$(cat ./ci/pipelines/secrets/keystore_password)
442-
- export E2E_DD_API_KEY=$(cat ./ci/pipelines/secrets/webview_api_key)
443-
- export E2E_DD_APP_KEY=$(cat ./ci/pipelines/secrets/webview_app_key)
444-
- export E2E_MOBILE_APP_ID=$(cat ./ci/pipelines/secrets/webview_mobile_app_id)
437+
- get_secret $DD_ANDROID_SECRET__GRADLE_PROPERTIES > ./gradle.properties
438+
- get_secret $DD_ANDROID_SECRET__KEYSTORE > ./sample-android.keystore
439+
- get_secret $DD_ANDROID_SECRET__WEBVIEW_CONFIG_JSON > ./config/us1.json
440+
- export E2E_STORE_PASSWD=$(get_secret $DD_ANDROID_SECRET__KEYSTORE_PWD)
441+
- export E2E_DD_API_KEY=$(get_secret $DD_ANDROID_SECRET__WEBVIEW_API_KEY)
442+
- export E2E_DD_APP_KEY=$(get_secret $DD_ANDROID_SECRET__WEBVIEW_APP_KEY)
443+
- export E2E_MOBILE_APP_ID=$(get_secret $DD_ANDROID_SECRET__WEBVIEW_MOBILE_APP_ID)
445444
- GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesRelease --stacktrace --no-daemon
446445
- GRADLE_OPTS="-Xmx4096M" ./gradlew :sample:kotlin:packageUs1Release --stacktrace --no-daemon
447446
- npm update -g @datadog/datadog-ci
@@ -462,13 +461,13 @@ test-pyramid:publish-staging-synthetics:
462461
- develop
463462
script:
464463
- mkdir -p ./config/
465-
- cp ./ci/pipelines/secrets/gradle.properties ./gradle.properties
466-
- cp ./ci/pipelines/secrets/keystore ./sample-android.keystore
467-
- cp ./ci/pipelines/secrets/e2e_staging_config.json ./config/staging.json
468-
- export E2E_STORE_PASSWD=$(cat ./ci/pipelines/secrets/keystore_password)
469-
- export E2E_DD_API_KEY=$(cat ./ci/pipelines/secrets/e2e_staging_api_key)
470-
- export E2E_DD_APP_KEY=$(cat ./ci/pipelines/secrets/e2e_staging_app_key)
471-
- export E2E_MOBILE_APP_ID=$(cat ./ci/pipelines/secrets/e2e_staging_app_id)
464+
- get_secret $DD_ANDROID_SECRET__GRADLE_PROPERTIES > ./gradle.properties
465+
- get_secret $DD_ANDROID_SECRET__KEYSTORE > ./sample-android.keystore
466+
- get_secret $DD_ANDROID_SECRET__E2E_STAGING_CONFIG_JSON > ./config/staging.json
467+
- export E2E_STORE_PASSWD=$(get_secret $DD_ANDROID_SECRET__KEYSTORE_PWD)
468+
- export E2E_DD_API_KEY=$(get_secret $DD_ANDROID_SECRET__E2E_STAGING_API_KEY)
469+
- export E2E_DD_APP_KEY=$(get_secret $DD_ANDROID_SECRET__E2E_STAGING_APP_KEY)
470+
- export E2E_MOBILE_APP_ID=$(get_secret $DD_ANDROID_SECRET__E2E_STAGING_APP_ID)
472471
- GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesRelease --stacktrace --no-daemon
473472
- GRADLE_OPTS="-Xmx4096M" ./gradlew :sample:kotlin:packageStagingRelease --stacktrace --no-daemon
474473
- npm update -g @datadog/datadog-ci
@@ -489,13 +488,13 @@ test-pyramid:publish-benchmark-synthetics:
489488
- develop
490489
script:
491490
- mkdir -p ./config/
492-
- cp ./ci/pipelines/secrets/gradle.properties ./gradle.properties
493-
- cp ./ci/pipelines/secrets/keystore ./sample-benchmark.keystore
494-
- cp ./ci/pipelines/secrets/benchmark_config.json ./config/benchmark.json
495-
- export BM_STORE_PASSWD=$(cat ./ci/pipelines/secrets/keystore_password)
496-
- export BM_DD_API_KEY=$(cat ./ci/pipelines/secrets/benchmark_api_key)
497-
- export BM_DD_APP_KEY=$(cat ./ci/pipelines/secrets/benchmark_app_key)
498-
- export BM_MOBILE_APP_ID=$(cat ./ci/pipelines/secrets/benchmark_mobile_app_id)
491+
- get_secret $DD_ANDROID_SECRET__GRADLE_PROPERTIES > ./gradle.properties
492+
- get_secret $DD_ANDROID_SECRET__KEYSTORE > ./sample-benchmark.keystore
493+
- get_secret $DD_ANDROID_SECRET__BENCHMARK_CONFIG_JSON > ./config/benchmark.json
494+
- export BM_STORE_PASSWD=$(get_secret $DD_ANDROID_SECRET__KEYSTORE_PWD)
495+
- export BM_DD_API_KEY=$(get_secret $DD_ANDROID_SECRET__BENCHMARK_API_KEY)
496+
- export BM_DD_APP_KEY=$(get_secret $DD_ANDROID_SECRET__BENCHMARK_APP_KEY)
497+
- export BM_MOBILE_APP_ID=$(get_secret $DD_ANDROID_SECRET__BENCHMARK_MOBILE_APP_ID)
499498
- GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesRelease --stacktrace --no-daemon
500499
- GRADLE_OPTS="-Xmx4096M" ./gradlew :sample:benchmark:packageRelease --stacktrace --no-daemon
501500
- npm update -g @datadog/datadog-ci

ci/scripts/get-secret.sh

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ get_secret() {
2222

2323
if [ "$CI" = "true" ]; then
2424
echo "Login as CI"
25-
vault login -method=aws -no-print
25+
vault login -method=oidc -no-print
2626
else
2727
if vault token lookup &>/dev/null; then
2828
echo "Reading '$secret_name' secret in local env. You are already authenticated with 'vault'." >&2

ci/scripts/vault_config.sh

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@
77
#
88

99
DD_VAULT_ADDR=https://vault.us1.ddbuild.io
10-
DD_ANDROID_SECRETS_PATH_PREFIX='kv/aws/arn:aws:iam::486234852809:role/ci-dd-sdk-android/'
10+
DD_ANDROID_SECRETS_PATH_PREFIX='kv/k8s/gitlab-runner/dd-sdk-android/'
1111

1212
DD_ANDROID_SECRET__TEST_SECRET="test.secret"
1313
DD_ANDROID_SECRET__GRADLE_PROPERTIES="gradle.properties"

0 commit comments

Comments
 (0)