buildkite: update references to the new env variables that are masked (#208)

v1v · web-flow · commit bee35ac86663 · 2023-02-16T11:48:53.000Z
diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
@@ -8,7 +8,7 @@
 
 set -eo pipefail
 
-echo "--- Prepare vault context"
+echo "--- Prepare vault context :vault:"
 VAULT_ROLE_ID_SECRET=$(vault read -field=role-id secret/ci/elastic-ecs-logging-java/internal-ci-approle)
 export VAULT_ROLE_ID_SECRET
 
@@ -23,10 +23,7 @@ PREVIOUS_VAULT_TOKEN=$VAULT_TOKEN
 export PREVIOUS_VAULT_TOKEN
 unset VAULT_TOKEN
 
-echo "--- Prepare keys context"
-VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID_SECRET" secret_id="$VAULT_SECRET_ID_SECRET")
-export VAULT_TOKEN
-
+echo "--- Prepare a secure temp :closed_lock_with_key:"
 # Prepare a secure temp folder not shared between other jobs to store the key ring
 export TMP_WORKSPACE=/tmp/secured
 export KEY_FILE=$TMP_WORKSPACE"/private.key"
@@ -36,6 +33,16 @@ export GNUPGHOME=$TMP_WORKSPACE"/keyring"
 mkdir -p $GNUPGHOME
 chmod -R 700 $TMP_WORKSPACE
 
+echo "--- Prepare keys context :key:"
+VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID_SECRET" secret_id="$VAULT_SECRET_ID_SECRET")
+export VAULT_TOKEN
+
+# Nexus credentials
+SERVER_USERNAME=$(vault read -field username secret/release/nexus)
+export SERVER_USERNAME
+SERVER_PASSWORD=$(vault read -field password secret/release/nexus)
+export SERVER_PASSWORD
+
 # Signing keys
 vault read -field=key secret/release/signing >$KEY_FILE
 KEYPASS_SECRET=$(vault read -field=passphrase secret/release/signing)
@@ -45,11 +52,7 @@ export KEY_ID_SECRET=D88E42B4
 # Import the key into the keyring
 echo "$KEYPASS_SECRET" | gpg --batch --import "$KEY_FILE"
 
-# Export secring
-export SECRING_FILE=$GNUPGHOME"/secring.gpg"
-gpg --pinentry-mode=loopback --passphrase "$KEYPASS_SECRET" --export-secret-key $KEY_ID_SECRET > "$SECRING_FILE"
-
-echo "--- Configure git context"
+echo "--- Configure git context :git:"
 # Configure the committer since the maven release requires to push changes to GitHub
 # This will help with the SLSA requirements.
 git config --global user.email "infra-root+apmmachine@elastic.co"
@@ -65,4 +68,3 @@ tar --extract --file /tmp/jdk.tar.gz --directory "$JAVA_HOME" --strip-components
 
 export JAVA_HOME
 export PATH=$JAVA_HOME/bin:$PATH
-
diff --git a/.ci/release.sh b/.ci/release.sh
@@ -22,7 +22,7 @@ trap clean_up EXIT
 git checkout -f "${branch_specifier}"
 
 set +x
-echo "--- Release the binaries to Maven Central"
+echo "--- Release the binaries to Maven Central :maven:"
 if [[ "$dry_run" == "true" ]] ; then
   echo './mvnw release:prepare release:perform --settings .ci/settings.xml --batch-mode'
 else
diff --git a/.ci/settings.xml b/.ci/settings.xml
@@ -22,7 +22,8 @@
                 <activeByDefault>true</activeByDefault>
             </activation>
             <properties>
-                <gpg.passphrase>${env.KEYPASS}</gpg.passphrase>
+                <!-- this env variable is defined in .buildkite/hooks/pre-command -->
+                <gpg.passphrase>${env.KEYPASS_SECRET}</gpg.passphrase>
             </properties>
         </profile>
     </profiles>
diff --git a/.ci/snapshot.sh b/.ci/snapshot.sh
@@ -19,7 +19,7 @@ clean_up () {
 trap clean_up EXIT
 
 set +x
-echo "--- Deploy the snapshot"
+echo "--- Deploy the snapshot :package:"
 if [[ "$dry_run" == "true" ]] ; then
   echo './mvnw -s .ci/settings.xml -Pgpg clean deploy --batch-mode'
 else
