Be explicit about the secret env vars used in CI

pimterry · pimterry · commit 82714d32f1b9 · 2019-01-07T13:06:59.000+01:00
diff --git a/.travis.yml b/.travis.yml
@@ -21,13 +21,18 @@ addons:
 before_script:
 - >
     if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then
+      # On OSX, pull the cert from a base64 env var
       export CERTIFICATE_P12=certificates/Certificate.p12;
       echo $CERTIFICATE_OSX_P12 | base64 --decode > $CERTIFICATE_P12;
+      # Create a new OSX keychain (we can't access the travis default)
       export KEYCHAIN=httptoolkit-build.keychain;
-      export KEYCHAIN_PASSWORD=mysupersecretpassword
+      export KEYCHAIN_PASSWORD=mynotverysecretpassword
       security create-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN;
       security default-keychain -s $KEYCHAIN;
       security unlock-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN;
+      # Try and make code signing work reliably, see
+      # https://docs.travis-ci.com/user/common-build-problems/#mac-os-x-mavericks-109-code-signing-errors
+      # https://docs.travis-ci.com/user/common-build-problems/#mac-macos-sierra-1012-code-signing-errors
       security set-keychain-settings -t 3600 -u $KEYCHAIN
       security import $CERTIFICATE_P12 -k $KEYCHAIN -P $CERTIFICATE_OSX_PASSWORD -T /usr/bin/codesign;
       security set-key-partition-list -S apple-tool:,apple: -s -k $KEYCHAIN_PASSWORD $KEYCHAIN
diff --git a/appveyor.yml b/appveyor.yml
@@ -3,6 +3,12 @@ platform:
 
 environment:
   nodejs_version: "10"
+  # Github token, used to pull the latest httptoolkit-server release
+  GITHUB_TOKEN: PASSWORD
+  # Password to decrypt the cert pfx (set in CI config)
+  CERTIFICATE_FILE_KEY: PASSWORD
+  # Password to use the code signing cert (set in CI config)
+  ELECTRON_FORGE_ELECTRON_WINSTALLER_CONFIG_CERTIFICATE_PASSWORD: PASSWORD
 
 cache:
 - '%APPDATA%\npm-cache'
@@ -20,6 +26,7 @@ branches:
 
 install:
 - ps: iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/appveyor/secure-file/master/install.ps1'))
+# Decrypt the raw cert - arguably unnecessary (cert has its own key), but nice to have since it's committed & public
 - cmd: appveyor-tools\secure-file -decrypt certificates/encrypted-win-cert.pfx.enc -secret %CERTIFICATE_FILE_KEY%
 - ps: Install-Product node $env:nodejs_version $env:platform
 - set PATH=%APPDATA%\npm;%PATH%
