This diff forward ports ea44e99451f345474738b9010ff791759a1f1367. Original commit message: - - - This change allows for producing cloud builds using the psiphon config files. We will add those files as build secrets. Only people in the organization and collaborators with at least "write" access could trigger builds containing such secrets. Before this change, `./mk` unconditionally attempted to clone github.com/ooni/probe-private. Now, it only checks whether we need to clone _if_ files are not already there. This allows us to use GitHub actions and secrets to copy the files in there _without_ needing to clone a private repo. Cloning a private repo would require us to include as repository secret an access token with full `repo` scope, which is a very broad scope. Instead, by using secrets to include psiphon config, we are narrowing down the secrets required to make a release build. See https://github.com/ooni/probe/issues/1878 This diff WILL require forward porting to the master branch.
This commit is contained in:
Simone Basso
GitHub
@@ -637,13 +637,31 @@ search/for/zip:
|
||||
@command -v zip || { echo "not found"; exit 1; }
|
||||
|
||||
#help:
|
||||
#help: The `./mk maybe/copypsiphon` command copies the private psiphon config
|
||||
#help: file into the current tree unless `$(OONI_PSIPHON_TAGS)` is empty.
|
||||
#help: The `./mk maybe/copypsiphon` command checks whether we want
|
||||
#help: to embed the Psiphon config file into the build. To this end,
|
||||
#help: this command checks whether OONI_PSIPHON_TAGS is set. In
|
||||
#help: such a case, this command checks whether the required files
|
||||
#help: are already in place. If not, this command fetches them
|
||||
#help: by cloning the github.com/ooni/probe-private repo.
|
||||
#
|
||||
# Note: we check for files being already there before attempting
|
||||
# to clone _because_ we put files in there using secrets when
|
||||
# running cloud builds. This saves us from including a token with
|
||||
# `repo` scope as a build secret, which is a very broad scope.
|
||||
#
|
||||
# Cloning the private repository, instead, is the way in which
|
||||
# local builds get access to the psiphon config files.
|
||||
.PHONY: maybe/copypsiphon
|
||||
maybe/copypsiphon: search/for/git
|
||||
test -z "$(OONI_PSIPHON_TAGS)" || $(MAKE) -f mk $(OONIPRIVATE)
|
||||
test -z "$(OONI_PSIPHON_TAGS)" || cp $(OONIPRIVATE)/psiphon-config.key ./internal/engine
|
||||
test -z "$(OONI_PSIPHON_TAGS)" || cp $(OONIPRIVATE)/psiphon-config.json.age ./internal/engine
|
||||
@if test "$(OONI_PSIPHON_TAGS)" = "ooni_psiphon_config"; then \
|
||||
if test ! -f ./internal/engine/psiphon-config.json.age -a \
|
||||
! -f ./internal/engine/psiphon-config.key; then \
|
||||
echo "copying psiphon configuration file into ./internal/engine"; \
|
||||
$(MAKE) -f mk $(OONIPRIVATE) || exit 1; \
|
||||
cp $(OONIPRIVATE)/psiphon-config.key ./internal/engine || exit 1; \
|
||||
cp $(OONIPRIVATE)/psiphon-config.json.age ./internal/engine || exit 1; \
|
||||
fi; \
|
||||
fi
|
||||
|
||||
# OONIPRIVATE is the directory where we clone the private repository.
|
||||
OONIPRIVATE = $(GIT_CLONE_DIR)/github.com/ooni/probe-private
|
||||
|
||||
Reference in New Issue
Block a user