How to use SSH-credentials? - jenkins-workflow

I try to convert a "standard" build to a workflow build. In the original build we use the SSH-Agent plugin to access the SSH keys we need for deploying the artifacts in the build's shell script. How can I do something like this in workflow? Is this even possible?

Pending JENKINS-28689 this would be tricky. You could save the private key as a Secret Text credentials item (pending JENKINS-28399), then use the withCredentials step (Credentials Binding plugin) to get a variable with a file location of a copy of the private key, and then authenticate with that.
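As an added example (not code from the answer above or from the Jenkins project), this is the shell script such a withCredentials block could run, assuming a secret-file credential bound with a file binding that exports the copied key's path as SSH_KEY_FILE; the credential id, the variable name, the artifact path, the target host and the known_hosts location are all placeholders. It checks the bound key file before use, requires a pinned host key for the target, and passes only that key and that known_hosts file to ssh/scp so nothing from the agent user's ~/.ssh is consulted.

```shell
#!/bin/sh
# Added example, not code from the answer above. Runs inside a Jenkins step
# such as (assumed credential id and variable name):
#   withCredentials([file(credentialsId: 'deploy-ssh-key', variable: 'SSH_KEY_FILE')]) {
#       sh './deploy.sh build/app.tar.gz deploy@deploy.example.invalid'
#   }

# Refuse a key file that is missing, readable by group/others, or not a
# private key at all. ssh rejects loose permissions anyway; checking first
# gives a clear failure instead of "permissions are too open" mid-deploy.
check_private_key_file() {
    f="$1"
    [ -f "$f" ] || { echo "key file not found: $f" >&2; return 1; }
    # POSIX find prints the path if any group/other permission bit is set
    loose=$(find "$f" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                      -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    [ -z "$loose" ] || { echo "key file permissions too open: $f" >&2; return 1; }
    head -n 1 "$f" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' \
        || { echo "not a PEM/OpenSSH private key: $f" >&2; return 1; }
}

# The pinned host key must exist before connecting, otherwise BatchMode fails
# with an opaque "Host key verification failed". Plain (unhashed) entries only.
host_is_pinned() {
    host="$1"; known_hosts="$2"
    [ -r "$known_hosts" ] || return 1
    awk -v h="$host" '
        $1 !~ /^[#@]/ { n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h) found = 1 }
        END { exit found ? 0 : 1 }' "$known_hosts"
}

# Copy the artifact and restart, using only the bound key and the pinned
# known_hosts file, never the agent user's ~/.ssh defaults.
deploy() {
    key="$1"; known_hosts="$2"; artifact="$3"; target="$4"
    check_private_key_file "$key" || return 1
    host_is_pinned "${target#*@}" "$known_hosts" \
        || { echo "no pinned host key for ${target#*@}" >&2; return 1; }
    set -- -i "$key" -o IdentitiesOnly=yes -o BatchMode=yes \
           -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$known_hosts"
    scp "$@" "$artifact" "$target:/srv/app/releases/" &&
        ssh "$@" "$target" 'sudo systemctl restart app'
}

# Entry point for the Jenkins sh step; known_hosts is committed next to the job
# (assumed location ci/known_hosts under the workspace).
if [ $# -eq 2 ]; then
    deploy "${SSH_KEY_FILE:?bound by withCredentials}" "${WORKSPACE:-.}/ci/known_hosts" "$1" "$2"
fi
```

The known_hosts file is committed with the job rather than fetched at build time, so a build agent that is created fresh for every run still verifies the deploy host against a key someone reviewed; hashed known_hosts entries are not handled by the lookup above.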

Related

How to use private packages in Azure Pipelines During CI/CD builds

I am using Azure CI/CD pipelines for Flutter build. In my Pubspec yaml file, I have dependencies that are private to my project and the code is hosted in same azure devops project but in different repository. During Build (i.e. Flutter Packages get) it gives me error saying Authentication failed?. I tried with PAT token where in prior to flutter build task i used git command to set that token, but it didn't solve the issue. Can anyone help me out?
I am open to being shown a better way but these are the steps I took to solve this issue a little while ago.
Assuming you are referencing the package in your pubspec.yaml using git over ssh on azure devops like:
  repo_name:
    git:
      ref: 'tag or other identifier'
      url: you@vs-ssh.visualstudio.com:v3/you/project/repo_name
Generate a new ssh key pair on your machine.
Upload the private key to the library secure files section on azure devops.
Add the install ssh key task to your azure pipelines build, using the key pair generated in the previous steps and referencing the private key uploaded to the secure files library. link
Upload the public key to your list of public keys. (This step I'm not 100% sure is necessary, but I did it initially and things have worked, so I haven't removed it.)
So in my azure-pipelines.yaml the install ssh key step looks kinda like this, where id_rsa is the name of the private key in my secure files.
  - task: InstallSSHKey@0
    inputs:
      knownHostsEntry: 'vs-ssh.visualstudio.com, ...etc'
      sshPublicKey: 'ssh-rsa ...etc'
      sshKeySecureFile: id_rsa
A private feed is created with permissions such that only you have access.
The build agent runs as a user (the build service account); give this user permissions in the feed. From Feed settings->Permissions, assign your build service account owner permission.
Also verify the token is working, make sure you have selected sufficient scopes for this token to authorize for your specific tasks.
Besides, try adding a variable system.debug with a value of true; you'll get more information in the failure. That might help pinpoint the problem.

How and where to share the private key of Git-Crypt with CI in order to decrypt encrypted files?

I am working on an Android project. I have a few files under version control that git-crypt encrypt them for me. The content of some of them is important to be decrypted before running the build process.
I have no problem at all with building the project on my laptop. The problem is on the CI side. When I push the code to the Origin, the pipeline (I am using Azure) triggers a pipeline and after a few seconds, the build fails. That's because the build system is looking for the information I have in the keys.properties file and it's encrypted.
Based on my understanding, git-crypt uses public/private keys in order to encrypt/decrypt files. The public key is already under the version control, root/.git-crypt/keys/default/0/7F64F6C566153F29E4D9D44070C2A1QW029CE338.gpg. Therefore, I think I need to move the private key somewhere. Am I right? If I am right then my question is where to put it? Is it still under the root of the computer (macOS Image/VM on CI) or I can put it under the root of the project?
Note: Azure lets me upload secure files under its Libraries and then I am able to reference it from the azure-pipelines.yaml file.
where to put it?
Based on my understanding of git-crypt and Azure DevOps, compared with storing the private key in the root of the PC, I'd suggest you put it under the root of the project.
Because if you store it at the root of the PC, there would be no trouble while you run the pipeline with a private agent. BUT the issue is if someone is using a hosted agent while the private key is local. As you know, a hosted agent is one located in the cloud, and it is loaded very dynamically. So it's hard to get the private key from the local computer.
In a word, keeping it in the repository removes the hassle of storing it somewhere else and sharing it between developers.
However, the above is just the suggested choice between storing it at the root of the PC and storing it at the root of the project.
Admittedly, it would be much more convenient to put the private key into the root of the project.
But on personal suggestion and for information security, I strongly stand by the method that you mentioned last: store the private key in the Library, and reference it during the build/release. The Azure DevOps library stores the secrets in a safe way and uses them as and when needed without making them visible to anyone.
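As an added example (not code from the answer above or from the git-crypt project), here is what the secure-file approach the answer settles on can look like in the pipeline's script step. It assumes a DownloadSecureFile task has placed the downloaded key's path in GITCRYPT_KEY (an assumed variable name), that the file is a symmetric key produced with `git-crypt export-key` so no gpg keyring is needed on the hosted agent, and that the checkout lives in BUILD_SOURCESDIRECTORY, which Azure Pipelines sets. It refuses a key that sits inside the checkout, re-locks the repository when the job shell exits, and can tell whether a tracked file is still ciphertext without calling git-crypt.

```shell
#!/bin/sh
# Added example, not from the answer above. Unlocks git-crypt on a hosted agent
# from a secure-file download. GITCRYPT_KEY is an assumed variable name;
# BUILD_SOURCESDIRECTORY is the checkout path Azure Pipelines provides.

# git-crypt writes a fixed 10-byte magic header ("\0GITCRYPT\0") in front of
# every encrypted blob, so a tracked file can be classified without git-crypt.
is_gitcrypt_ciphertext() {
    magic=$(dd if="$1" bs=10 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "00474954435259505400" ]
}

# The key must stay outside the checkout: anything under the repo root can be
# swept up by `git add .`, a packaging step, or a build log that lists the tree.
# Both paths are expected to be absolute; a trailing slash on the repo is fine.
is_outside_repo() {
    key="$1"; repo="${2%/}"
    case "$key" in
        "$repo"|"$repo"/*) return 1 ;;
        *) return 0 ;;
    esac
}

unlock_repo() {
    key="$1"; repo="$2"
    is_outside_repo "$key" "$repo" \
        || { echo "refusing: key file is inside the checkout" >&2; return 1; }
    [ -s "$key" ] || { echo "key file missing or empty: $key" >&2; return 1; }
    # re-lock when the job shell exits so a reused agent workspace never keeps
    # plaintext keys.properties around for the next job
    trap 'git -C "$repo" crypt lock >/dev/null 2>&1' EXIT
    git -C "$repo" crypt unlock "$key"
}

# Pipeline usage (script step): ./unlock.sh && ./gradlew assembleRelease
if [ -n "${GITCRYPT_KEY:-}" ]; then
    unlock_repo "$GITCRYPT_KEY" "${BUILD_SOURCESDIRECTORY:?}" || exit 1
    if is_gitcrypt_ciphertext "$BUILD_SOURCESDIRECTORY/keys.properties"; then
        echo "keys.properties is still encrypted after unlock" >&2; exit 1
    fi
fi
```

The post-unlock check matters because a wrong key or a key for a different git-crypt key name fails silently from the build's point of view: the next step would just read ciphertext bytes and fail somewhere less obvious.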

Use Github Package Registry without authtoken

In my node project I would like to use both the NPM and GitHub registries. The reason is that I use some packages such as request or async, but I've made my own packages which are stored on the GitHub Packages Registry.
I've tried to add @USERNAME:registry=https://npm.pkg.github.com/ in .npmrc, but I still need an authtoken. There is the problem: as it's for continuous integration I don't want to use a token linked to a specific user.
So what could I do?
Edit: I'm using Circle CI for my workflows.
You can use the default GITHUB_TOKEN associated with the repository that your workflow runs in.
If you are using a GitHub Actions workflow, you can use a GITHUB_TOKEN to publish and consume packages in the GitHub Package Registry without needing to store and manage a personal access token.
ref: https://help.github.com/en/github/managing-packages-with-github-package-registry/configuring-npm-for-use-with-github-package-registry#authenticating-to-github-package-registry
If you are not using GitHub Actions and running your build in a different CI tool then I don't think you have any choice but to use a Personal Access Token tied to a user account.

Can I ignore this nuget warning about no API KEY?

When pushing I see this:
  nuget push blah.1.0.0.nupkg -source repo
  WARNING: No API Key was provided and no API Key could be found for 'https://meeee.jfrog.io/meeee/api/nuget/repo'. To save an API Key for a source use the 'setApiKey' command.
  Pushing blah.1.0.0.nupkg to 'https://meeee.jfrog.io/meeeee/api/nuget/repo'...
  PUT https://meeee.jfrog.io/meeee/api/nuget/repo/
  Created https://meeee.jfrog.io/meeee/api/nuget/repo/ 8585ms
Still works and it has to be using the API key because otherwise I'd get access denied - so I'm not sure what it's warning me about. Maybe because I don't have a default machine wide API key? I had to add the nuget source with user name and password because nuget is a mess and won't pull the default API key for it without setting it for each source.
Also I noticed even if I upload the same exact package a bunch of times in a row it still uploads it - I thought maybe Artifactory would see it was the same and not upload or tell me that?
You probably have your credentials specified in your nuget.config file for repo to authenticate.
To get rid of the warning, simply specify a dummy API key using --api-key 0 in your request.
The warning went away for me after using the following nuget command:
  nuget setapikey YOUR_API_KEY -source YOUR_SOURCE_NAME

How to get s2i to connect to a private NuGet feed

I have OpenShift set up to build an ASP.NET Core application. I've succeeded in configuring OpenShift so it pulls in the latest source code. I see in the logs that it starts to build, but it immediately stops on the restore step.
OpenShift doesn't have access to our private NuGet feeds.
I know I can add credentials to the NuGet.config file, but that would mean committing sensitive information to the repository, which we don't want.
I've tried adding Input Secrets, as mentioned in the docs. I did this by creating a secret that contains the NuGet.config contents and adding the secret to my BuildConfig. I still get the same error (an HTTP 401).
Can I somehow tell OpenShift how to connect to the private NuGet feeds? Maybe using the secrets feature perhaps?
In the case of nuget configuration, you will need to specify where the NuGet.Config build input secret gets mounted into. This can be done by setting the destinationDir parameter to a valid configuration location.
As for being able to add the config file in your repository itself, you can do this by making use of environment variable references in the config, for example <add key="ClearTextPassword" value="%NUGET_REPO_PASSWORD%" />. The NUGET_REPO_PASSWORD environment variable can then be configured in your build configuration, with its value referenced from an OpenShift secret.
Hope this gets you going. If all else fails, you can definitely override the s2i assemble script with your own by adding an executable script at .s2i/bin/assemble of your project repository.
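The GitHub Packages answer earlier on this page and the OpenShift answer above rely on the same idea: the registry config committed to the repository holds only a reference to an environment variable, and the real token is injected by the CI system (GITHUB_TOKEN in a GitHub Actions workflow, an OpenShift secret mapped to an environment variable in the BuildConfig). The script below is an added example, not code from either answer or from npm, NuGet or OpenShift; it writes both config files that way and includes a guard that fails if a live secret value ever ends up in a generated file. NODE_AUTH_TOKEN, NUGET_REPO_USER and NUGET_REPO_PASSWORD are assumed variable names, and the scope and feed values are placeholders.

```shell
#!/bin/sh
# Added example, not code from either answer. Generates registry configs so
# that npm and NuGet read the credential from the environment at run time:
# the files contain only placeholders and are safe to commit; the real value
# comes from the CI secret store. Variable names are assumptions.

# npm expands ${VAR} in .npmrc itself, so the single-quoted line stays literal here.
write_npmrc() {
    scope="$1"; out="$2"
    printf '%s\n' \
        "@${scope}:registry=https://npm.pkg.github.com/" \
        '//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}' > "$out"
}

# NuGet expands %VAR% in config values, as the OpenShift answer describes.
# feed_name doubles as an XML element name, so keep it to letters and digits.
write_nuget_config() {
    feed_name="$1"; feed_url="$2"; out="$3"
    cat > "$out" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="${feed_name}" value="${feed_url}" />
  </packageSources>
  <packageSourceCredentials>
    <${feed_name}>
      <add key="Username" value="%NUGET_REPO_USER%" />
      <add key="ClearTextPassword" value="%NUGET_REPO_PASSWORD%" />
    </${feed_name}>
  </packageSourceCredentials>
</configuration>
EOF
}

# Guard before committing or echoing a generated file: fail if any live secret
# value appears in it verbatim (i.e. someone expanded the placeholder too early).
no_literal_secret() {
    f="$1"; shift
    for value in "$@"; do
        if [ -n "$value" ] && grep -qF -- "$value" "$f"; then
            return 1
        fi
    done
    return 0
}

# CI usage; the token reaches npm/NuGet through the environment, not the file:
#   write_npmrc myorg .npmrc && NODE_AUTH_TOKEN="$GITHUB_TOKEN" npm ci
#   write_nuget_config PrivateFeed "$NUGET_FEED_URL" NuGet.Config && dotnet restore
```

For the OpenShift case the same NuGet.Config can also be supplied as a build input secret instead of being committed, in which case destinationDir must point at a location NuGet actually reads; the environment-reference form works the same either way.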