fix(ci): Secrets unavailable for deploy jobs #4215

khvn26 · 2024-06-24T09:16:44Z

Thanks for submitting a PR! Please check the boxes below:

I have run pre-commit to check linting
I have added information to docs/ if required so people know about the feature!
I have filled in the "Changes" section below?
I have filled in the "How did you test this code" section below?
I have used a Conventional Commit title for this Pull Request

Changes

Fixes deploy jobs.

How did you test this code?

This is a CI change.

vercel · 2024-06-24T09:16:47Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

3 Ignored Deployments

Name	Status	Preview	Updated (UTC)
docs	⬜️ Ignored (Inspect)	Visit Preview	Jun 24, 2024 0:45am
flagsmith-frontend-preview	⬜️ Ignored (Inspect)	Visit Preview	Jun 24, 2024 0:45am
flagsmith-frontend-staging	⬜️ Ignored (Inspect)	Visit Preview	Jun 24, 2024 0:45am

github-actions · 2024-06-24T09:19:13Z

Uffizzi Preview deployment-53396 was deleted.

codecov · 2024-06-24T09:25:33Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.53%. Comparing base (5e87f39) to head (d5162f9).
Report is 6 commits behind head on main.

❗ Current head d5162f9 differs from pull request most recent head 8d16f3f

Please upload reports for the commit 8d16f3f to get more accurate results.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4215      +/-   ##
==========================================
+ Coverage   96.51%   96.53%   +0.01%     
==========================================
  Files        1177     1177              
  Lines       38307    38368      +61     
==========================================
+ Hits        36973    37037      +64     
+ Misses       1334     1331       -3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

.github/workflows/.reusable-deploy-ecs.yml

matthewelwell · 2024-06-24T10:54:48Z

Dockerfile

-  mv /root/.gnupg /app/; \
-  chown -R nobody /app/.gnupg
+  mv /root/.gnupg/ /app/


I'm keen to get @gagantrivedi's review here as well to make sure we know what we need to test.

Sure. The image has been deployed to staging so we just need to verify SSE there.

Yeah, we have to make sure sse events are still reaching influx

gagantrivedi · 2024-06-24T12:24:25Z

Dockerfile

@@ -167,8 +167,8 @@ FROM api-runtime-private as saas-api
 RUN --mount=type=secret,id=sse_pgp_pkey \
  apt-get update && apt-get install -y gnupg && \
  gpg --import /run/secrets/sse_pgp_pkey && \
-  mv /root/.gnupg /app/; \
-  chown -R nobody /app/.gnupg
+  mv /root/.gnupg/ /app/ && \


Are you able to build this image without any GPG key?

Are you able to build this image without any GPG key?

There's no need as saas-api target is only intended for building with the key.

Are you able to build this image without any GPG key?

There's no need as saas-api target is only intended for building with the key.

Hmm, I am little confused… Is this file not used for private cloud? What if we want to build an image locally to test something?

This file is used for all of our targets now. To build the private-cloud target, you don't need the key; the GPG import is the only layer added by the saas-api target stage.

I'd love to make the key a runtime dependency and shave off one target, though! Let me know if you have an idea how to do that.

See Dockerfile comments and the PR description for details.

khvn26 added 2 commits June 24, 2024 10:15

fix: Secrets unavailable for deploy jobs

76cd41f

test

3a413e3

github-actions bot added the fix label Jun 24, 2024

avoid chown

8e54858