This document describes how we manage secret values for use in automated builds.
In order to work with these values, you will need:
- Composer, for local builds
- Access to the Actions secrets and variables page for this Github repository, for builds managed by Github Actions.
- The Terminus CLI tool, including the Secrets Manager plugin, for builds managed by Pantheon.
In order to build the network correctly, all build systems will need to have access to two values:
- The license code for the Advanced Custom Fields plugin.
- A Github "classic" token with repository scope, managed by the `mitlib-wp-network-deploy` user, for access to some private repositories.
Both current values can be found in the MIT Libraries' shared LastPass account, in the Shared-Product-Pantheon folder.
The user credentials for the deploy user are also in that folder.
The Github token is currently set to expire every 90 days. New values can be generated by logging into that account and going to the Classic Tokens page within the Developer settings.
When you make a new token, your first step should be to save the new value in LastPass, before updating anything else.
For builds on Github, the following additional values are needed:
- A known_hosts file for deploying from Github to Pantheon.
- An SSH private key for deploying from Github to Pantheon.
- The SSH-format address of the Pantheon git repository.
Working with the WordPress network involves a few different automated build processes, and each requires these two values to be stored in slightly different ways.
Your local Composer installation will build the network when you are working locally. Composer stores its secrets in an `auth.json` file within your user profile, and it will manage the file on its own. If updates are needed, it will prompt you for the new value.
We have a handful of automated checks within Github Actions, which run for every pull request. Additionally, there is a deploy workflow which pushes the `master` branch to the Dev tier within Pantheon when a PR merges.
These workflows require the following secrets to be defined:
- `ACF_PRO_KEY` - The license key on its own.
- `COMPOSER_AUTH` - A JSON structure which combines the ACF key and the token (the format for this value is provided in LastPass).
- `DEPLOY_SSH_KNOWN_HOSTS` - The known_hosts file to allow Github's CI to trust the Pantheon git server.
- `DEPLOY_SSH_PRIVATE_KEY` - The private key (with blank passphrase) used to connect to Pantheon's git server. The public key is added to your personal settings within Pantheon.
- `PANTHEON_REPOSITORY` - The SSH-format address of the git repository in Pantheon.
These values can be defined, but not read, using the Actions secrets and variables page within this repository.
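Because the Actions secrets page lets you write these values but never read them back, a typo in one of them only surfaces when the deploy workflow fails. The following preflight script is an added example, not part of this repository, that a workflow step could run before Composer or git are invoked. It assumes the five secrets are exposed to the job as environment variables under the names listed above, and it only inspects the `github-oauth.github.com` part of `COMPOSER_AUTH` (Composer's standard `auth.json` layout); the ACF portion of that structure, whose reference copy lives in LastPass, is not modelled. Nothing secret is ever printed, only a description of what is wrong. The 90-day reminder helper uses the token lifetime stated above.

```python
"""Preflight checks for the Github Actions build secrets.

Added example, not part of the original project. Assumes the five secrets
are exposed to the job as environment variables under the names used on
this page. Secret values are never printed; only problem descriptions are.
"""
import json
import os
import re
import sys
from datetime import date, timedelta

REQUIRED = (
    "ACF_PRO_KEY",
    "COMPOSER_AUTH",
    "DEPLOY_SSH_KNOWN_HOSTS",
    "DEPLOY_SSH_PRIVATE_KEY",
    "PANTHEON_REPOSITORY",
)
TOKEN_LIFETIME_DAYS = 90  # expiry configured on the deploy user's classic token

# One known_hosts entry: host, key type, base64 key material.
KNOWN_HOSTS_LINE = re.compile(
    r"^\S+\s+(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+)\s+[A-Za-z0-9+/=]+", re.M
)
# Either ssh://user@host[:port]/path or the scp-style user@host:path form.
SSH_ADDRESS = re.compile(r"^(ssh://\S+@\S+/\S+|\S+@\S+:\S+)$")


def check_composer_auth(raw):
    """Return problems found in a COMPOSER_AUTH value (empty list means OK).

    Only github-oauth.github.com is inspected; that part of the layout is
    Composer's standard auth.json format. The ACF portion is not modelled.
    """
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"COMPOSER_AUTH is not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["COMPOSER_AUTH must be a JSON object"]
    oauth = data.get("github-oauth")
    token = oauth.get("github.com") if isinstance(oauth, dict) else None
    if not token:
        return ["COMPOSER_AUTH is missing github-oauth.github.com"]
    # Github classic personal access tokens carry the ghp_ prefix.
    if not re.fullmatch(r"ghp_[A-Za-z0-9]+", token):
        return ["github-oauth.github.com does not look like a classic token"]
    return []


def preflight(env=None):
    """Check every required secret; return a list of problem strings."""
    env = os.environ if env is None else env
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    if env.get("COMPOSER_AUTH"):
        problems += check_composer_auth(env["COMPOSER_AUTH"])
    hosts = env.get("DEPLOY_SSH_KNOWN_HOSTS")
    if hosts and not KNOWN_HOSTS_LINE.search(hosts):
        problems.append("DEPLOY_SSH_KNOWN_HOSTS has no host key entry")
    key = env.get("DEPLOY_SSH_PRIVATE_KEY", "")
    if key and not (key.lstrip().startswith("-----BEGIN") and "PRIVATE KEY-----" in key):
        problems.append("DEPLOY_SSH_PRIVATE_KEY is not a PEM-encoded private key")
    repo = env.get("PANTHEON_REPOSITORY")
    if repo and not SSH_ADDRESS.match(repo):
        problems.append("PANTHEON_REPOSITORY is not an SSH-format address")
    return problems


def token_days_remaining(created_on, today=None):
    """Days until a classic token created on `created_on` (ISO date) expires.

    Negative means the 90-day lifetime has already elapsed.
    """
    created = date.fromisoformat(created_on)
    now = date.fromisoformat(today) if today else date.today()
    return (created + timedelta(days=TOKEN_LIFETIME_DAYS) - now).days


# Constructed sample values for demonstration only; none of these are real.
SAMPLE_ENV = {
    "ACF_PRO_KEY": "example-acf-key",
    "COMPOSER_AUTH": json.dumps({"github-oauth": {"github.com": "ghp_" + "x" * 36}}),
    "DEPLOY_SSH_KNOWN_HOSTS": "codeserver.example.invalid ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial",
    "DEPLOY_SSH_PRIVATE_KEY": "-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n-----END OPENSSH PRIVATE KEY-----\n",
    "PANTHEON_REPOSITORY": "ssh://git@codeserver.example.invalid:2222/~/repository.git",
}

if __name__ == "__main__":
    # Run against the real job environment; fail the step if anything is off.
    found = preflight()
    for line in found:
        print(line, file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run it as an early workflow step (`python3 preflight.py`) so a missing or malformed secret fails the job with a named cause rather than an opaque Composer or git error, and note that the script deliberately reports only the name of the offending secret, never its contents, so its output is safe in the Actions log.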
The Pantheon platform builds the WordPress application when deploying changes to any tier, including setting up new multidev instances and promoting changes to production.
Managing these values within Pantheon is done via the Terminus Secrets Manager plugin. Please see the readme for that project for installation and usage instructions.
There are three values defined by this plugin:
- `ACF_PRO_KEY` - The license key on its own. This is an `env` type secret, with a scope of `ic`.
- `COMPOSER_AUTH` - A JSON structure which combines the ACF key and the token (the format for this value is provided in LastPass). This is an `env` type secret, with a scope of `ic, user`.
- `github-oauth.github.com` - The Github classic token on its own. This is a `composer` type secret, with a scope of `user, ic`.
The current configuration of these values can be seen via:

```
% terminus secret:list mitlib-wp-network
 ------------- ------------- ------------------------------------------------------------------------- ---------------
  Secret name   Secret type   Secret value                                                              Secret scopes
 ------------- ------------- ------------------------------------------------------------------------- ---------------
  ...           ...           ...                                                                       ...
 ------------- ------------- ------------------------------------------------------------------------- ---------------
```