From c608955532ed8491a18cbcdd05f584bda6675511 Mon Sep 17 00:00:00 2001 From: Paul Gschwendtner Date: Thu, 5 Jan 2023 14:56:14 +0000 Subject: [PATCH] ci: use snapshot deploy secret directly Instead of encoding the GitHub snapshot robot access token in a file that needs to be decoded by an ambiguously named secret called `KEY`, the token can be directly stored in the secrets of CircleCI given easier maintenance and the same risk. The leakage of the secret still means the GitHub token file could be decoded. We are switching to a similar model as in the components repo, which also simplifies key rotations etc. --- .circleci/dynamic_config.yml | 10 +--------- .circleci/github_token | 1 - scripts/snapshots.ts | 7 +------ 3 files changed, 2 insertions(+), 16 deletions(-) delete mode 100644 .circleci/github_token diff --git a/.circleci/dynamic_config.yml b/.circleci/dynamic_config.yml index 836d01ea0e..83a0ddc916 100644 --- a/.circleci/dynamic_config.yml +++ b/.circleci/dynamic_config.yml @@ -317,17 +317,9 @@ jobs: steps: - custom_attach_workspace - install_python - - run: - name: Decrypt Credentials - # Note: when changing the image, you might have to re-encrypt the credentials with a - # matching version of openssl. - # See https://stackoverflow.com/a/43847627/2116927 for more info. - command: | - openssl aes-256-cbc -d -in .circleci/github_token -k "${KEY}" -out ~/github_token -md md5 - run: name: Deployment to Snapshot - command: | - yarn admin snapshots --verbose --githubTokenFile=${HOME}/github_token + command: yarn admin snapshots --verbose - fail_fast publish_artifacts: diff --git a/.circleci/github_token b/.circleci/github_token deleted file mode 100644 index 450cb2c93f..0000000000 --- a/.circleci/github_token +++ /dev/null @@ -1 +0,0 @@ -Salted__z"BY|ۍVQֳUzW/GR e}j% <% \ No newline at end of file diff --git a/scripts/snapshots.ts b/scripts/snapshots.ts index 37a97f3b42..46b0f204c6 100644 --- a/scripts/snapshots.ts +++ b/scripts/snapshots.ts 
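Review bot: The `Deployment to Snapshot` step now depends on `SNAPSHOT_BUILDS_GITHUB_TOKEN` being present in the job environment, but nothing in the hunk records where that value comes from, so a reader of this job cannot tell whether it is injected by a CircleCI context or a project-level secret. A one-line comment on the step would keep that visible, e.g. `# Reads SNAPSHOT_BUILDS_GITHUB_TOKEN from the job environment (CircleCI secret, see scripts/snapshots.ts)`. Separately, deleting `.circleci/github_token` does not remove the encrypted blob from git history, so the old token stays decryptable by anyone who holds the former `KEY`; the commit message does not say whether that token was rotated, and rotating it and removing `KEY` from the CI secrets is what actually retires the old credential. The enclosing job definition starts before this hunk.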
@@ -130,7 +130,6 @@ async function _publishSnapshot(
 export interface SnapshotsOptions {
 force?: boolean;
- githubTokenFile?: string;
 githubToken?: string;
 branch?: string;
 }
@@ -151,11 +150,7 @@ export default async function (opts: SnapshotsOptions, logger: logging.Logger) {
 branch = '' + process.env['CIRCLE_BRANCH'];
 }
- const githubToken = (
- opts.githubToken ||
- (opts.githubTokenFile && fs.readFileSync(opts.githubTokenFile, 'utf-8')) ||
- ''
- ).trim();
+ const githubToken = (opts.githubToken || process.env.SNAPSHOT_BUILDS_GITHUB_TOKEN || '').trim();
 if (githubToken) {
 logger.info('Setting up global git name.');
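Review bot: The added line reads `process.env.SNAPSHOT_BUILDS_GITHUB_TOKEN` with dot access while the unchanged context line just above uses `process.env['CIRCLE_BRANCH']`, so the same hunk now mixes both forms; under `noPropertyAccessFromIndexSignature` only the bracket form compiles, so `process.env['SNAPSHOT_BUILDS_GITHUB_TOKEN']` would be the consistent choice. The environment fallback is also invisible from `SnapshotsOptions` in the first hunk, where `githubToken?: string` still reads as the only source; a field comment such as `/** Token used to push snapshots; falls back to the SNAPSHOT_BUILDS_GITHUB_TOKEN environment variable when unset. */` would record it. When neither the option nor the variable is set the token is `''` and the `if (githubToken)` branch is skipped, which presumably turns a missing CI secret into a silent no-op rather than a failed job — a warning log on the else side would make that visible if it is not intended. With `githubTokenFile` gone, the `fs` import may now be unused, but that is outside the hunk and I cannot confirm it. The default export function continues on both sides of the second hunk.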