From 3c119f14b22c7b6ec7bade0438e78186946da6e2 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Thu, 5 May 2022 17:53:33 +0200
Subject: [PATCH] ci-automation: Fix secret file handling

It can't be done in a subshell, because the file will be gone after subshell quits.
---
 ci-automation/ci_automation_common.sh | 17 +++++++++++++----
 ci-automation/vendor-testing/digitalocean.sh | 3 ++-
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/ci-automation/ci_automation_common.sh b/ci-automation/ci_automation_common.sh
index 35a9c93bc5..3a21f177da 100644
--- a/ci-automation/ci_automation_common.sh
+++ b/ci-automation/ci_automation_common.sh
@@ -275,17 +275,26 @@ function url_from_template() {
 # --
 # Puts a secret into a file, while trying for the secret to not end up
-# on a filesystem at all. Prints a path to a file with the secret in
-# /proc.
+# on a filesystem at all. A path to the file with the secret in
+# /proc in put into the chosen variable.
+#
+# Typical use:
+# secret_file=''
+# secret_to_file secret_file "${some_secret}"
+#
+# Parameters:
+# 1 - name of the variable where the path is stored
+# 2 - the secret to store in the file
 function secret_to_file() {
+ local config_var_name="${1}"; shift
 local secret="${1}"; shift
 local tmpfile=$(mktemp)
+ local -n config_ref="${config_var_name}"
 local fd
 exec {fd}<>"${tmpfile}"
 rm -f "${tmpfile}"
 echo "${secret}" >&${fd}
-
- echo "/proc/${$}/fd/${fd}"
+ config_ref="/proc/${$}/fd/${fd}"
 }
 # --
diff --git a/ci-automation/vendor-testing/digitalocean.sh b/ci-automation/vendor-testing/digitalocean.sh
index a8d870bd14..3ca82ac2e4 100755
--- a/ci-automation/vendor-testing/digitalocean.sh
+++ b/ci-automation/vendor-testing/digitalocean.sh
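Review bot: The path assigned at the end of secret_to_file still uses `${$}`, which stays the top-level shell's PID inside `( ... )` groups, pipelines and background jobs, so a call from any such context would return a path into the wrong process's descriptor table; `config_ref="/proc/${BASHPID}/fd/${fd}"` names the process that actually holds the descriptor. The nameref also breaks when the caller's variable is itself called `config_ref`, `config_var_name`, `secret`, `tmpfile` or `fd`, because the function's locals shadow the target; the header comment should state that restriction, or the locals should get a prefix unlikely to clash. The header comment could further note that the descriptor is never closed, so the secret stays readable through /proc for the life of the shell and is inherited by every child process started afterwards, not only by the tool that needs it.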
@@ -25,7 +25,8 @@ fi image_name="ci-${CIA_VERNUM//+/-}" image_url="$(url_from_template "${DIGITALOCEAN_IMAGE_URL_TEMPLATE}" "${CIA_ARCH}" "${CIA_CHANNEL}" 'https' "${CIA_VERNUM}")" -config_file="$(secret_to_file "${DIGITALOCEAN_TOKEN_JSON}")" +config_file='' +secret_to_file config_file "${DIGITALOCEAN_TOKEN_JSON}" ore do create-image \ --config-file="${config_file}" \