Use secrets from the context to authenticate with Docker Hub

2025-04-08 03:14:21 +00:00 · 2020-10-22 12:08:30 -04:00 · 2020-10-22 12:08:30 -04:00 · 22921e2b1d
commit 22921e2b1d
parent bc8c2c4689
1 changed files with 48 additions and 53 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -127,9 +127,28 @@ workflows:


 jobs:
-  lint:
+  dockerhub-auth-template:
+    # This isn't a real job.  It doesn't get scheduled as part of any
+    # workhlow.  Instead, it's just a place we can hang a yaml anchor to
+    # finish the Docker Hub authentication configuration.  Workflow jobs using
+    # the DOCKERHUB_CONTEXT anchor will have access to the environment
+    # variables used here.  These variables will allow the Docker Hub image
+    # pull to be authenticated and hopefully avoid hitting and rate limits.
    docker:
-      - image: "circleci/python:2"
+      - image: "null"
+        auth: &DOCKERHUB_AUTH
+          username: $DOCKERHUB_USERNAME
+          password: $DOCKERHUB_PASSWORD
+
+    steps:
+      - run:
+          name: "Schema conformity"
+          command: |
+
+ lint:
+    docker:
+      - <<: *DOCKERHUB_AUTH
+        image: "circleci/python:2"

    steps:
      - "checkout"
@ -146,7 +165,8 @@ jobs:

  pyinstaller:
    docker:
-      - image: "circleci/python:2"
+      - <<: *DOCKERHUB_AUTH
+        image: "circleci/python:2"

    steps:
      - "checkout"
@ -171,7 +191,8 @@ jobs:

  debian-9: &DEBIAN
    docker:
-      - image: "tahoelafsci/debian:9-py2.7"
+      - <<: *DOCKERHUB_AUTH
+        image: "tahoelafsci/debian:9-py2.7"
        user: "nobody"

    environment: &UTF_8_ENVIRONMENT
@ -252,14 +273,16 @@ jobs:
  debian-8:
    <<: *DEBIAN
    docker:
-      - image: "tahoelafsci/debian:8-py2.7"
+      - <<: *DOCKERHUB_AUTH
+        image: "tahoelafsci/debian:8-py2.7"
        user: "nobody"


  pypy27-buster:
    <<: *DEBIAN
    docker:
-      - image: "tahoelafsci/pypy:buster-py2"
+      - <<: *DOCKERHUB_AUTH
+        image: "tahoelafsci/pypy:buster-py2"
        user: "nobody"

    environment:
@ -320,21 +343,24 @@ jobs:
  ubuntu-16-04:
    <<: *DEBIAN
    docker:
-      - image: "tahoelafsci/ubuntu:16.04-py2.7"
+      - <<: *DOCKERHUB_AUTH
+        image: "tahoelafsci/ubuntu:16.04-py2.7"
        user: "nobody"


  ubuntu-18-04: &UBUNTU_18_04
    <<: *DEBIAN
    docker:
-      - image: "tahoelafsci/ubuntu:18.04-py2.7"
+      - <<: *DOCKERHUB_AUTH
+        image: "tahoelafsci/ubuntu:18.04-py2.7"
        user: "nobody"


  python36:
    <<: *UBUNTU_18_04
    docker:
-      - image: "tahoelafsci/ubuntu:18.04-py3"
+      - <<: *DOCKERHUB_AUTH
+        image: "tahoelafsci/ubuntu:18.04-py3"
        user: "nobody"

    environment:
@ -349,13 +375,15 @@ jobs:
  ubuntu-20-04:
    <<: *DEBIAN
    docker:
-      - image: "tahoelafsci/ubuntu:20.04"
+      - <<: *DOCKERHUB_AUTH
+        image: "tahoelafsci/ubuntu:20.04"
        user: "nobody"


  centos-8: &RHEL_DERIV
    docker:
-      - image: "tahoelafsci/centos:8-py2"
+      - <<: *DOCKERHUB_AUTH
+        image: "tahoelafsci/centos:8-py2"
        user: "nobody"

    environment: *UTF_8_ENVIRONMENT
@ -377,21 +405,24 @@ jobs:
  fedora-28:
    <<: *RHEL_DERIV
    docker:
-      - image: "tahoelafsci/fedora:28-py"
+      - <<: *DOCKERHUB_AUTH
+        image: "tahoelafsci/fedora:28-py"
        user: "nobody"


  fedora-29:
    <<: *RHEL_DERIV
    docker:
-      - image: "tahoelafsci/fedora:29-py"
+      - <<: *DOCKERHUB_AUTH
+        image: "tahoelafsci/fedora:29-py"
        user: "nobody"


  nixos-19-09:
    docker:
      # Run in a highly Nix-capable environment.
-      - image: "nixorg/nix:circleci"
+      - <<: *DOCKERHUB_AUTH
+        image: "nixorg/nix:circleci"

    environment:
      NIX_PATH: "nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-19.09-small.tar.gz"
@ -448,7 +479,8 @@ jobs:
    #
    # https://circleci.com/blog/how-to-build-a-docker-image-on-circleci-2-0/
    docker:
-      - image: "docker:17.05.0-ce-git"
+      - <<: *DOCKERHUB_AUTH
+        image: "docker:17.05.0-ce-git"

    environment:
      DISTRO: "tahoelafsci/<DISTRO>:foo-py2"
@ -458,47 +490,10 @@ jobs:
    steps:
      - "checkout"
      - "setup_remote_docker"
-      - run:
-          name: "Get openssl"
-          command: |
-            apk add --no-cache openssl
-      - run:
-          name: "Get Dockerhub secrets"
-          command: |
-            # If you create an encryption key like this:
-            #
-            #   openssl enc -aes-256-cbc -k secret -P -md sha256
-
-            # From the output that looks like:
-            #
-            #  salt=...
-            #  key=...
-            #  iv =...
-            #
-            # extract just the value for ``key``.
-
-            # then you can re-generate ``secret-env-cipher`` locally using the
-            # command:
-            #
-            #   openssl aes-256-cbc -e -md sha256 -in secret-env-plain -out .circleci/secret-env-cipher -pass env:KEY
-            #
-            # Make sure the key is set as the KEY environment variable in the
-            # CircleCI web interface.  You can do this by visiting
-            # <https://circleci.com/gh/tahoe-lafs/tahoe-lafs/edit#env-vars>
-            # after logging in to CircleCI with an account in the tahoe-lafs
-            # CircleCI team.
-            #
-            # Then you can recover the environment plaintext (for example, to
-            # change and re-encrypt it) like just like CircleCI recovers it
-            # here:
-            #
-            openssl aes-256-cbc -d -md sha256 -in .circleci/secret-env-cipher -pass env:KEY >> ~/.env
      - run:
          name: "Log in to Dockerhub"
          command: |
-            . ~/.env
-            # TAHOELAFSCI_PASSWORD come from the secret env.
-            docker login -u tahoelafsci -p ${TAHOELAFSCI_PASSWORD}
+            docker login -u ${DOCKERHUB_USERNAME} -p ${DOCKERHUB_PASSWORD}
      - run:
          name: "Build image"
          command: |