Call git-crypt unlock in CI

AliSoftware · AliSoftware · commit 703d2971eb53 · 2025-11-14T22:27:59.000+01:00
To replace calls to `configure_apply`
diff --git a/.buildkite/commands/diff-merged-manifest.sh b/.buildkite/commands/diff-merged-manifest.sh
@@ -15,7 +15,7 @@ echo "--- :rubygems: Setting up Gems"
 install_gems
 
 echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
+.buildkite/git-crypt/git-crypt-unlock
 
 echo "--- 💾 Diff Merged Manifest (Module: WooCommerce, Build Variant: ${BUILD_VARIANT})"
 comment_with_manifest_diff "WooCommerce" ${BUILD_VARIANT}
diff --git a/.buildkite/commands/gradle-cache-build.sh b/.buildkite/commands/gradle-cache-build.sh
@@ -14,7 +14,7 @@ echo "--- :rubygems: Setting up Gems"
 install_gems
 
 echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
+.buildkite/git-crypt/git-crypt-unlock
 
 echo "--- :hammer_and_wrench: Building"
 ./gradlew assembleWasabiDebug
diff --git a/.buildkite/commands/prototype-build.sh b/.buildkite/commands/prototype-build.sh
@@ -13,7 +13,7 @@ echo "--- :rubygems: Setting up Gems"
 install_gems
 
 echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
+.buildkite/git-crypt/git-crypt-unlock
 
 echo "--- :hammer_and_wrench: Building ${APP_TO_BUILD}"
 bundle exec fastlane build_and_upload_prototype_build app:"${APP_TO_BUILD}"
diff --git a/.buildkite/commands/release-build.sh b/.buildkite/commands/release-build.sh
@@ -6,7 +6,7 @@ echo "--- :rubygems: Setting up Gems"
 install_gems
 
 echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
+.buildkite/git-crypt/git-crypt-unlock
 
 echo "--- :hammer_and_wrench: Building ${APP_TO_BUILD}"
 bundle exec fastlane build_and_upload_google_play app:"${APP_TO_BUILD}"
diff --git a/.buildkite/commands/run-instrumented-tests.sh b/.buildkite/commands/run-instrumented-tests.sh
@@ -12,7 +12,7 @@ echo "--- :rubygems: Setting up Gems"
 install_gems
 
 echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
+.buildkite/git-crypt/git-crypt-unlock
 
 echo "--- 🧪 Testing"
 set +e
diff --git a/.buildkite/commands/run-unit-tests.sh b/.buildkite/commands/run-unit-tests.sh
@@ -12,7 +12,7 @@ echo "--- :rubygems: Setting up Gems"
 install_gems
 
 echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
+.buildkite/git-crypt/git-crypt-unlock
 
 echo "+++ 🧪 Testing"
 set +e
diff --git a/.buildkite/git-crypt/Dockerfile b/.buildkite/git-crypt/Dockerfile
@@ -0,0 +1,21 @@
+FROM alpine:edge
+
+ENV VERSION=0.8.0
+
+RUN apk --update add \
+   bash \
+   curl \
+   git \
+   g++ \
+   make \
+   openssh \
+   openssl \
+   openssl-dev \
+   && rm -rf /var/cache/apk/*
+
+RUN curl -L https://github.com/AGWA/git-crypt/archive/$VERSION.tar.gz | tar zxv -C /var/tmp
+RUN cd /var/tmp/git-crypt-$VERSION && make && make install PREFIX=/usr/local
+
+WORKDIR /repo
+VOLUME /repo
+CMD ["/bin/bash"]
diff --git a/.buildkite/git-crypt/git-crypt-unlock b/.buildkite/git-crypt/git-crypt-unlock
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [ -z "$GIT_CRYPT_ENCRYPTION_KEY" ]; then
+  echo "GIT_CRYPT_ENCRYPTION_KEY is not set"
+  exit 1
+fi
+
+echo "Building Docker image..."
+docker build --quiet -t git-crypt:0.8.0 "$(dirname "${BASH_SOURCE[0]}")"
+
+echo "🔓 Decrypting repository..."
+repo_root=$(git rev-parse --show-toplevel)
+key_file=.git/git-crypt/keys/default
+mkdir -p "$(dirname "${repo_root}"/"${key_file}")"
+echo "${GIT_CRYPT_ENCRYPTION_KEY}" | base64 -d >"${repo_root}/${key_file}"
+docker run --rm -v "${repo_root}":/repo git-crypt:0.8.0 git-crypt unlock "/repo/${key_file}"
+echo "✅ git-crypt unlocked"
diff --git a/.buildkite/release-pipelines/download-release-translations.yml b/.buildkite/release-pipelines/download-release-translations.yml
@@ -13,6 +13,9 @@ steps:
       echo '--- :ruby: Setup Ruby Tools'
       install_gems
 
+      echo '--- :closed_lock_with_key: Installing Secrets'
+      .buildkite/git-crypt/git-crypt-unlock
+
       echo '--- :globe_with_meridians: Download Release Translations'
       bundle exec fastlane download_release_translations skip_confirm:true include_wear_app:"${INCLUDE_WEAR_APP:-false}"
     agents:
diff --git a/.buildkite/release-pipelines/finalize-release.yml b/.buildkite/release-pipelines/finalize-release.yml
@@ -13,6 +13,9 @@ steps:
       echo '--- :ruby: Setup Ruby Tools'
       install_gems
 
+      echo '--- :closed_lock_with_key: Installing Secrets'
+      .buildkite/git-crypt/git-crypt-unlock
+
       echo '--- :shipit: Finalize Release'
       bundle exec fastlane finalize_release skip_confirm:true include_wear_app:"${INCLUDE_WEAR_APP:-false}"
     agents:
diff --git a/fastlane/Fastfile b/fastlane/Fastfile
@@ -458,8 +458,6 @@ platform :android do
     UI.important("Downloading latest translations for release: #{release_version_current}")
     UI.user_error!("Terminating as requested. Don't forget to run the remainder of this automation manually.") unless skip_confirm || UI.confirm('Do you want to continue?')
 
-    configure_apply(force: is_ci)
-
     # Don't check translation coverage in CI
     check_translation_progress_all unless is_ci
     download_translations
@@ -493,8 +491,6 @@ platform :android do
     UI.important("Finalizing release: #{release_version_current}")
     UI.user_error!("Terminating as requested. Don't forget to run the remainder of this automation manually.") unless skip_confirm || UI.confirm('Do you want to continue?')
 
-    configure_apply(force: is_ci)
-
     # Bump the release version and build code
     UI.message 'Bumping final release version and build code...'
     VERSION_FILE.write_version(
