Switch from using GOV.UK Jenkins to Travis #267
Conversation
|
I've deleted the webhook and disabled the Jenkins job. |
alexmuller
force-pushed
the
switch-jenkins-to-travis
branch
5 times, most recently
from
9bea3c5 to
9db368c
Compare
|
Yay, it's working now I think. Had some trouble with encrypting multiple files for a while. |
alexmuller
force-pushed
the
switch-jenkins-to-travis
branch
from
9db368c to
7a0c95a
Compare
alexmuller
changed the title
|
Add "DO NOT MERGE" so that this stops notifying my team's Slack until somebody is ready to review it. |
.travis.yml
Outdated
| global: | ||
| - secure: "gxjwgl9l9ZP/1t86odZyMzWyiVBkG1oFzeL+Kb6z9Dtfu954l9RbytlenTTcnRw1KtaDBZVBs0ix3K45b8T2S6JFzLQ88Z/36DmXGIN6vxctfnVD9sqbbyOuP++RhibK+qUqbPRHo6a3wBsMQ87DMj5S6pJe3dxbCKRXa8zcMd0=" | ||
| before_install: | ||
| - openssl aes-256-cbc -K $encrypted_df4ab1bff570_key -iv $encrypted_df4ab1bff570_iv -in .travis/secrets.tar.enc -out .travis/secrets.tar -d |
There was a problem hiding this comment.
This will need to move the deploy steps from before_install to before_deploy, as ENV vars won't be available when running CI for forked PRs, which are common on this repo.
There was a problem hiding this comment.
Turns out before_deploy is run per deploy provider, and running this setup twice will cause an error, as we discovered on govuk_elements.
The most reliable way to limit decryption to situations where deployment is required is using if [ "$TRAVIS_PULL_REQUEST_BRANCH" = "master" ];, but this may not work well for multi-liners. See alphagov/govuk_elements#415.
.travis.yml
Outdated
| - tar xvf .travis/secrets.tar | ||
| - mkdir -p ~/.gem/ | ||
| - mv secrets/gem_credentials ~/.gem/credentials | ||
| - mv secrets/npmrc ~/.npmrc |
There was a problem hiding this comment.
I can't see the decrypted version of npmrc, but I suspect it might have the same npm v1 vs v2 issue as in alphagov/govuk_frontend_toolkit_npm#16 (comment).
This project isn't owned by GOV.UK Publishing anymore so it needs to stop using Jenkins to publish changes. Ideally I'd use a deploy key for this, but it turns out that you can't attach the same deploy key to more than one repo. This means that we're going to use a GitHub token attached to the govuk-ci user - this should be moved to a different user in the future. To make that happen: - Add the personal access token as a secure Heroku env var - Change the Git URLs to push over HTTPS, not SSH The gem_publisher gem expects there to be a file at `.gem/credentials`. I've encrypted that file for Travis and added that file to the Travis worker. Same deal for the `npm publish` command. It turns out you can only encrypt one file at a time which means that we need to create a tar archive and then move things around afterwards which is a little bit horrible. In order to do this I made a secrets directory and added 2 files: gem_credentials: ``` --- :rubygems_api_key: redacted ``` npmrc: ``` _auth = redacted email = [email protected] ``` And then ran: ``` tar cvf secrets.tar secrets/npmrc secrets/gem_credentials ``` And encrypted that file following these docs: https://docs.travis-ci.com/user/encrypting-files/
This copies the before_install step into a new script deploy provider.
This is the default for Ruby projects. Travis will run bundle install --jobs=3 --retry=3 by default when a Gemfile is found in the project’s root directory.
Caching the bundle between builds drastically reduces the time a build takes to run.
gemmaleigh
force-pushed
the
switch-jenkins-to-travis
branch
from
7a0c95a to
19b715d
Compare
| env: | ||
| global: | ||
| - secure: "gxjwgl9l9ZP/1t86odZyMzWyiVBkG1oFzeL+Kb6z9Dtfu954l9RbytlenTTcnRw1KtaDBZVBs0ix3K45b8T2S6JFzLQ88Z/36DmXGIN6vxctfnVD9sqbbyOuP++RhibK+qUqbPRHo6a3wBsMQ87DMj5S6pJe3dxbCKRXa8zcMd0=" | ||
| before_install: |
There was a problem hiding this comment.
I think both of these commands were specific to how Jenkins worked, and we shouldn't need them for Travis.
| - echo "Not running Travis installation" | ||
| env: | ||
| global: | ||
| - secure: "gxjwgl9l9ZP/1t86odZyMzWyiVBkG1oFzeL+Kb6z9Dtfu954l9RbytlenTTcnRw1KtaDBZVBs0ix3K45b8T2S6JFzLQ88Z/36DmXGIN6vxctfnVD9sqbbyOuP++RhibK+qUqbPRHo6a3wBsMQ87DMj5S6pJe3dxbCKRXa8zcMd0=" |
There was a problem hiding this comment.
Could we add a comment to show what gets set here? I'm assuming it's the GH_TOKEN env variable, but it's not obvious from the Travis file alone.
dsingleton
changed the title
Should move from Otherwise, i think we're happy with the changes and the next step is to merge and test the various deployment setup/providers - as we have with other repos. |
Add information about the contents of this folder and how to update it.
Update the `npmrc` file to use the NPM v2+ auth format. See: https://docs.travis-ci.com/user/deployment/npm/ The NPM 2+ format looks like: ``` //registry.npmjs.org/:_authToken=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX ``` The rubygems auth/API key should not have changed.
gemmaleigh
force-pushed
the
switch-jenkins-to-travis
branch
from
264ec10 to
b43c1e2
Compare
This project isn't owned by GOV.UK Publishing anymore so it needs to stop using Jenkins to publish changes.
Ideally I'd use a deploy key for this, but it turns out that you can't attach the same deploy key to more than one repo. This means that we're going to use a GitHub token attached to the govuk-ci user - this should be moved to a different user in the future. To make that happen:
The gem_publisher gem expects there to be a file at
.gem/credentials. I've encrypted that file for Travis and added that file to the Travis worker.Same deal for the npm publish step.