ci: Use ci-fairy minio login via token file

For every CI job, put JWT content into a file and unset CI_JOB_JWT environment var ======= * virgl jobs: - Share JWT token file to crosvm instance - Keep using `export -p` due to high complexity in the scripts of these jobs. At least, the CI_JOB_JWT will not be leaked, since it is being unset at the `before_script` phase of each Mesa CI job. * iris jobs: Update lava_job_submitter to take token file as argument - generate-env with CI_JOB_JWT_TOKEN_FILE - create token file during baremetal init stage * baremetal jobs: Copy token file to bare-metal NFS Signed-off-by: Guilherme Gallo <guilherme.gallo@collabora.com> Reviewed-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/14004>
2021-12-02 10:13:10 -03:00
parent cdf8a14bff
commit dabc068e6c
11 changed files with 80 additions and 30 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -16,6 +16,22 @@ variables:
  # running on a particular CI farm (ie. for outages, etc):
  FD_FARM: "online"

+default:
+  before_script:
+    - echo -e "\e[0Ksection_start:$(date +%s):unset_env_vars_section[collapsed=true]\r\e[0KUnsetting vulnerable environment variables"
+    - export CI_JOB_JWT_FILE="${CI_JOB_JWT_FILE:-$(mktemp)}"
+    - echo -n "${CI_JOB_JWT}" > "${CI_JOB_JWT_FILE}"
+    - unset CI_JOB_JWT
+    - echo -e "\e[0Ksection_end:$(date +%s):unset_env_vars_section\r\e[0K"
+
+  after_script:
+    - >
+      set +x
+
+      test -e "${CI_JOB_JWT_FILE}" &&
+      export CI_JOB_JWT="$(<${CI_JOB_JWT_FILE})" &&
+      rm "${CI_JOB_JWT_FILE}"
+
 include:
  - project: 'freedesktop/ci-templates'
    ref: 34f4ade99434043f88e164933f570301fd18b125