BUILD-2179 Use Vault

Co-authored-by: Tom <thomas.verin@sonarsource.com>

.cirrus.yml

@@ -1,10 +1,14 @@
 gcp_credentials: ENCRYPTED[!149d4005ecdba4cdd78bb5ba22756ebb98bf8e3367ee2e9ab08c5a1608c0d3e3b501904b67a1d67c0b63085e469d7dde!]
 
 env:
-  GITHUB_TOKEN: ENCRYPTED[!f458126aa9ed2ac526f220c5acb51dd9cc255726b34761a56fc78d4294c11089502a882888cef0ca7dd4085e72e611a5!]
-  SONAR_TOKEN: ENCRYPTED[!4e5894b7b32f763db69e70fb56188d3f42539db36374b1f97c425f37a7ecd441c28a9da267c461b9cc8fb53124f14c22!]
-  REPOX_CLI_CONFIG_QA_DEPLOYER: ENCRYPTED[!07d065a3727e6f270943618078b68718ff229941f1133c92e587f8e258c086f50f61a75f99496a8b2d7045da177b3ad1!]
-  REPOX_CLI_CONFIG_BUILD_PROMOTER: ENCRYPTED[!a4c9e5455d42b4395387b7489c47bb4c70e85cae5641b77b3b7e53b68ae57bc7b2e591ca4dd640138e15551f2915b08f!]
+  CIRRUS_VAULT_URL: https://vault.sonar.build:8200
+  CIRRUS_VAULT_AUTH_PATH: jwt-cirrusci
+  CIRRUS_VAULT_ROLE: cirrusci-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}
+
+  SONAR_TOKEN: VAULT[development/kv/data/sonarcloud data.token]
+  ARTIFACTORY_URL: https://repox.jfrog.io/
+  ARTIFACTORY_DEPLOY_ACCESS_TOKEN : VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
+  ARTIFACTORY_PROMOTE_ACCESS_TOKEN : VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promoter access_token]
   # Use bash (instead of sh on linux or cmd.exe on windows)
   CIRRUS_SHELL: bash
 
@@ -33,9 +37,9 @@ build_task:
     CIRRUS_CLONE_DEPTH: 10
     SONARSOURCE_QA: true
   script:
-    - jfrog config import $REPOX_CLI_CONFIG_QA_DEPLOYER
+    - jfrog config add repox --url $ARTIFACTORY_URL --access-token $ARTIFACTORY_DEPLOY_ACCESS_TOKEN
     - jfrog rt npm-config --repo-resolve npm --repo-deploy sonarsource-npm-public-qa
-    - init_git_submodules -r
+    - git submodule update --init --depth 1 -r
     - jfrog rt npm-ci
     - npm run typecheck
     - npm run build
@@ -56,7 +60,7 @@ ws_scan_task:
   # run only on master and long-term branches
   only_if: $CIRRUS_USER_COLLABORATOR == 'true' && ($CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*")
   env:
-    WS_APIKEY: ENCRYPTED[!3929c6148b9dfc751a2d17c590b15d755f82cd9c108f2de5f24a5b32f2a0c26144e921fab7e2c959fc2824d6d6d1550d!]
+    WS_APIKEY: VAULT[development/kv/data/mend data.apikey]
   maven_cache:
     folder: ${CIRRUS_WORKING_DIR}/.m2/repository
   whitesource_script:

.github/workflows/release.yml

@@ -1,9 +1,9 @@
-on: 
+on:
   release:
     types:
       - published
 
-jobs:  
+jobs:
   publish:
     runs-on: ubuntu-latest
     env:
@@ -12,26 +12,39 @@ jobs:
       NPM_REPOSITORY: "sonarsource-npm-public"
       SCOPE: ""
       PACKAGE: "eslint-plugin-sonarjs"
-    steps:  
-      - name: Setup JFrog CLI
-        uses: jfrog/setup-jfrog-cli@v2
-        env:
-          JF_ENV_1: ${{ secrets.REPOX_CLI_CONFIG_QA_DEPLOYER_LT }}
+    steps:
+      - name: Vault
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@d1c1ab4ca5ad07fd9cdfe1eff038a39673dfca64  # tag=2.4.2-1
+        with:
+          url: ${{ inputs.vaultAddr }}
+          secrets:
+            development/artifactory/token/{REPO_OWNER_NAME_DASH}-qa-deployer access_token  | qa_deployer_access_token;
+            development/artifactory/token/{REPO_OWNER_NAME_DASH}-promoter access_token  | promoter_access_token;
+            development/kv/data/npmjs sonartech_npm_token  | npm_token;
+      - name: Setup JFrog for deploy
+        uses: SonarSource/jfrog-setup-wrapper@eb712d76540e5d1f3756303f30387657fb204e52  # tag=2.4.1-1
+        with:
+          jfrogAccessToken: ${{ fromJSON(steps.secrets.outputs.vault).qa_deployer_access_token }}
       - uses: actions/checkout@v1
       - uses: actions/setup-node@v1
         with:
-          node-version: 12      
-      - run: mv .github/workflows/.npmrc .npmrc       
-      - name: Publish npm package            
+          node-version: 12
+      - run: mv .github/workflows/.npmrc .npmrc
+      - name: Publish npm package
         env:
-          NPM_TOKEN: ${{ secrets.SONARTECH_NPM_TOKEN }}
-          REPOX_CLI_CONFIG_BUILD_PROMOTER_LT: ${{ secrets.REPOX_CLI_CONFIG_BUILD_PROMOTER_LT }}
+          NPM_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).npm_token }}
         run: |
           jfrog rt npm-config --repo-resolve npm --repo-deploy sonarsource-npm-public-qa
-          jfrog rt npm-ci          
+          jfrog rt npm-ci
           npm publish
           jfrog rt npm-publish --build-name=eslint-plugin-sonarjs --build-number=${{ github.event.release.tag_name }}
           jfrog rt build-publish eslint-plugin-sonarjs ${{ github.event.release.tag_name }}
-          jfrog config import $REPOX_CLI_CONFIG_BUILD_PROMOTER_LT
+      - name: Setup JFrog for promotion
+        uses: SonarSource/jfrog-setup-wrapper@eb712d76540e5d1f3756303f30387657fb204e52  # tag=2.4.1-1
+        with:
+          jfrogAccessToken: ${{ fromJSON(steps.secrets.outputs.vault).promoter_access_token }}
+      - name: Promote npm package
+        run: |
           jfrog rt bpr --status it-passed eslint-plugin-sonarjs ${{ github.event.release.tag_name }} sonarsource-npm-public-builds
           jfrog rt bpr --status released eslint-plugin-sonarjs ${{ github.event.release.tag_name }} sonarsource-npm-public-releases

scripts/analyze_and_publish.sh

@@ -23,6 +23,6 @@ jfrog rt npm-publish --build-name=eslint-plugin-sonarjs --build-number=$BUILD_NU
 jfrog rt build-publish eslint-plugin-sonarjs $BUILD_NUMBER
 #QA tests could be run now to validate the artifacts and on success we promote.
 #configure jfrog cli to be able to promote build
-jfrog config import $REPOX_CLI_CONFIG_BUILD_PROMOTER
-#promote form QA to public builds
-jfrog rt bpr --status it-passed eslint-plugin-sonarjs $BUILD_NUMBER sonarsource-npm-public-builds
+jfrog config edit repox --url $ARTIFACTORY_URL --access-token $ARTIFACTORY_PROMOTE_ACCESS_TOKEN
+#promote from QA to public builds
+jfrog rt bpr --status it-passed eslint-plugin-sonarjs $BUILD_NUMBER sonarsource-npm-public-builds