Google Git
Sign in
bazel / continuous-integration / 5e3998f2cfbee59f9290447c45c78eea4008f8e5^! / . / buildkite / bazelci.py
commit5e3998f2cfbee59f9290447c45c78eea4008f8e5[log] [tgz]
authorChi Wang <chiwang@google.com>Wed May 10 11:51:02 2023 +0000
committerGitHub <noreply@github.com>Wed May 10 13:51:02 2023 +0200
tree8cf956c589ded9a512575c033490ecbde2275ec3
parentaf6d5b133d57c3a0f268b8ba5302a63d59ea9062 [diff] [blame]
Decode Test Analytics token before running tests (#1656)

so that bazelci-agent can upload test results to Test Analytics.

Tokens can be acquired from Buildkite's Test Suite and are different for
every Test Suite. We want to supply the token when configuring the
pipelines with Terraform which mean we need to check in the token. We
need to encrypt the token first with command:

```
echo TOKEN | gcloud kms encrypt --project bazel-untrusted --location global --keyring buildkite --key buildkite-untrusted-api-token --ciphertext-file=- --plaintext-file=- | base64
```

The encrypted token can then be checked in with Terraform with env
`ENCRYPTED_BUILDKITE_ANALYTICS_TOKEN`.

This CL allows BazelCI to decrypt the token if is set, before running
the tests.

Working towards Test Analytics integration.
diff --git a/buildkite/bazelci.py b/buildkite/bazelci.py
index 216c90f..f187685 100755
--- a/buildkite/bazelci.py
+++ b/buildkite/bazelci.py

@@ -914,7 +914,7 @@
         return build_info
 
 
-def decrypt_token(encrypted_token, kms_key):
+def decrypt_token(encrypted_token, kms_key, project="bazel-untrusted"):
     return (
         subprocess.check_output(
             [
@@ -922,7 +922,7 @@
                 "kms",
                 "decrypt",
                 "--project",
-                "bazel-untrusted",
+                project,
                 "--location",
                 "global",
                 "--keyring",
@@ -1412,6 +1412,23 @@
                 os.makedirs(bazelisk_cache_dir, mode=0o755, exist_ok=True)
                 test_flags.append("--sandbox_writable_path={}".format(bazelisk_cache_dir))
 
+            # Set BUILDKITE_ANALYTICS_TOKEN so that bazelci-agent can upload test results to Test Analytics
+            if "ENCRYPTED_BUILDKITE_ANALYTICS_TOKEN" in os.environ:
+                if THIS_IS_TESTING:
+                    kms_key = "buildkite-testing-api-token"
+                    project = "bazel-untrusted"
+                elif THIS_IS_TRUSTED:
+                    kms_key = "buildkite-trusted-api-token"
+                    project = "bazel-public"
+                else:
+                    kms_key = "buildkite-untrusted-api-token"
+                    project = "bazel-untrusted"
+                os.environ["BUILDKITE_ANALYTICS_TOKEN"] = decrypt_token(
+                    encrypted_token=os.environ["ENCRYPTED_BUILDKITE_ANALYTICS_TOKEN"],
+                    kms_key=kms_key,
+                    project=project,
+                )
+
             test_bep_file = os.path.join(tmpdir, "test_bep.json")
             upload_thread = threading.Thread(
                 target=upload_test_logs_from_bep,