Remove more secrets from drone #73554
Merged
Conversation
…alues for CI, DTT and Development
sureshc
reviewed
Jun 30, 2026
| puma_control_server_token: !Secret | ||
| redshift_cluster_id: !Secret | ||
| device_farm_desktop_project_arn: !Secret | ||
| device_farm_desktop_project_arn: 'DTT Project ARN to be inserted after code review' |
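Review bot: the added value 'DTT Project ARN to be inserted after code review' is a human-readable placeholder that whatever reads device_farm_desktop_project_arn will treat as a real ARN, and nothing in this hunk fails loudly if it is merged unchanged. Either keep the key as a !Secret until the real value lands, or switch to the bare project id now and have device_farm.rb validate the format before it is used.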
Contributor
ARN's contain an AWS Account ID, which is not super sensitive, but we typically avoid committing to our repository or disclosing publicly. Can we maybe store just the Device Farm project id and then build the ARN from that, substituting in the Region and Account ID with Ruby code?
sureshc
reviewed
Jun 30, 2026
| cloudfront_private_key: "<%= ENV['CLOUDFRONT_PRIVATE_KEY'] %>" | ||
| contentful_cs_for_all_access_token: <%= ENV['CONTENTFUL_CS_FOR_ALL_ACCESS_TOKEN'] %> | ||
| device_farm_desktop_project_arn: <%= ENV['DEVICE_FARM_DESKTOP_PROJECT_ARN'] %> | ||
| device_farm_desktop_project_arn: 'CI Project ARN to be inserted after code review' |
Contributor
same comment as above about preferring to avoid disclosing our AWS Account IDs.
The desktop TestGrid ARN embedded the AWS account id, so it was checked in as a secret. Replace it with device_farm_desktop_project_id (the bare project UUID, not secret) and assemble the full ARN at runtime in project_arn_for from the region and the executing account id (EC2 metadata, STS fallback) -- mirroring AiDiffBedrockHelper.account_id. The account id differs between the prod account (DTT/development) and the codeorg-dev account (CI), so it resolves per-environment. Mobile ARN is unchanged (still secret); converting it is future work.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
davidsbailey
commented
Jun 30, 2026
Comment on lines +208 to +216
| # AWS account id of the compute resource we're executing in, used to build | ||
| # Device Farm ARNs without exposing the account id. Prefer EC2 instance | ||
| # metadata (DTT runs on chef-managed test instances, CI on drone workers), | ||
| # falling back to STS for off-instance callers such as a developer laptop | ||
| # with assumed-role credentials. Raises if neither source yields an account. | ||
| def self.account_id | ||
| @account_id ||= AWS::EC2.account_id || | ||
| ::Aws::STS::Client.new(region: REGION).get_caller_identity.account | ||
| end |
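Review bot: the comment says account_id "raises if neither source yields an account", but there is no explicit raise in the method; the only failure path is get_caller_identity throwing an SDK error when credentials are absent, which surfaces as a credential error rather than the documented one. Suggest ending the method with an explicit guard such as `raise 'unable to determine AWS account id' unless @account_id` (or a 12-digit format check) so a nil or malformed id can never be interpolated into a Device Farm ARN.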
Member
Author
I could take or leave the memoization, but we do need the fallback logic because it needs to work in local development:
[development] dashboard > AWS::EC2.account_id
=> nil
[development] dashboard > ::Aws::STS::Client.new(region: 'us-west-2').get_caller_identity.account
=> "..."
sureshc
approved these changes
Jun 30, 2026
Background
We are trying to remove secrets from Drone. For background, see remove drone secrets proposal.
Secrets are passed to Drone via the following steps:
Description
This PR whittles away at Drone secret usage in the following ways:
- Convert CDO.device_farm_desktop_project_arn to CDO.device_farm_desktop_project_id, and store it in the public repo. The AWS account ID is inserted into the ARN programmatically in device_farm.rb.
Testing story
- @cloudfront_key scenarios in dance_party.feature and mix_move_ai.feature being skipped
- test system that AWS account ID lookup works via:
Deployment notes
- Remove device_farm_desktop_project_arn from AWS Secrets Manager
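The runtime ARN assembly described above, as an added example that is not the dashboard repo's own device_farm.rb: a non-secret project id plus an account id resolved from an ordered list of sources (in production those would be EC2 instance metadata and STS; here they are constructed stubs so the code runs offline). It assumes Device Farm project ids are UUIDs and that the region is always us-west-2.

```ruby
# Added example, not code from the PR. Builds a Device Farm project ARN at
# runtime so the AWS account id never has to be committed to the repo.
module DeviceFarmArn
  REGION = 'us-west-2'.freeze # assumption: Device Farm is only used in us-west-2
  ACCOUNT_ID_RE = /\A\d{12}\z/
  PROJECT_ID_RE = /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i

  class AccountIdUnavailable < StandardError; end

  # Try each source in order (e.g. EC2 metadata, then STS) and return the first
  # 12-digit account id. Raises explicitly instead of returning nil so a missing
  # account can never be interpolated into an ARN.
  def self.resolve_account_id(sources)
    sources.each do |source|
      id = begin
        source.call
      rescue StandardError
        nil # a failing source (no metadata endpoint, no credentials) is skipped
      end
      return id if id.is_a?(String) && id.match?(ACCOUNT_ID_RE)
    end
    raise AccountIdUnavailable, 'no source yielded a 12-digit AWS account id'
  end

  # arn:aws:devicefarm:REGION:ACCOUNT:project:PROJECT_ID from the public project
  # id and the resolved account id. Rejects placeholders and malformed values.
  def self.project_arn_for(project_id, account_id)
    raise ArgumentError, "not a Device Farm project id: #{project_id.inspect}" unless project_id.to_s.match?(PROJECT_ID_RE)
    raise ArgumentError, "not an AWS account id: #{account_id.inspect}" unless account_id.to_s.match?(ACCOUNT_ID_RE)
    "arn:aws:devicefarm:#{REGION}:#{account_id}:project:#{project_id}"
  end
end

# Constructed sample sources: off-instance, so metadata yields nil and STS answers.
EC2_METADATA_STUB = -> { nil }
STS_STUB = -> { '123456789012' }
SAMPLE_PROJECT_ID = '1f2e3d4c-5b6a-4987-8abc-0123456789ab' # constructed, not a real project

if $PROGRAM_NAME == __FILE__
  account = DeviceFarmArn.resolve_account_id([EC2_METADATA_STUB, STS_STUB])
  puts DeviceFarmArn.project_arn_for(SAMPLE_PROJECT_ID, account)
end
```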