Skip to content

Remove more secrets from drone#73554

Merged
davidsbailey merged 7 commits into
stagingfrom
remove-some-secrets-from-drone
Jun 30, 2026
Merged

Remove more secrets from drone#73554
davidsbailey merged 7 commits into
stagingfrom
remove-some-secrets-from-drone

Conversation

@davidsbailey

@davidsbailey davidsbailey commented Jun 29, 2026

Copy link
Copy Markdown
Member

Background

We are trying to remove secrets from Drone. For background, see remove drone secrets proposal.

Secrets are passed to Drone via the following steps:

Description

This PR whittles away at Drone secret usage in the following ways:

  • stop providing any secrets to the drone unit test container, which already does not depend on any secrets
  • stop providing cloudfront key to ui test container, and skip any UI tests which depend on it in CI
  • UPDATED: extract non-secret project id from CDO.device_farm_desktop_project_arn to CDO.device_farm_desktop_project_id, and store it in the public repo. the AWS account ID is inserted into the ARN programmatically in device_farm.rb

Testing story

  • All unit tests ran and passed in drone
  • UI test run is passing in CI with @cloudfront_key scenarios in dance_party.feature and mix_move_ai.feature being skipped
  • passing Drone run verifies Device Farm config changes in CI
  • verified that I can still run UI tests locally against device farm via:
bundle exec ./runner.rb --device-farm -c Chrome -f features/foundations/markdown_rendering.feature --html
  • verified on the managed test system that AWS account ID lookup works via:
[test] dashboard > AWS::EC2.account_id

Deployment notes

  • during DTT, keep an eye on Chrome, Firefox, and Eyes tests, since Device Farm has not been verified end-to-end in that environment yet
  • after DTT, remove device_farm_desktop_project_arn from AWS Secrets Manager
  • after DTT, remove cloudfront keys and DEVICE_FARM_DESKTOP_PROJECT_ARN from drone settings page: https://drone.cdn-code.org/code-dot-org/code-dot-org/settings

@davidsbailey davidsbailey force-pushed the remove-some-secrets-from-drone branch from 8b0e14a to 87f66c3 Compare June 30, 2026 17:33
@davidsbailey davidsbailey force-pushed the remove-some-secrets-from-drone branch from 87f66c3 to 37a4f49 Compare June 30, 2026 17:34
@davidsbailey davidsbailey marked this pull request as ready for review June 30, 2026 17:37
@davidsbailey davidsbailey requested a review from a team as a code owner June 30, 2026 17:37
Comment thread config/test.yml.erb Outdated
puma_control_server_token: !Secret
redshift_cluster_id: !Secret
device_farm_desktop_project_arn: !Secret
device_farm_desktop_project_arn: 'DTT Project ARN to be inserted after code review'

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ARN's contain an AWS Account ID, which is not super sensitive, but we typically avoid committing to our repository or disclosing publicly. Can we maybe store just the Device Farm project id and then build the ARN from that, substituting in the Region and Account ID with Ruby code?

Comment thread config/test.yml.erb Outdated
cloudfront_private_key: "<%= ENV['CLOUDFRONT_PRIVATE_KEY'] %>"
contentful_cs_for_all_access_token: <%= ENV['CONTENTFUL_CS_FOR_ALL_ACCESS_TOKEN'] %>
device_farm_desktop_project_arn: <%= ENV['DEVICE_FARM_DESKTOP_PROJECT_ARN'] %>
device_farm_desktop_project_arn: 'CI Project ARN to be inserted after code review'

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same comment as above about preferring to avoid disclosing our AWS Account IDs.

The desktop TestGrid ARN embedded the AWS account id, so it was checked
in as a secret. Replace it with device_farm_desktop_project_id (the bare
project UUID, not secret) and assemble the full ARN at runtime in
project_arn_for from the region and the executing account id (EC2
metadata, STS fallback) -- mirroring AiDiffBedrockHelper.account_id. The
account id differs between the prod account (DTT/development) and the
codeorg-dev account (CI), so it resolves per-environment.

Mobile ARN is unchanged (still secret); converting it is future work.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment on lines +208 to +216
# AWS account id of the compute resource we're executing in, used to build
# Device Farm ARNs without exposing the account id. Prefer EC2 instance
# metadata (DTT runs on chef-managed test instances, CI on drone workers),
# falling back to STS for off-instance callers such as a developer laptop
# with assumed-role credentials. Raises if neither source yields an account.
def self.account_id
@account_id ||= AWS::EC2.account_id ||
::Aws::STS::Client.new(region: REGION).get_caller_identity.account
end

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could take or leave the memoization, but we do need the fallback logic because it needs to work in local development:

[development] dashboard > AWS::EC2.account_id
=> nil
[development] dashboard > ::Aws::STS::Client.new(region: 'us-west-2').get_caller_identity.account
=> "..."

@davidsbailey davidsbailey merged commit 3713202 into staging Jun 30, 2026
8 checks passed
@davidsbailey davidsbailey deleted the remove-some-secrets-from-drone branch June 30, 2026 22:55
@davidsbailey davidsbailey added the drone secrets remove the need for secrets in Drone CI label Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

drone secrets remove the need for secrets in Drone CI

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants