ci: validate secrets refactor #18772

siddarthkay · 2025-09-04T13:52:43Z

Summary

Introduces --verify-credentials flag which can be passed to status app and it will check for all the necessary credentials provided by status-jenkins-lib.
related changes are here : https://github.com/status-im/status-jenkins-lib/pull/120

Adds an Audit stage in jenkins which checks for these credentials, this is an integration test in CI to ensure that bundled app has all the necessary secrets.

status-im-auto · 2025-09-04T14:01:21Z

Jenkins Builds

Click to see older builds (137)

❔	Commit	#️⃣	Finished (UTC)	Duration	Platform	Result
✔️	`2a71da2`	#1	2025-09-04 14:01:21	~8 min	`tests/nim`	📄`log`
✔️	`2a71da2`	#1	2025-09-04 14:07:23	~14 min	`tests/ui`	📄`log`
✔️	`2a71da2`	#1	2025-09-04 14:10:06	~17 min	`linux/x86_64`	📦`tgz`
✔️	`2a71da2`	#1	2025-09-04 14:12:16	~19 min	`macos/aarch64`	🍎`dmg`
✔️	`2a71da2`	#1	2025-09-04 14:16:57	~23 min	`macos/aarch64-nwaku`	🍎`dmg`
✔️	`2a71da2`	#1	2025-09-04 14:17:18	~24 min	`linux/x86_64-nwaku`	📦`tgz`
✔️	`2a71da2`	#1	2025-09-04 14:21:42	~28 min	`windows/x86_64`	💿`exe`
✔️	`2a71da2`	pr18772	2025-09-04 14:21:53	~11 min	`tests/e2e`	📊`rpt`

✔️	26fab567	#1	2025-09-10 06:16:30	~7 min	`android/arm64`	🤖`apk` 📲

✔️	`e0b5773`	#2	2025-09-10 12:52:03	~6 min	`android/arm64`	🤖`apk` 📲
✔️	`e0b5773`	#2	2025-09-10 12:53:03	~7 min	`tests/nim`	📄`log`
✔️	`e0b5773`	#2	2025-09-10 12:58:56	~13 min	`tests/ui`	📄`log`
✔️	`e0b5773`	#2	2025-09-10 13:03:01	~17 min	`linux/x86_64`	📦`tgz`
✔️	`e0b5773`	#2	2025-09-10 13:07:51	~22 min	`linux/x86_64-nwaku`	📦`tgz`
✔️	`e0b5773`	#2	2025-09-10 13:10:35	~24 min	`macos/aarch64-nwaku`	🍎`dmg`
✔️	`e0b5773`	#2	2025-09-10 13:12:57	~27 min	`windows/x86_64`	💿`exe`
✔️	`e0b5773`	pr18772	2025-09-10 13:16:57	~13 min	`tests/e2e`	📊`rpt`

❌	`48fb258`	#3	2025-09-10 14:23:26	~2 min	`linux/x86_64`	📄`log`
❌	`48fb258`	#3	2025-09-10 14:23:45	~3 min	`macos/aarch64`	📄`log`
✔️	`48fb258`	#3	2025-09-10 14:28:04	~7 min	`tests/nim`	📄`log`
❌	`48fb258`	#3	2025-09-10 14:29:51	~9 min	`macos/aarch64-nwaku`	📄`log`
❌	`48fb258`	#3	2025-09-10 14:30:31	~9 min	`linux/x86_64-nwaku`	📄`log`
❌	`48fb258`	#3	2025-09-10 14:32:30	~11 min	`windows/x86_64`	📄`log`
✔️	`48fb258`	#3	2025-09-10 14:33:35	~12 min	`tests/ui`	📄`log`
✔️	`48fb258`	#4	2025-09-10 14:41:18	~12 min	`linux/x86_64`	📦`tgz`
✖️	`48fb258`	pr18772	2025-09-10 14:56:20	~14 min	`tests/e2e`	📊`rpt`

❌	`ef89cfd`	#5	2025-09-11 06:46:15	~2 min	`linux/x86_64`	📄`log`
❌	`ef89cfd`	#4	2025-09-11 06:46:32	~3 min	`macos/aarch64`	📄`log`
❌	`ef89cfd`	#4	2025-09-11 06:46:49	~3 min	`android/arm64`	📄`log`
✔️	`ef89cfd`	#4	2025-09-11 06:49:22	~5 min	`tests/nim`	📄`log`
❌	`ef89cfd`	#4	2025-09-11 06:52:33	~9 min	`macos/aarch64-nwaku`	📄`log`
❌	`ef89cfd`	#4	2025-09-11 06:52:51	~9 min	`linux/x86_64-nwaku`	📄`log`
❌	`ef89cfd`	#6	2025-09-11 06:55:22	~3 min	`linux/x86_64`	📄`log`
✔️	`ef89cfd`	#4	2025-09-11 06:56:23	~12 min	`tests/ui`	📄`log`
❌	`ef89cfd`	#4	2025-09-11 06:56:48	~13 min	`windows/x86_64`	📄`log`
❌	`ef89cfd`	#7	2025-09-11 07:21:41	~6 min	`linux/x86_64`	📄`log`
❌	`ef89cfd`	#5	2025-09-11 07:40:28	~1 min	`android/arm64`	📄`log`
❌	`ef89cfd`	#8	2025-09-11 07:42:10	~6 min	`linux/x86_64`	📄`log`
❌	`ef89cfd`	#5	2025-09-11 07:48:47	~9 min	`macos/aarch64`	📄`log`
❌	`ef89cfd`	#5	2025-09-11 07:52:13	~12 min	`windows/x86_64`	📄`log`
❌	`ef89cfd`	#5	2025-09-11 07:52:43	~13 min	`linux/x86_64-nwaku`	📄`log`
❌	`ef89cfd`	#5	2025-09-11 07:53:21	~13 min	`macos/aarch64-nwaku`	📄`log`

❌	`fff62b2`	#6	2025-09-11 08:05:26	~1 min	`android/arm64`	📄`log`
❌	`fff62b2`	#6	2025-09-11 08:09:56	~5 min	`macos/aarch64`	📄`log`
✔️	`fff62b2`	#5	2025-09-11 08:11:37	~7 min	`tests/nim`	📄`log`
❌	`fff62b2`	#9	2025-09-11 08:15:12	~11 min	`linux/x86_64`	📄`log`
❌	`fff62b2`	#6	2025-09-11 08:16:16	~12 min	`macos/aarch64-nwaku`	📄`log`
✔️	`fff62b2`	#5	2025-09-11 08:16:52	~12 min	`tests/ui`	📄`log`
❌	`fff62b2`	#6	2025-09-11 08:17:23	~13 min	`windows/x86_64`	📄`log`
❌	`fff62b2`	#6	2025-09-11 08:21:23	~17 min	`linux/x86_64-nwaku`	📄`log`

❌	`49eb2aa`	#7	2025-09-11 08:44:26	~1 min	`android/arm64`	📄`log`
✔️	`49eb2aa`	#6	2025-09-11 08:48:48	~5 min	`tests/nim`	📄`log`
❌	`49eb2aa`	#7	2025-09-11 08:49:00	~5 min	`macos/aarch64`	📄`log`
❌	`49eb2aa`	#10	2025-09-11 08:50:33	~7 min	`linux/x86_64`	📄`log`

❌	`0373db0`	#8	2025-09-11 08:55:46	~1 min	`android/arm64`	📄`log`
✔️	`0373db0`	#7	2025-09-11 09:00:26	~6 min	`tests/nim`	📄`log`
❌	`0373db0`	#11	2025-09-11 09:01:40	~7 min	`linux/x86_64`	📄`log`
❌	`0373db0`	#8	2025-09-11 09:01:52	~7 min	`macos/aarch64`	📄`log`
✔️	`0373db0`	#7	2025-09-11 09:07:17	~12 min	`tests/ui`	📄`log`
❌	`0373db0`	#8	2025-09-11 09:07:56	~13 min	`linux/x86_64-nwaku`	📄`log`
❌	`0373db0`	#8	2025-09-11 09:08:45	~14 min	`macos/aarch64-nwaku`	📄`log`

❌	`6594eba`	#9	2025-09-11 09:12:10	~1 min	`android/arm64`	📄`log`
❌	`6594eba`	#9	2025-09-11 09:16:41	~5 min	`macos/aarch64`	📄`log`
✔️	`6594eba`	#8	2025-09-11 09:16:41	~5 min	`tests/nim`	📄`log`
❌	`6594eba`	#12	2025-09-11 09:18:04	~7 min	`linux/x86_64`	📄`log`
❌	`6594eba`	#9	2025-09-11 09:23:38	~12 min	`macos/aarch64-nwaku`	📄`log`
❌	`6594eba`	#9	2025-09-11 09:24:07	~13 min	`windows/x86_64`	📄`log`
✔️	`6594eba`	#8	2025-09-11 09:24:31	~13 min	`tests/ui`	📄`log`
❌	`6594eba`	#9	2025-09-11 09:25:06	~14 min	`linux/x86_64-nwaku`	📄`log`

❌	`f539bd7`	#10	2025-09-11 09:28:19	~1 min	`android/arm64`	📄`log`
❌	`f539bd7`	#10	2025-09-11 09:32:41	~5 min	`macos/aarch64`	📄`log`
✔️	`f539bd7`	#9	2025-09-11 09:33:04	~6 min	`tests/nim`	📄`log`
❌	`f539bd7`	#13	2025-09-11 09:34:40	~7 min	`linux/x86_64`	📄`log`
❌	`f539bd7`	#10	2025-09-11 09:39:08	~12 min	`macos/aarch64-nwaku`	📄`log`
✔️	`f539bd7`	#9	2025-09-11 09:39:32	~12 min	`tests/ui`	📄`log`
❌	`f539bd7`	#10	2025-09-11 09:40:15	~13 min	`windows/x86_64`	📄`log`
❌	`f539bd7`	#10	2025-09-11 09:41:14	~14 min	`linux/x86_64-nwaku`	📄`log`

❌	`54c72e7`	#11	2025-09-11 09:50:27	~1 min	`android/arm64`	📄`log`
✔️	`54c72e7`	#10	2025-09-11 09:54:42	~5 min	`tests/nim`	📄`log`
❌	`54c72e7`	#11	2025-09-11 09:54:52	~5 min	`macos/aarch64`	📄`log`
❌	`54c72e7`	#14	2025-09-11 09:55:55	~7 min	`linux/x86_64`	📄`log`
❌	`54c72e7`	#11	2025-09-11 10:01:08	~12 min	`macos/aarch64-nwaku`	📄`log`
✔️	`54c72e7`	#10	2025-09-11 10:01:24	~12 min	`tests/ui`	📄`log`
❌	`54c72e7`	#11	2025-09-11 10:02:03	~13 min	`linux/x86_64-nwaku`	📄`log`
❌	`54c72e7`	#11	2025-09-11 10:02:17	~13 min	`windows/x86_64`	📄`log`

✔️	`8393403`	#12	2025-09-11 10:17:56	~2 min	`android/arm64`	🤖`apk` 📲
✔️	`8393403`	#11	2025-09-11 10:21:14	~6 min	`tests/nim`	📄`log`
✔️	`8393403`	#12	2025-09-11 10:24:35	~9 min	`macos/aarch64`	🍎`dmg`
❌	`8393403`	#15	2025-09-11 10:27:00	~11 min	`linux/x86_64`	📄`log`
✔️	`8393403`	#11	2025-09-11 10:28:14	~13 min	`tests/ui`	📄`log`
❌	`8393403`	#12	2025-09-11 10:33:23	~18 min	`linux/x86_64-nwaku`	📄`log`
✔️	`8393403`	#12	2025-09-11 10:35:12	~20 min	`macos/aarch64-nwaku`	🍎`dmg`
✔️	`8393403`	#12	2025-09-11 10:38:33	~23 min	`windows/x86_64`	💿`exe`

✔️	`1b56958`	#13	2025-09-11 10:47:13	~3 min	`android/arm64`	🤖`apk` 📲
✔️	`1b56958`	#12	2025-09-11 10:50:01	~6 min	`tests/nim`	📄`log`
✔️	`1b56958`	#13	2025-09-11 10:55:03	~11 min	`macos/aarch64`	🍎`dmg`
✔️	`1b56958`	#16	2025-09-11 10:55:59	~12 min	`linux/x86_64`	📦`tgz`
✔️	`1b56958`	#12	2025-09-11 10:56:26	~12 min	`tests/ui`	📄`log`
✔️	`1b56958`	#13	2025-09-11 11:00:02	~16 min	`macos/aarch64-nwaku`	🍎`dmg`
✖️	`1b56958`	pr18772	2025-09-11 11:10:54	~14 min	`tests/e2e`	📊`rpt`

✔️	`bb06a49`	#14	2025-09-11 11:04:52	~3 min	`android/arm64`	🤖`apk` 📲

✔️	`0991af4`	#15	2025-09-11 11:09:36	~3 min	`android/arm64`	🤖`apk` 📲
✔️	`0991af4`	#14	2025-09-11 11:12:55	~6 min	`tests/nim`	📄`log`
✔️	`0991af4`	#15	2025-09-11 11:18:27	~12 min	`macos/aarch64`	🍎`dmg`
✔️	`0991af4`	#18	2025-09-11 11:18:50	~12 min	`linux/x86_64`	📦`tgz`
✔️	`0991af4`	#14	2025-09-11 11:21:54	~15 min	`tests/ui`	📄`log`
✔️	`0991af4`	#15	2025-09-11 11:26:30	~20 min	`linux/x86_64-nwaku`	📦`tgz`
✔️	`0991af4`	pr18772	2025-09-11 11:32:14	~13 min	`tests/e2e`	📊`rpt`

✔️	`374a4c0`	#16	2025-09-11 11:29:54	~2 min	`android/arm64`	🤖`apk` 📲
❌	`374a4c0`	#16	2025-09-11 11:29:54	~2 min	`macos/aarch64-nwaku`	📄`log`
❌	`374a4c0`	#16	2025-09-11 11:29:54	~2 min	`macos/aarch64`	📄`log`
✔️	`374a4c0`	#15	2025-09-11 11:32:59	~5 min	`tests/nim`	📄`log`
❌	`374a4c0`	#17	2025-09-11 11:39:25	~8 min	`macos/aarch64`	📄`log`
✔️	`374a4c0`	#19	2025-09-11 11:39:32	~12 min	`linux/x86_64`	📦`tgz`
✔️	`374a4c0`	#15	2025-09-11 11:39:41	~12 min	`tests/ui`	📄`log`
✖️	`374a4c0`	pr18772	2025-09-11 11:53:29	~13 min	`tests/e2e`	📊`rpt`

✔️	`edff596`	#17	2025-09-11 11:44:38	~3 min	`android/arm64`	🤖`apk` 📲

✔️	`4543c69`	#18	2025-09-11 11:48:04	~3 min	`android/arm64`	🤖`apk` 📲

✔️	`a4ce223`	#19	2025-09-11 11:52:55	~3 min	`android/arm64`	🤖`apk` 📲
✔️	`a4ce223`	#18	2025-09-11 11:55:47	~6 min	`tests/nim`	📄`log`
✔️	`a4ce223`	#22	2025-09-11 12:01:58	~12 min	`linux/x86_64`	📦`tgz`
✔️	`a4ce223`	#18	2025-09-11 12:02:29	~12 min	`tests/ui`	📄`log`
✔️	`a4ce223`	#20	2025-09-11 12:03:07	~13 min	`macos/aarch64`	🍎`dmg`
❌	`a4ce223`	#19	2025-09-11 12:03:27	~13 min	`macos/aarch64-nwaku`	📄`log`
✔️	`a4ce223`	#19	2025-09-11 12:11:59	~22 min	`linux/x86_64-nwaku`	📦`tgz`
✔️	`a4ce223`	pr18772	2025-09-11 12:15:14	~13 min	`tests/e2e`	📊`rpt`
❌	`a4ce223`	#19	2025-09-11 12:16:50	~27 min	`windows/x86_64`	📄`log`

✔️	`7c9e24c`	#20	2025-09-11 12:43:00	~2 min	`android/arm64`	🤖`apk` 📲
✔️	`7c9e24c`	#19	2025-09-11 12:46:01	~5 min	`tests/nim`	📄`log`
❌	`7c9e24c`	#21	2025-09-11 12:50:53	~10 min	`macos/aarch64`	📄`log`
✔️	`7c9e24c`	#19	2025-09-11 12:52:34	~12 min	`tests/ui`	📄`log`
✔️	`7c9e24c`	#23	2025-09-11 12:52:45	~12 min	`linux/x86_64`	📦`tgz`
❌	`7c9e24c`	#20	2025-09-11 12:55:41	~15 min	`macos/aarch64-nwaku`	📄`log`
✔️	`7c9e24c`	#20	2025-09-11 12:58:06	~17 min	`linux/x86_64-nwaku`	📦`tgz`
❌	`7c9e24c`	#20	2025-09-11 13:01:18	~21 min	`windows/x86_64`	📄`log`
✔️	`7c9e24c`	pr18772	2025-09-11 13:07:59	~15 min	`tests/e2e`	📊`rpt`

✔️	ca4f8697	#24	2025-09-18 09:22:59	~7 min	`android/arm64`	🤖`apk` 📲

❔	Commit	#️⃣	Finished (UTC)	Duration	Platform	Result
✔️	b4d388d0	#25	2025-09-19 09:23:09	~7 min	`android/arm64`	🤖`apk` 📲

✔️	e9a5a80a	#28	2025-09-24 17:25:54	~10 min	`android/arm64`	🤖`apk` 📲

Introduces --verify-credentials flag which can be passed to status app and it will check for all the necessary credentials provided by status-jenkins-lib. related changes are here : status-im/status-jenkins-lib#120 Adds an Audit stage in jenkins which checks for these credentials, this is an integration test in CI to ensure that bundled app has all the necessary secrets. Shorten existing stage names in Jenkins for better readability.

jakubgs · 2025-09-11T13:05:33Z

src/app/core/credential_verifier.nim

+  let thingsToCheck = getEnv("THINGS_TO_CHECK")
+  if thingsToCheck.len == 0:
+    echo "ERROR: THINGS_TO_CHECK environment variable not set"
+    return 1


This seem way to complicated to me. Why can't we write a wrapper around getEnv() in src/env_cli_vars.nim:

status-desktop/src/env_cli_vars.nim

Lines 46 to 48 in ac2ac73

const

DEFAULT_INFURA_TOKEN = "220a1abb4b6943a093c35d0ce4fb0732"

BUILD_INFURA_TOKEN = getEnv(BUILD_TIME_PREFIX & BASE_NAME_INFURA_TOKEN, DEFAULT_INFURA_TOKEN)

And just check if it's an empty string and fail on that with an assert or something.

I thought we could use existsEnv() but empty string is an invalid value so just checking that is better.

According to docs static blocks are executed at built time:
https://nim-lang.org/docs/manual.html#statements-and-expressions-static-statementslashexpression

But I don't see any usage of static in src/env_cli_vars.nim or src/constants.nim.

The key point is that we want a way that live closest to where the vars are sourced, that way we have a better chance of developers also maintaining that. We could define a mustGetEnv() that is used only for secrets, or even more explicit ciMustGetEnv() that only fails on missing value when CI=true.

siddarthkay self-assigned this Sep 4, 2025

siddarthkay requested a review from a team as a code owner September 4, 2025 13:52

siddarthkay force-pushed the secrets-refactor branch from 2a71da2 to e0b5773 Compare September 10, 2025 12:45

siddarthkay marked this pull request as draft September 10, 2025 14:24

siddarthkay force-pushed the secrets-refactor branch 15 times, most recently from 4543c69 to a4ce223 Compare September 11, 2025 11:49

siddarthkay marked this pull request as ready for review September 11, 2025 11:49

siddarthkay requested a review from a team as a code owner September 11, 2025 11:49

siddarthkay requested review from iurimatias and removed request for a team September 11, 2025 11:49

siddarthkay force-pushed the secrets-refactor branch from a4ce223 to 7c9e24c Compare September 11, 2025 12:39

jakubgs reviewed Sep 11, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ci: validate secrets refactor #18772

ci: validate secrets refactor #18772

Uh oh!

siddarthkay commented Sep 4, 2025 •

edited

Loading

Uh oh!

status-im-auto commented Sep 4, 2025 •

edited

Loading

Uh oh!

jakubgs Sep 11, 2025 •

edited

Loading

Uh oh!

jakubgs Sep 11, 2025

Uh oh!

jakubgs Sep 11, 2025

Uh oh!

Uh oh!

	const
	DEFAULT_INFURA_TOKEN = "220a1abb4b6943a093c35d0ce4fb0732"
	BUILD_INFURA_TOKEN = getEnv(BUILD_TIME_PREFIX & BASE_NAME_INFURA_TOKEN, DEFAULT_INFURA_TOKEN)

ci: validate secrets refactor #18772

Are you sure you want to change the base?

ci: validate secrets refactor #18772

Uh oh!

Conversation

siddarthkay commented Sep 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Uh oh!

status-im-auto commented Sep 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Jenkins Builds

Uh oh!

jakubgs Sep 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

jakubgs Sep 11, 2025

Choose a reason for hiding this comment

Uh oh!

jakubgs Sep 11, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

siddarthkay commented Sep 4, 2025 •

edited

Loading

status-im-auto commented Sep 4, 2025 •

edited

Loading

jakubgs Sep 11, 2025 •

edited

Loading