ci: Stop JWT leakage in jobs logs
There are some sensitive variables set by Gitlab as environment variables.
Some jobs uses them for running some scripts. Unfortunately, they are prone to be leaked via obvious ways, such as printing the entire environment for debugging reasons or not-so-obvious approaches, like executing set -x
and using some sensitive variables in the same script block.
We have set some CI variables to be masked by Gitlab, however this mechanism fails sometimes.
This MR targets to stop the leakage of CI_JOB_JWT
environment variable without relying on Gitlab variable masking tool.
CI_JOB_JWT
is used to access the MinIO repository in bare-metal/iris/virgl jobs.
Essentially, this MR achieves this goal via two main steps:
- Transferring the
CI_JOB_JWT
content to a file located atCI_JOB_JWT_FILE
at the very beginning of each Mesa CI job.- The necessary tools (
piglit
andci-fairy
) have been adapted to accept JWT tokens as file.
- The necessary tools (
- Doing the inverse operation of 1. as the last step of every job.