NAS-134870 / 25.10 / Allow specifying secret env variables in the build (#842)

* Allow specifying secret_env in build manifest * Get secret env initialized when initializing package * Add logic to read secrets file * Make sure secrets are properly set for package when building the package * Expose scale release version variable as well * Fix typo * Make sure env variables are actually passed to the package itself * Add secrets yaml file to git ignore * Do not expose build env variables in ps output
2025-12-20 02:49:28 +00:00 · 2025-04-18 20:34:12 +05:00
parent 6aa7077964
commit 76b930d18c
5 changed files with 40 additions and 5 deletions
--- a/scale_build/packages/build.py
+++ b/scale_build/packages/build.py
@@ -1,13 +1,14 @@
 import contextlib
 import json
 import os
+import shlex
 import shutil

 from datetime import datetime
 from scale_build.config import BUILD_TIME, VERSION
 from scale_build.exceptions import CallError
 from scale_build.utils.environment import APT_ENV
-from scale_build.utils.manifest import get_truenas_train, get_release_code_name
+from scale_build.utils.manifest import get_truenas_train, get_release_code_name, get_secret_env
 from scale_build.utils.run import run
 from scale_build.utils.paths import PKG_DIR

@@ -16,8 +17,9 @@ class BuildPackageMixin:

    def run_in_chroot(self, command, exception_message=None):
        run(
-            f'chroot {self.dpkg_overlay} /bin/bash -c "{command}"', shell=True, exception_msg=exception_message,
-            env=self._get_build_env()
+            f'chroot {self.dpkg_overlay} /bin/bash -c {shlex.quote(command)}', shell=True,
+            exception_msg=exception_message,
+            env=self._get_build_env() | self._get_chroot_env()
        )

    @property
@@ -61,6 +63,15 @@ class BuildPackageMixin:
        env.update(self.ccache_env(env))
        return env

+    def _get_chroot_env(self):
+        env = {
+            'RELEASE_VERSION': VERSION,
+        }
+        secrets = get_secret_env()
+        for k in filter(lambda k: k in secrets, self.secret_env):
+            env[k] = secrets[k]
+        return env
+
    def _build_impl(self):
        shutil.copytree(self.source_path, self.source_in_chroot, dirs_exist_ok=True, symlinks=True)
        if os.path.exists(os.path.join(self.dpkg_overlay_packages_path, 'Packages.gz')):
@@ -160,7 +171,8 @@ class BuildPackageMixin:
            return self.buildcmd
        else:
            build_env = f'DEB_BUILD_OPTIONS={self.deoptions} ' if self.deoptions else ''
-            return [f'{build_env} debuild {" ".join(self.deflags)}']
+            env_flags = [f'-e{k}' for k in self._get_chroot_env()]
+            return [f'{build_env} debuild {" ".join(env_flags + self.deflags)}']

    @property
    def debug_command(self):