Skip to content

Commit 4930a5c

Browse files
devversiondevversion
committed
build: do not reserve GOOGLE_APPLICATION_CREDENTIALS for RBE auth
We currently configure RBE by setting `GOOGLE_APPLICATION_CREDENTIALS` into the `$BASH_ENV` variable, ensuring RBE is configured everywhere on CI. This worked nicely but now with automatic docs deployment turned out to be problematic since it prevents scripts from defining `GOOGLE_APPLICATION_CREDENTIALS` themselves/overriding it. the reason is that `$BASH_ENV` always runs in new child processes (like when firebase is initialized) and then overrides the credentials back to the RBE service key. We can simplify this code by using a dedicated Bazel flag.
1 parent 277acaf commit 4930a5c

File tree

1 file changed

+2
-13
lines changed

1 file changed

+2
-13
lines changed

scripts/bazel/setup-remote-execution.sh

Lines changed: 2 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -11,21 +11,10 @@ fi
1111

1212
# Decode the GCP token that is needed to authenticate the Bazel remote execution.
1313
openssl aes-256-cbc -d -in scripts/bazel/gcp_token -md md5 -k ${GCP_DECRYPT_TOKEN} \
14-
-out $HOME/.gcp_credentials
15-
16-
# Set the "GOOGLE_APPLICATION_CREDENTIALS" environment variable. It should point to the GCP credentials
17-
# file. Bazel will then automatically picks up the credentials from that variable.
18-
# https://docs.bazel.build/versions/main/command-line-reference.html#flag--google_default_credentials
19-
# https://cloud.google.com/docs/authentication/production.
20-
if [[ ! -z "${BASH_ENV}" ]]; then
21-
# CircleCI uses the `BASH_ENV` variable for environment variables.
22-
echo "export GOOGLE_APPLICATION_CREDENTIALS=${HOME}/.gcp_credentials" >> ${BASH_ENV}
23-
elif [[ ! -z "${GITHUB_ENV}" ]]; then
24-
# Github actions use the `GITHUB_ENV` variable for environment variables.
25-
echo "GOOGLE_APPLICATION_CREDENTIALS=${HOME}/.gcp_credentials" >> ${GITHUB_ENV}
26-
fi
14+
-out $HOME/.gcp_rbe_credentials
2715

2816
# Update the project Bazel configuration to always use remote execution.
2917
# Note: We add the remote config flag to the user bazelrc file that is not tracked
3018
# by Git. This is necessary to avoid stamping builds with `.with-local-changes`.
3119
echo "build --config=remote" >> .bazelrc.user
20+
echo "build:remote --google_credentials=\"$HOME/.gcp_rbe_credentials\"" >> .bazelrc.user

0 commit comments

Comments
 (0)