From: Remi Gacogne
Date: Fri, 27 Jan 2023 14:57:49 +0000 (+0100)
Subject: Try harder not to leak the coverity tokens
X-Git-Tag: dnsdist-1.8.0-rc1~71^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df23d4bf400c67dbcf8cde6dd572a011711c7b2f;p=thirdparty%2Fpdns.git

Try harder not to leak the coverity tokens
---
diff --git a/.github/workflows/misc-dailies.yml b/.github/workflows/misc-dailies.yml
index 1934930344..1747ff01fa 100644
--- a/.github/workflows/misc-dailies.yml
+++ b/.github/workflows/misc-dailies.yml
@@ -38,6 +38,7 @@ jobs:
 name: coverity scan of the auth
 runs-on: ubuntu-20.04
 env:
+ COVERITY_TOKEN: ${{ secrets.coverity_auth_token }}
 FUZZING_TARGETS: no
 SANITIZERS:
 UNIT_TESTS: no
@@ -50,18 +51,19 @@ jobs:
 - run: build-scripts/gh-actions-setup-inv # this runs apt update+upgrade
 - run: inv install-clang
 - run: inv install-auth-build-deps
- - run: inv install-coverity-tools ${{ secrets.coverity_auth_token }} PowerDNS
+ - run: inv install-coverity-tools PowerDNS
 - run: inv coverity-clang-configure
 - run: inv ci-autoconf
 - run: inv ci-auth-configure
 - run: inv coverity-make
 - run: inv coverity-tarball auth.tar.bz2
- - run: inv coverity-upload ${{ secrets.coverity_auth_token }} ${{ secrets.coverity_email }} PowerDNS auth.tar.bz2
+ - run: inv coverity-upload ${{ secrets.coverity_email }} PowerDNS auth.tar.bz2

 coverity-dnsdist:
 name: coverity scan of dnsdist
 runs-on: ubuntu-20.04
 env:
+ COVERITY_TOKEN: ${{ secrets.coverity_dnsdist_token }}
 SANITIZERS:
 UNIT_TESTS: no
 steps:
@@ -73,7 +75,7 @@ jobs:
 - run: build-scripts/gh-actions-setup-inv # this runs apt update+upgrade
 - run: inv install-clang
 - run: inv install-dnsdist-build-deps
- - run: inv install-coverity-tools ${{ secrets.coverity_dnsdist_token }} dnsdist
+ - run: inv install-coverity-tools dnsdist
 - run: inv coverity-clang-configure
 - run: inv ci-autoconf
 working-directory: ./pdns/dnsdistdist/
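Review bot: Setting `COVERITY_TOKEN` in the job-level `env:` of `coverity-auth` hands the secret to every step of the job, including the dependency installs and the whole `inv coverity-make` build, while as far as this diff shows only `install-coverity-tools` and `coverity-upload` read it. Scoping it to those two steps keeps it out of the environment of everything that runs in between: give each of the two `run:` entries its own step-level `env:` with `COVERITY_TOKEN: ${{ secrets.coverity_auth_token }}`. The same job-level placement is repeated for `coverity-dnsdist` and `coverity-rec` in the later hunks.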
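Review bot: `${{ secrets.coverity_email }}` is still expanded directly into the `run:` line of the `coverity-upload` step, so it is pasted into the shell script text and passed as a task argument, which is the handling this commit removes for the token. If the address is meant to stay private, pass it the same way, e.g. `COVERITY_EMAIL: ${{ secrets.coverity_email }}` under `env:` with `coverity_upload` reading it from the environment. The dnsdist and rec upload steps in the later hunks carry the same line.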
@@ -83,13 +85,14 @@ jobs:
 working-directory: ./pdns/dnsdistdist/
 - run: inv coverity-tarball dnsdist.tar.bz2
 working-directory: ./pdns/dnsdistdist/
- - run: inv coverity-upload ${{ secrets.coverity_dnsdist_token }} ${{ secrets.coverity_email }} dnsdist dnsdist.tar.bz2
+ - run: inv coverity-upload ${{ secrets.coverity_email }} dnsdist dnsdist.tar.bz2
 working-directory: ./pdns/dnsdistdist/

 coverity-rec:
 name: coverity scan of the rec
 runs-on: ubuntu-20.04
 env:
+ COVERITY_TOKEN: ${{ secrets.coverity_rec_token }}
 SANITIZERS:
 UNIT_TESTS: no
 steps:
@@ -101,7 +104,7 @@ jobs:
 - run: build-scripts/gh-actions-setup-inv # this runs apt update+upgrade
 - run: inv install-clang
 - run: inv install-rec-build-deps
- - run: inv install-coverity-tools ${{ secrets.coverity_rec_token }} 'PowerDNS+Recursor'
+ - run: inv install-coverity-tools 'PowerDNS+Recursor'
 - run: inv coverity-clang-configure
 - run: inv ci-autoconf
 working-directory: ./pdns/recursordist/
@@ -111,5 +114,5 @@ jobs:
 working-directory: ./pdns/recursordist/
 - run: inv coverity-tarball recursor.tar.bz2
 working-directory: ./pdns/recursordist/
- - run: inv coverity-upload ${{ secrets.coverity_rec_token }} ${{ secrets.coverity_email }} 'PowerDNS+Recursor' recursor.tar.bz2
+ - run: inv coverity-upload ${{ secrets.coverity_email }} 'PowerDNS+Recursor' recursor.tar.bz2
 working-directory: ./pdns/recursordist/
diff --git a/tasks.py b/tasks.py
index 755756feaf..3686718cc0 100644
--- a/tasks.py
+++ b/tasks.py
@@ -616,8 +616,9 @@ def swagger_syntax_check(c):
 c.run('api-spec-converter docs/http-api/swagger/authoritative-api-swagger.yaml -f swagger_2 -t openapi_3 -s json -c')

 @task
-def install_coverity_tools(c, token, project):
- c.sudo(f'curl -s https://scan.coverity.com/download/linux64 --data "token={token}&project={project}" | gunzip | sudo tar xvf /dev/stdin --strip-components=1 --no-same-owner -C /usr/local')
+def install_coverity_tools(c, project):
+ token = os.getenv('COVERITY_TOKEN')
+ c.run(f'curl -s https://scan.coverity.com/download/linux64 --data "token={token}&project={project}" | gunzip | sudo tar xvf /dev/stdin --strip-components=1 --no-same-owner -C /usr/local', hide=True)

 @task
 def coverity_clang_configure(c):
@@ -632,13 +633,14 @@ def coverity_tarball(c, tarball):
 c.run(f'tar caf {tarball} cov-int')

 @task
-def coverity_upload(c, token, email, project, tarball):
+def coverity_upload(c, email, project, tarball):
+ token = os.getenv('COVERITY_TOKEN')
 c.run(f'curl --form token={token} \
 --form email="{email}" \
 --form file=@{tarball} \
 --form version="$(./builder-support/gen-version)" \
 --form description="master build" \
- https://scan.coverity.com/builds?project={project}')
+ https://scan.coverity.com/builds?project={project}', hide=True)

 # this is run always
 def setup():
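Review bot: In `install_coverity_tools`, `os.getenv('COVERITY_TOKEN')` returns `None` when the variable is missing and an empty string when the secret is not available to the run, and either value is sent to Coverity as the token instead of stopping the task. Fail early with `if not token: raise RuntimeError('COVERITY_TOKEN is not set')`. The token is also still formatted into the command string by Python, so it ends up in curl's argument list and in the command text invoke reports when a run fails; having curl read the form body from stdin (`--data @-`) would keep it out of both. This assumes `os` is already imported in tasks.py, which the hunk does not show.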
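Review bot: In `coverity_upload`, `hide=True` suppresses the response from scan.coverity.com, and curl is called without `--fail`, so an upload the server answers with an HTTP error still exits 0 and the step passes with nothing in the log. Adding `--fail` to the curl call would make a rejected submission fail the job. The token handling matches `install_coverity_tools`: a missing `COVERITY_TOKEN` is submitted as the literal `None`, and `--form token={token}` is unquoted and built into the command line by Python.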