cc-ci/tests/bluesky-pds/install_steps.sh
autonomic-bot 9a7772563a style: repo-wide lint pass — make the lint gate green again
Push builds have been RED on the lint step since ~build 209 from accumulated
formatting drift. This is the mechanical cleanup: ruff format + ruff --fix
(UP038 isinstance unions, SIM105 contextlib.suppress, UP031 f-strings, SIM115
tempfile context manager), shfmt -i 2 -ci, nixpkgs-fmt/statix/deadnix (merged
attrsets, dropped unused lib args), yamllint, and shell quoting fixes in
tests/lasuite-docs/setup_custom_tests.sh. No behaviour changes intended;
lint: PASS, unit tests: 138 passed.
2026-06-09 21:56:15 +00:00


#!/usr/bin/env bash
# bluesky-pds — install-steps hook (Phase 1d DG5).
#
# bluesky-pds's `pds_plc_rotation_key` secret is marked `generate=false` in the recipe (the PLC
# rotation key is a secp256k1 private key that the deploy WILL reject if not pre-inserted). Run
# this hook AFTER `abra app secret generate` (which handles the recipe's auto-gen secrets) and
# BEFORE `abra app deploy` — generate a fresh secp256k1 key + insert it.
#
# The key is per-run class-B (each per-run domain gets its own); destroyed with the app at run end.
#
# Environment supplied by the orchestrator:
# CCCI_APP_DOMAIN — the per-run domain
# CCCI_RECIPE — "bluesky-pds"
# CCCI_APP_ENV — path to the app's .env file
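set -euo pipefail
: "${CCCI_APP_DOMAIN:?CCCI_APP_DOMAIN must be set by the harness}"
echo " bluesky-pds install_steps: generating secp256k1 PLC rotation key..."
# The recipe README generates the key with openssl+xxd; cc-ci's PATH only has python3 (the nix
# cc-ci-run env). A uniformly random 32-byte value is a valid secp256k1 private key with
# overwhelming probability (P(invalid) ~= 2^-128); Python's secrets.token_bytes(32) is
# cryptographically random and has the shape the PDS expects (32 bytes, hex-encoded).
#
# A generator failure is mapped to an empty value so the validation below reports it on
# stderr, instead of `set -e` ending the hook with no message.
KEY_HEX=$(cc-ci-run -c 'import secrets; print(secrets.token_bytes(32).hex())') || KEY_HEX=""
# Require exactly 64 lowercase hex digits (the form bytes.hex() emits). A length-only check
# would accept any 64-character output, e.g. a warning line printed on stdout.
# Only the length is reported on failure; the value itself is never echoed.
hex64_re='^[0-9a-f]{64}$'
if [[ ! "${KEY_HEX}" =~ ${hex64_re} ]]; then
  echo " install_steps: failed to generate PLC rotation key (KEY_HEX length=${#KEY_HEX})" >&2
  exit 1
fi
# Insert via abra under TTY-wrap (`abra app secret insert` requires a TTY on this version).
# We DON'T log the key value — abra also doesn't print it.
#
# `script -c` hands its argument to a shell, so the domain and key are passed through the
# environment and expanded inside double quotes by that inner shell. This keeps a domain
# containing shell metacharacters from being interpreted as code, and keeps the key out of the
# argv of `script` and of the inner shell.
# NOTE(review): abra itself still receives the key as a command-line argument, which other
# local processes can read while it runs. If the installed abra can read the secret from a
# file (its `--file` option — confirm for this version), a mode-0600 temp file would avoid that.
insert_rc=0
# shellcheck disable=SC2016 — the single quotes are deliberate: expansion happens in the inner shell.
PLC_INSERT_DOMAIN="${CCCI_APP_DOMAIN}" PLC_INSERT_KEY="${KEY_HEX}" \
  script -qec 'abra app secret insert "$PLC_INSERT_DOMAIN" pds_plc_rotation_key v1 "$PLC_INSERT_KEY" --no-input' /dev/null \
  >/dev/null 2>&1 || insert_rc=$?
# abra's output is discarded above, so without this message a failed insert would be silent.
if [ "${insert_rc}" -ne 0 ]; then
  echo " install_steps: abra app secret insert failed for pds_plc_rotation_key (exit ${insert_rc}; output suppressed to keep the key out of logs)" >&2
  exit "${insert_rc}"
fi
echo " bluesky-pds install_steps: PLC rotation key inserted (v1)."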