alleyinteractive / create-wordpress-project

A starter structure for the wp-content directory on a new WordPress project.
GNU General Public License v2.0

Convert CircleCI Auth to Deploy Keys #108

Closed kevinfodness closed 1 month ago

kevinfodness commented 1 month ago

Description

Currently, CircleCI authenticates as a user using an SSH key, which means that it's pushing to the -built branches as the user, rather than using a deploy key. There are some advantages to using deploy keys over SSH keys, especially that we can lock down branches using branch protection rules that say that they can only be updated via deploy keys and not via user pushes, which we can't do if Circle is authenticating as a user via an SSH key.

Use Case

When we configure CircleCI to build changes and deploy them to the -built branch, we should do so via a deploy key so that we can ensure that all CI updates to the repo happen via deploy keys.

Acceptance Criteria

kevinfodness commented 1 month ago

@benpbolton I'm going to rope you into this next week.

benpbolton commented 1 month ago

@kevinfodness I was able to do some testing on the wpcomvip/alley circleci builds to try out deploy keys.

The TL;DR is that they should work. This 'workflow' uses an ed25519 key that I created locally, uploaded the private key portion to Circle and the pubkey with write access to GitHub as a deploy key. The fingerprint is in a different format, but I verified that it can use the key.

The biggest gotcha is that you cannot have circle create the key, you've got to create and upload and reference it manually (their docs say so too). What's the next-step here? I can see about writing some guidance to this effect in the infosphere... I understand you'd like to prefer write deploy keys over user keys ... and only use user keys where we require their ability to cross repositories?


kevinfodness commented 1 month ago

Thanks for doing this investigation—it's great that we can use deploy keys here for common scenarios. Can you please update the CircleCI config that comes with this repo to make any necessary changes and add a comment explaining what implementers need to do? Since this is a public repo, we should keep the documentation here rather than in an Alley internal location.

benpbolton commented 1 month ago

Added

            # If your build requires access to a private repository, you will need to configure
            # a 'User key' with read access to any private repositories and write access to the
            # destination build repository (e.g. via an AlleyCI user).
            # See https://circleci.com/docs/github-integration/#enable-your-project-to-check-out-additional-private-repositories
            # If you only require write access (to deploy) to the destination repository, you
            # should manually 'Add SSH Key' with a read/write deploy key to the github.com
            # hostname.
            # See https://circleci.com/docs/github-integration/#create-a-github-deploy-key

to circleci config examples
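The comment above describes the deploy-key setup in prose only. The following is an added CircleCI config example, not the project's own `.circleci/config.yml`, showing where the manually added deploy key is referenced. It assumes a job named `build-and-deploy`, that the key was added under the project's SSH Keys settings for the `github.com` hostname, and that the build output is pushed to a `<branch>-built` branch; the fingerprint value is a placeholder, not a real key.

```yaml
version: 2.1

jobs:
  build-and-deploy:
    docker:
      - image: cimg/base:stable
    steps:
      # Load the read/write deploy key that was added manually in Project Settings.
      # CircleCI cannot generate a deploy key for you; create an ed25519 key locally,
      # register the public half on the GitHub repository as a deploy key with write
      # access, and add the private half here (hostname: github.com).
      # The fingerprint below is a placeholder; use the one CircleCI shows for your key.
      - add_ssh_keys:
          fingerprints:
            - "SHA256:REPLACE_WITH_YOUR_DEPLOY_KEY_FINGERPRINT"
      - checkout
      - run:
          name: Build and push to the -built branch
          command: |
            set -euo pipefail
            # Identify the commit as coming from CI rather than a user account.
            git config user.name "CircleCI"
            git config user.email "ci@example.invalid"  # placeholder address
            # Replace with the project's real build step (hypothetical script name).
            ./bin/build.sh
            git add -A
            git commit -m "Build of ${CIRCLE_SHA1}" --allow-empty
            # The push authenticates with the deploy key loaded by add_ssh_keys,
            # so branch protection can be limited to deploy-key pushes for *-built.
            git push --force origin "HEAD:${CIRCLE_BRANCH}-built"

workflows:
  deploy:
    jobs:
      - build-and-deploy
```

If the build also needs to clone other private repositories, a deploy key is scoped to a single repository and will not work; that is the case the comment reserves for a user key with read access across repositories.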