internal/ci: remove outdated setting of CUE_TEST_LOGINS

As the comment that is part of this diff suggests, this was (and, this CL confirms, is no longer) a temporary measure until we added a proper endpoint for getting test user ID credentials for pages that are part of cuelang.org that need the Central Registry. We also carefully document why the porcupine user is being used as the privileged account when regenerating pages requiring those test user IDs. Signed-off-by: Paul Jolly <[email protected]> Change-Id: Ibd7d53870cf2003c0d3504f96c297a034a838f92
cue-lang · Sep 20, 2024 · 7c73013 · 7c73013
1 parent 77ae8e7
commit 7c73013
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 8 deletions.
diff --git a/.github/workflows/trybot.yaml b/.github/workflows/trybot.yaml
@@ -203,8 +203,6 @@ jobs:
           EOD
       - name: Dist
         run: ./_scripts/build.bash --baseURL https://cl-${{ fromJSON(steps.DispatchTrailer.outputs.value).CL }}-${{ fromJSON(steps.DispatchTrailer.outputs.value).patchset }}--cue-cls.netlify.app
-        env:
-          CUE_TEST_LOGINS: ${{ secrets.CUECKOO_CUE_TEST_LOGINS }}
       - if: always()
         name: Check that git is clean at the end of the job
         run: test -z "$(git status --porcelain)" || (git status; git diff; false)

diff --git a/internal/ci/github/trybot.cue b/internal/ci/github/trybot.cue
@@ -191,6 +191,17 @@ workflows: trybot: _repo.bashWorkflow & {
 				"working-directory": "playground"
 			},
 
+			// A number of pages that are part of cuelang.org require interacting
+			// with the Central Registry. These pages require users with slightly
+			// different access levels, in order to simulate (for example) private
+			// modules, with some users granted access whilst others are denied.
+			// The Central Registry has a special endpoint which generates access
+			// tokens for a set of such test user IDs. Access to this endpoint is
+			// sensitive, because in  theory there is privilege escalation (even
+			// though in reality the test user IDs are intentionally not used
+			// for anything sensitive). As such, we use porcupine here order to
+			// more carefully contronl in a CI environment who has access to
+			// this endpoint.
 			json.#step & {
 				name: "write $HOME/.config/cue/logins.json"
 				run: """
@@ -203,12 +214,6 @@ workflows: trybot: _repo.bashWorkflow & {
 
 			_dist & {
 				_baseURL: _netlifyStep.#prime_url.CL
-
-				// TODO: remove this (and the credentials on the GitHub side in
-				// both the cuelang.org and cuelang.org-trybot repos) when we
-				// have a more principled solution to getting and passing
-				// temporary credentials.
-				env: CUE_TEST_LOGINS: "${{ secrets.CUECKOO_CUE_TEST_LOGINS }}"
 			},
 
 			// Check on clean repo prior to deploy