@AliSoftware
Contributor

@AliSoftware AliSoftware commented Dec 9, 2025

Description

This updates the way this repository manages secret files needed for compilation (secret.properties, sentry.properties, etc.) from being managed via configure_apply to being managed by git-conceal instead.

See paaHJt-96q-p2 for more details about this migration.

Closes AINFRA-1539

Merge Timing

While this PR can be reviewed and tested already, I don't plan to merge it until January so that I can be around to help with any issues or questions that may arise with the new tool and new process.

Testing Instructions

Note

While not strictly necessary, in order to not risk messing up your everyday working copy while going through those testing instructions, I'd recommend running those steps in a separate fresh clone of the repository instead of in the working copy you usually work with.

  • Clone the repo, check out this PR's branch
  • Validate that all the files that should be secret are indeed unreadable / encrypted:
    • secret.properties
    • sentry.properties
    • app/google-services.json
    • automotive/google-services.json
    • wear/google-services.json
    • google-upload-credentials.json
    • firebase.secrets.json
    • release.keystore
  • Compile the project, and validate that it prints relevant warnings about secret .properties files being encrypted and thus ignored
    • We might want to validate at that stage what's the status of Google Services in particular. i.e. since at that stage {app,automotive,wear}/google-services.json files were all present but encrypted (and thus not valid JSON), how does that impact flows like Google Login in the app? And thus how would this behave for external contributors to this project?
  • Follow the steps in the README.md to unlock the repo by copying the decryption key from the Secret Store and running pbpaste | base64 -d | git conceal unlock -
  • Validate that the files that were previously encrypted have been re-checked out and are now appearing in clear text in your working copy
  • Compile the project, and validate that the secret files (e.g. secret.properties, sentry.properties, …) are now read and their properties used during compilation
    • Validate that expected features that depend on those secret files (like Google Login for google-services.json?) work as expected in the compiled app

Note on CI failure

The CI failure on "Merged Manifest Diff" is expected, because the way this job works is that it switches to this PR's base branch to generate the base manifest and compare it with the one generated from this PR's head… but when it switches to this PR's branch, that base branch (main) doesn't have git-conceal set up—as it is still relying on configure_apply instead—so it doesn't have the google-services.json file present in main during that dance.

I expect this to be a transient issue, i.e. once this PR is merged into main and other PRs start to rebase on top so that all branches start to use git-conceal, this internal dance that "Merged Manifest Diff" does should work again.
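
An added example (not part of this PR, and not git-conceal's own code) that automates the two "validate" steps from the testing instructions above: run it with `locked` on a fresh clone and with `unlocked` after `git conceal unlock`. It assumes nothing about git-conceal's on-disk format; a file is treated as encrypted when it fails to parse as its expected cleartext format, which is a heuristic, and the script name `check_secrets.py` and the function names are hypothetical.

```python
import json
import sys
from pathlib import Path

# File list copied from the testing instructions above.
SECRET_FILES = [
    "secret.properties", "sentry.properties", "app/google-services.json",
    "automotive/google-services.json", "wear/google-services.json",
    "google-upload-credentials.json", "firebase.secrets.json", "release.keystore",
]

def is_cleartext(name: str, data: bytes) -> bool:
    """Heuristic (assumption): data parses as the file's expected cleartext format."""
    if name.endswith(".keystore"):
        # Keystores are binary even when decrypted, so test the container magic:
        # JKS starts with FEEDFEED; PKCS#12 is DER and starts with SEQUENCE (0x30).
        return data[:4] == b"\xfe\xed\xfe\xed" or data[:1] == b"\x30"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if "\x00" in text:
        return False
    if name.endswith(".json"):
        try:
            json.loads(text)
        except ValueError:
            return False
        return True
    # .properties: require at least one non-comment key=value / key:value line.
    lines = (line.strip() for line in text.splitlines())
    return any(l and l[0] not in "#!" and ("=" in l or ":" in l) for l in lines)

def audit(repo: Path, expect_locked: bool) -> list[str]:
    """Return one message per file whose state contradicts the expected one."""
    problems = []
    for name in SECRET_FILES:
        path = repo / name
        if not path.is_file():
            problems.append(f"{name}: missing")
        elif is_cleartext(name, path.read_bytes()) == expect_locked:
            problems.append(f"{name}: " + ("cleartext" if expect_locked else "not cleartext"))
    return problems

if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[2] not in ("locked", "unlocked"):
        sys.exit("usage: check_secrets.py <repo-dir> locked|unlocked")
    found = audit(Path(sys.argv[1]), sys.argv[2] == "locked")
    print("\n".join(found) or "OK")
    sys.exit(1 if found else 0)
```

A non-zero exit in `locked` mode means a listed file is still readable in a working copy that has not been unlocked, which is the condition worth failing a CI job on.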

@dangermattic
Collaborator

dangermattic commented Dec 9, 2025

1 Error
🚫 This PR is tagged with do not merge label(s).
1 Warning
⚠️ PR is not assigned to a milestone.

Generated by 🚫 Danger

@AliSoftware force-pushed the AINFRA-1539-adopt-git-conceal branch from ee73e6d to dab694d on December 9, 2025 20:16

@MiSikora
Contributor

@AliSoftware Should we proceed with this migration?

@AliSoftware
Contributor Author

Hey @MiSikora !

I think if you need to move forward with #4818 you should probably not wait for this migration to git-conceal after all.

  • I've been AFK for 2 weeks in December, then been at the AI workshop/meetup since the beginning of January (I'm still there until the end of the week), then will likely need some more extra days to catch up with everything that happened while I was away when I get back etc… so I might not go back to this PR until next week
  • The migration of all repos to git-conceal has been put a bit on pause while I wait for SysOps to validate that the approach is ok with them (see internal ref p5TWut-1t7-p2), so I want to clear things up with them before we commit to the plan of switching to this approach for good

So in the end, even if technically this PR is working, given the above AFK + SysOps approval points, it might take some more time than expected before I can unpause the project and we officially go forward with merging that PR, and I don't want it to block your progress on #4818.

Labels

[Area] Tooling do not merge [Type] Tooling Related to the Gradle build scripts and the setup or maintenance of the project build process.
