internal/task: accept secrets explicitly via ExternalConfig struct

Previously, the tweet tasks fetched Twitter API credentials implicitly
from the environment, and a dryRun bool parameter was used to disable
the task from actually posting a tweet (useful for running tests).

This doesn't scale well to being able to supply different credentials,
which is needed to be able to run the task in a staging environment,
using a staging/test set of credentials.

Create an ExternalConfig struct for providing secrets for external
services that tasks need to interact with, making this more explicit.

This will be used by relui in its upcoming "create tweet" workflows.

Update the MailDLCL task analogously to accept the new ExternalConfig
parameter, making it more testable and dry-run-capable in the process.

Also switch to using *workflow.TaskContext (pointer, not value),
since that's what the x/build/internal/workflow package expects.

For golang/go#47402.
Updates golang/go#47405.

Change-Id: I40f0144a57ca0031840fbd1303ab56ac3fefc6c6
Reviewed-on: https://go-review.googlesource.com/c/build/+/382935
Run-TryBot: Dmitri Shuralyov <[email protected]>
Trust: Dmitri Shuralyov <[email protected]>
Reviewed-by: Alex Rakoczy <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

Author: dmitshur

cmd/releasebot/README.md

@@ -15,5 +15,7 @@ The user running a release will need:
 * gomote access and a token in your name
 * gcloud application default credentials, and an account with GCS access to golang-org for bucket golang-release-staging
 * **`release-manager` group membership on Gerrit**
+* for `-mode=mail-dl-cl` only, Secret Manager access to Gerrit API secret
+* for `-mode=tweet-*` only, Secret Manager access to Twitter API secret
 
 NOTE: all but the Gerrit permission are ensured by the bot on startup.

cmd/releasebot/gerrit.go

@@ -0,0 +1,32 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"context"
+
+	"golang.org/x/build/buildenv"
+	"golang.org/x/build/gerrit"
+	"golang.org/x/build/internal/secret"
+)
+
+const (
+	// gerritAPIURL is the Gerrit API URL.
+	gerritAPIURL = "https://go-review.googlesource.com"
+)
+
+// loadGerritAuth loads Gerrit API credentials.
+func loadGerritAuth() (gerrit.Auth, error) {
+	sc, err := secret.NewClientInProject(buildenv.Production.ProjectName)
+	if err != nil {
+		return nil, err
+	}
+	defer sc.Close()
+	token, err := sc.Retrieve(context.Background(), secret.NameGobotPassword)
+	if err != nil {
+		return nil, err
+	}
+	return gerrit.BasicAuth("git-gobot.golang.org", token), nil
+}

cmd/releasebot/main.go

@@ -207,28 +207,36 @@ func mailDLCL() {
 	}
 	versions := flag.Args()
 
-	fmt.Printf("About to create a golang.org/dl CL for the following Go versions:\n\n\t• %s\n\nOk? (Y/n) ", strings.Join(versions, "\n\t• "))
-	if dryRun {
-		fmt.Println("dry-run")
-		return
+	extCfg := task.ExternalConfig{
+		DryRun: dryRun,
 	}
+	if !dryRun {
+		extCfg.GerritAPI.URL = gerritAPIURL
+		var err error
+		extCfg.GerritAPI.Auth, err = loadGerritAuth()
+		if err != nil {
+			log.Fatalln("error loading Gerrit API credentials:", err)
+		}
+	}
+
+	fmt.Printf("About to create a golang.org/dl CL for the following Go versions:\n\n\t• %s\n\nOk? (Y/n) ", strings.Join(versions, "\n\t• "))
 	var resp string
 	if _, err := fmt.Scanln(&resp); err != nil {
 		log.Fatalln(err)
 	} else if resp != "Y" && resp != "y" {
 		log.Fatalln("stopped as requested")
 	}
-	changeURL, err := task.MailDLCL(context.Background(), versions)
+	changeURL, err := task.MailDLCL(&workflow.TaskContext{Context: context.Background(), Logger: log.Default()}, versions, extCfg)
 	if err != nil {
-		log.Fatalf(`task.MailDLCL(ctx, %#v) failed:
+		log.Fatalf(`task.MailDLCL(ctx, %#v, extCfg) failed:
 
 	%v
 
 If it's necessary to perform it manually as a workaround,
 consider the following steps:
 
 	git clone https://go.googlesource.com/dl && cd dl
-	go run ./internal/genv goX.Y.Z goX.A.B
+	# create files displayed in the log above
 	git add .
 	git commit -m "dl: add goX.Y.Z and goX.A.B"
 	git codereview mail -trybot -trust
@@ -252,6 +260,17 @@ func postTweet(kind string) {
 		log.Fatalln("error parsing release tweet JSON object:", err)
 	}
 
+	extCfg := task.ExternalConfig{
+		DryRun: dryRun,
+	}
+	if !dryRun {
+		var err error
+		extCfg.TwitterAPI, err = loadTwitterAuth()
+		if err != nil {
+			log.Fatalln("error loading Twitter API credentials:", err)
+		}
+	}
+
 	versions := []string{tweet.Version}
 	if tweet.SecondaryVersion != "" {
 		versions = append(versions, tweet.SecondaryVersion+" (secondary)")
@@ -272,20 +291,20 @@ func postTweet(kind string) {
 	} else if resp != "Y" && resp != "y" {
 		log.Fatalln("stopped as requested")
 	}
-	tweetRelease := map[string]func(workflow.TaskContext, task.ReleaseTweet, bool) (string, error){
+	tweetRelease := map[string]func(*workflow.TaskContext, task.ReleaseTweet, task.ExternalConfig) (string, error){
 		"minor": task.TweetMinorRelease,
 		"beta":  task.TweetBetaRelease,
 		"rc":    task.TweetRCRelease,
 		"major": task.TweetMajorRelease,
 	}[kind]
-	tweetURL, err := tweetRelease(workflow.TaskContext{Context: context.Background(), Logger: log.Default()}, tweet, dryRun)
+	tweetURL, err := tweetRelease(&workflow.TaskContext{Context: context.Background(), Logger: log.Default()}, tweet, extCfg)
 	if errors.Is(err, task.ErrTweetTooLong) && len([]rune(tweet.Security)) > 120 {
 		log.Fatalf(`A tweet was not created because it's too long.
 
 The provided security sentence is somewhat long (%d characters),
 so try making it shorter to avoid exceeding Twitter's limits.`, len([]rune(tweet.Security)))
 	} else if err != nil {
-		log.Fatalf(`tweetRelease(ctx, %#v) failed:
+		log.Fatalf(`tweetRelease(ctx, %#v, extCfg) failed:
 
 	%v
 

cmd/releasebot/twitter.go

@@ -0,0 +1,32 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+
+	"golang.org/x/build/buildenv"
+	"golang.org/x/build/internal/secret"
+)
+
+// loadTwitterAuth loads Twitter API credentials.
+func loadTwitterAuth() (secret.TwitterCredentials, error) {
+	sc, err := secret.NewClientInProject(buildenv.Production.ProjectName)
+	if err != nil {
+		return secret.TwitterCredentials{}, err
+	}
+	defer sc.Close()
+	secretJSON, err := sc.Retrieve(context.Background(), secret.NameTwitterAPISecret)
+	if err != nil {
+		return secret.TwitterCredentials{}, err
+	}
+	var v secret.TwitterCredentials
+	err = json.Unmarshal([]byte(secretJSON), &v)
+	if err != nil {
+		return secret.TwitterCredentials{}, err
+	}
+	return v, nil
+}

internal/secret/gcp_secret_manager.go

@@ -8,6 +8,7 @@ package secret
 
 import (
 	"context"
+	"fmt"
 	"io"
 	"log"
 	"path"
@@ -34,7 +35,7 @@ const (
 	// NameGitHubSSHKey is the secret name for the GitHub SSH private key.
 	NameGitHubSSHKey = "github-ssh-private-key"
 
-	// NameGobotPassword is the secret name for the Gobot password.
+	// NameGobotPassword is the secret name for the [email protected] Gerrit account password.
 	NameGobotPassword = "gobot-password"
 
 	// NameGomoteSSHPrivateKey is the secret name for the gomote SSH private key.
@@ -66,7 +67,7 @@ const (
 	// posting tweets from the Go project's Twitter account (twitter.com/golang).
 	//
 	// The secret value encodes relevant keys and their secrets as
-	// a JSON object:
+	// a JSON object that can be unmarshaled into TwitterCredentials:
 	//
 	// 	{
 	// 		"ConsumerKey":       "...",
@@ -75,8 +76,31 @@ const (
 	// 		"AccessTokenSecret": "..."
 	// 	}
 	NameTwitterAPISecret = "twitter-api-secret"
+	// NameStagingTwitterAPISecret is the secret name for Twitter API credentials
+	// for posting tweets using a staging test Twitter account.
+	//
+	// This secret is available in the Secret Manager of the x/build staging GCP project.
+	//
+	// The secret value encodes relevant keys and their secrets as
+	// a JSON object that can be unmarshaled into TwitterCredentials.
+	NameStagingTwitterAPISecret = "staging-" + NameTwitterAPISecret
 )
 
+// TwitterCredentials holds Twitter API credentials.
+type TwitterCredentials struct {
+	ConsumerKey       string
+	ConsumerSecret    string
+	AccessTokenKey    string
+	AccessTokenSecret string
+}
+
+func (t TwitterCredentials) String() string {
+	return fmt.Sprintf("{%s (redacted) %s (redacted)}", t.ConsumerKey, t.AccessTokenKey)
+}
+func (t TwitterCredentials) GoString() string {
+	return fmt.Sprintf("secret.TwitterCredentials{ConsumerKey:%q ConsumerSecret:(redacted) AccessTokenKey:%q AccessTokenSecret:(redacted)}", t.ConsumerKey, t.AccessTokenKey)
+}
+
 type secretClient interface {
 	AccessSecretVersion(ctx context.Context, req *secretmanagerpb.AccessSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.AccessSecretVersionResponse, error)
 	io.Closer

internal/task/dlcl.go

@@ -6,7 +6,6 @@ package task
 
 import (
 	"bytes"
-	"context"
 	"fmt"
 	"go/format"
 	"path"
@@ -15,9 +14,8 @@ import (
 	"text/template"
 	"time"
 
-	"golang.org/x/build/buildenv"
 	"golang.org/x/build/gerrit"
-	"golang.org/x/build/internal/secret"
+	"golang.org/x/build/internal/workflow"
 )
 
 // MailDLCL mails a golang.org/dl CL that adds commands for the
@@ -28,9 +26,8 @@ import (
 // 	• "go1.18" for a major Go release
 // 	• "go1.18beta1" or "go1.18rc1" for a pre-release
 //
-// Credentials are fetched from Secret Manager.
 // On success, the URL of the change is returned, like "https://go.dev/cl/123".
-func MailDLCL(ctx context.Context, versions []string) (changeURL string, _ error) {
+func MailDLCL(ctx *workflow.TaskContext, versions []string, e ExternalConfig) (changeURL string, _ error) {
 	if len(versions) < 1 || len(versions) > 2 {
 		return "", fmt.Errorf("got %d Go versions, want 1 or 2", len(versions))
 	}
@@ -67,33 +64,36 @@ func MailDLCL(ctx context.Context, versions []string) (changeURL string, _ error
 			return "", fmt.Errorf("could not gofmt: %v", err)
 		}
 		files[path.Join(ver, "main.go")] = string(gofmted)
+		if log := ctx.Logger; log != nil {
+			log.Printf("file %q (command %q):\n%s", path.Join(ver, "main.go"), "golang.org/dl/"+ver, gofmted)
+		}
 	}
 
 	// Create a Gerrit CL using the Gerrit API.
-	gobot, err := gobot()
-	if err != nil {
-		return "", err
+	if e.DryRun {
+		return "(dry-run)", nil
 	}
-	ci, err := gobot.CreateChange(ctx, gerrit.ChangeInput{
+	cl := gerrit.NewClient(e.GerritAPI.URL, e.GerritAPI.Auth)
+	c, err := cl.CreateChange(ctx, gerrit.ChangeInput{
 		Project: "dl",
 		Subject: "dl: add " + strings.Join(versions, " and "),
 		Branch:  "master",
 	})
 	if err != nil {
 		return "", err
 	}
-	changeID := fmt.Sprintf("%s~%d", ci.Project, ci.ChangeNumber)
+	changeID := fmt.Sprintf("%s~%d", c.Project, c.ChangeNumber)
 	for path, content := range files {
-		err := gobot.ChangeFileContentInChangeEdit(ctx, changeID, path, content)
+		err := cl.ChangeFileContentInChangeEdit(ctx, changeID, path, content)
 		if err != nil {
 			return "", err
 		}
 	}
-	err = gobot.PublishChangeEdit(ctx, changeID)
+	err = cl.PublishChangeEdit(ctx, changeID)
 	if err != nil {
 		return "", err
 	}
-	return fmt.Sprintf("https://go.dev/cl/%d", ci.ChangeNumber), nil
+	return fmt.Sprintf("https://go.dev/cl/%d", c.ChangeNumber), nil
 }
 
 func verifyGoVersions(versions ...string) error {
@@ -153,18 +153,3 @@ func main() {
 	version.Run("{{.Version}}")
 }
 `))
-
-// gobot creates an authenticated Gerrit API client
-// that uses the [email protected] Gerrit account.
-func gobot() (*gerrit.Client, error) {
-	sc, err := secret.NewClientInProject(buildenv.Production.ProjectName)
-	if err != nil {
-		return nil, err
-	}
-	defer sc.Close()
-	token, err := sc.Retrieve(context.Background(), secret.NameGobotPassword)
-	if err != nil {
-		return nil, err
-	}
-	return gerrit.NewClient("https://go-review.googlesource.com", gerrit.BasicAuth("git-gobot.golang.org", token)), nil
-}