ci: validate secrets after bundling

siddarthkay · siddarthkay · commit edff59610b51 · 2025-09-11T17:11:08.000+05:30
diff --git a/ci/Jenkinsfile.linux b/ci/Jenkinsfile.linux
@@ -125,6 +125,31 @@ pipeline {
       } }
     }
 
+    stage('Verify Credentials') {
+      steps { script {
+        sh """
+          tar -xzf ${env.STATUS_CLIENT_TARBALL} -C ${env.WORKSPACE_TMP}
+        """
+
+        def appImagePath = sh(
+          script: "basename ${env.STATUS_CLIENT_APPIMAGE}",
+          returnStdout: true
+        ).trim()
+
+        sh """
+          chmod +x ${env.WORKSPACE_TMP}/${appImagePath}
+        """
+
+        // Run verification inside the credentials context
+        desktop.withCommonCredentials([]) {
+          sh(
+            script: "${env.WORKSPACE_TMP}/${appImagePath} --verify-credentials"
+          )
+        }
+
+      } }
+    }
+
     stage('Parallel Upload') {
       parallel {
         stage('Upload') {
diff --git a/ci/Jenkinsfile.macos b/ci/Jenkinsfile.macos
@@ -140,6 +140,21 @@ pipeline {
       } }
     }
 
+    stage('Verify Credentials') {
+      steps { script {
+        sh "hdiutil attach ${env.STATUS_CLIENT_DMG} -mountpoint /tmp/status-mount"
+
+        desktop.withCommonCredentials([]) {
+          sh(
+            script: "/tmp/status-mount/Status.app/Contents/MacOS/nim_status_client --verify-credentials"
+          )
+        }
+
+        sh "hdiutil detach /tmp/status-mount"
+
+      } }
+    }
+
     stage('Notarize') {
       when { expression { utils.isReleaseBuild() } }
       steps { script {
diff --git a/ci/Jenkinsfile.windows b/ci/Jenkinsfile.windows
@@ -125,6 +125,24 @@ pipeline {
       } }
     }
 
+    stage('Verify Credentials') {
+      steps { script {
+        sh "7z x ${env.STATUS_CLIENT_7Z} -o${env.WORKSPACE_TMP}/extracted"
+
+        def exeName = sh(
+          script: "basename ${env.STATUS_CLIENT_EXE}",
+          returnStdout: true
+        ).trim()
+
+        desktop.withCommonCredentials([]) {
+          sh(
+            script: "${env.WORKSPACE_TMP}/extracted/bin/${exeName} --verify-credentials"
+          )
+        }
+
+      } }
+    }
+
     stage('Parallel Upload') {
       /* Uploads on Windows are slow. */
       parallel {
diff --git a/src/app/core/credential_verifier.nim b/src/app/core/credential_verifier.nim
@@ -0,0 +1,28 @@
+import os, strutils, sequtils
+
+proc runCredentialVerification*(): int =
+  echo "Starting credential verification"
+
+  let thingsToCheck = getEnv("THINGS_TO_CHECK")
+  if thingsToCheck.len == 0:
+    echo "ERROR: THINGS_TO_CHECK environment variable not set"
+    return 1
+
+  let credNames = thingsToCheck.splitLines().mapIt(it.strip()).filterIt(it.len > 0)
+  if credNames.len == 0:
+    echo "ERROR: No credentials to check"
+    return 1
+
+  var missingCreds: seq[string] = @[]
+
+  for credName in credNames:
+    if not existsEnv(credName):
+      missingCreds.add(credName)
+      echo "ERROR: Missing environment variable: ", credName
+
+  if missingCreds.len > 0:
+    echo "ERROR: Credential verification failed. Missing ", missingCreds.len, " out of ", credNames.len, " credentials"
+    return 1
+  else:
+    echo "SUCCESS: All ", credNames.len, " credentials verified successfully"
+    return 0
diff --git a/src/env_cli_vars.nim b/src/env_cli_vars.nim
@@ -296,6 +296,11 @@ type StatusDesktopConfig = object
     desc: "Sets address for prometheus metrics"
     name: "METRICS_ADDRESS"
     abbr: "metrics-address" .}: string
+  verifyCredentials* {.
+    defaultValue: false
+    desc: "Verify that all required credentials are present and exit"
+    name: "VERIFY_CREDENTIALS"
+    abbr: "verify-credentials" .}: bool
 
 # On macOS the first time when a user gets the "App downloaded from the
 # internet" warning, and clicks the Open button, the OS passes a unique process
@@ -310,4 +315,4 @@ else:
 if defined(macosx):
   cliParams.keepIf(proc(p: string): bool = not p.startsWith("-psn_"))
 
-let desktopConfig = StatusDesktopConfig.load(cmdLine = cliParams, envVarsPrefix = RUN_TIME_PREFIX)
+let desktopConfig* = StatusDesktopConfig.load(cmdLine = cliParams, envVarsPrefix = RUN_TIME_PREFIX)
diff --git a/src/nim_status_client.nim b/src/nim_status_client.nim
@@ -8,12 +8,14 @@ import
 
 import status_go
 import app/core/main
+import app/core/credential_verifier
 import constants as main_constants
 import statusq_bridge
 
 import app/global/global_singleton
 import app/global/local_app_settings
 import app/boot/app_controller
+import env_cli_vars
 
 featureGuard KEYCARD_ENABLED:
   import keycard_go
@@ -118,7 +120,7 @@ proc ensureDirectories*(dataDir, tmpDir, logDir: string) =
 proc logHandlerCallback(messageType: cint, message: cstring, category: cstring, file: cstring, function: cstring, line: cint) {.cdecl, exportc.} =
   # Initialize Nim GC stack bottom for foreign threads
   # https://status-im.github.io/nim-style-guide/interop.html#calling-nim-code-from-other-languages
-  when declared(setupForeignThreadGc): 
+  when declared(setupForeignThreadGc):
     setupForeignThreadGc()
   when declared(nimGC_setStackBottom):
     var locals {.volatile, noinit.}: pointer
@@ -154,6 +156,9 @@ proc logHandlerCallback(messageType: cint, message: cstring, category: cstring,
       warn "qt message of unknown type", messageType = int(messageType)
 
 proc mainProc() =
+  # used in CI
+  if env_cli_vars.desktopConfig.verifyCredentials:
+    quit(runCredentialVerification())
 
   when defined(macosx) and defined(arm64):
     var signalStack: cstring = cast[cstring](allocShared(SIGSTKSZ))
