Merge branch 'master' into extensions

Author: Alistair Laing

.travis.yml

@@ -1,18 +1,37 @@
 language: node_js
+
 node_js:
-- "lts/*"
-before_deploy:
-- test $TRAVIS_TEST_RESULT = 0
-deploy:
-- provider: script    # (If version.txt is updated) - create a new tag and push to Github, update the latest-release branch
-  script: ./create-release.sh
-  on: master
-  # Automatic deploys are enabled in Heroku for this app
-  # Every push to master will deploy a new version of this app. Deploys happen automatically.
-  # Heroku will wait for CI to pass before deploying.
+  - "lts/*"
+  - "8"
+
+os:
+  - linux
+  - osx
+  - windows
+
+jobs:
+  include:
+    # If version.txt is updated on the master branch:
+    # - create a new tag and push it to Github
+    # - update the latest-release branch
+    - stage: deploy
+      name: "Create release on GitHub 🚀"
+      os: linux
+      script: echo "Checking whether we should release..."
+      deploy:
+      - provider: script
+        script: ./create-release.sh
+        on:
+          branch: master
+      env:
+      # DEPLOY_KEY
+      - secure: qpuH/3v+wsMLy9C3bGjallB6KxFQAtDlyZf3jmX8UQ0703tIvBnZoC1h9EJXOqxZbirLPHon7g902nOuhqUfrsPQgV7XEmXMGZsp31PuK/1lkyTCG3fAdeg8wcghwZn10Gw8jYZpOfWIf2GPDL+6utIU6Aog+odcls7tHWLVT80=
+
+# Automatic deploys are also enabled in Heroku for this app
+# Every push to master will automatically deploy a new version of this app.
+# Heroku will wait for CI to pass before deploying.
+
 notifications:
   email: false
+
 sudo: false
-env:
-  global:
-  - secure: esj3ut+TwKX25QzU1koJyTVIX+x1V55graI65X8LiYXKcOP040VPJ9lIC0HeRs5UViBM0Ur1F93rGdgW2zYVzu5MLZoH7KjpzMcG30x+FDqLChT0JfNcLLtLm/wIhx/OAAmsBxXlvjPp092BeEKd3Jug8d329TxwwK5G5XxAatg=

.travis/README.md

@@ -1,18 +1,48 @@
 # Travis encrypted files
 
-This directory contains a public/private keypair generated just for this repository.
+This directory contains an encrypted private deploy key with write access to the
+Prototype Kit repository.
 
-The public key is a deploy key which has been added to the GitHub repo for push access.
+It has been encrypted using a key stored in the DEPLOY_KEY environment
+variable, which is itself encrypted using `travis encrypt`.
 
-The private key is encrypted using `travis encrypt-file` and then committed to this repo.
+The deploy key is decrypted in create-release.sh.
 
-The decrypt commands are in `.travis.yml`.
+To update the key:
 
-To regenerate a key:
+1. Generate a new keypair using ssh-keygen
+   
+  ```
+  ssh-keygen -b 4096 -f .travis/prototype-kit-deploy-key
+  ```
 
-```
-ssh-keygen -b 4096 -f .travis/govuk_prototype_kit   # Make a new keypair
-travis encrypt-file .travis/govuk_prototype_kit     # Encrypt the private key
-mv govuk_prototype_kit.enc .travis/                 # Move the private key to the right place
-rm .travis/govuk_prototype_kit                      # Remove the unencrypted private key
-```
+2. Add the *public* key as a new [deploy key], with write access to the
+   repository
+
+  ```
+  cat .travis/prototype-kit-deploy-key.pub
+  ```
+
+2. Generate a new random string which we can use as an encryption key
+
+3. Encrypt the private key using ssh-keygen
+
+  ```
+  openssl aes-256-cbc -k [encryption key here] \
+    -in prototype-kit-deploy-key \
+    -out prototype-kit-deploy-key.enc
+  ```
+
+4. Remove the unencrypted private key and the public key
+
+5. Encrypt the private key using the encryption key
+
+  ```
+  travis encrypt DEPLOY_KEY=[encryption key]
+  ```
+
+6. Add the encrypted variable to the environment variables for the deploy job
+   in .travis.yml
+
+
+[deploy key]: https://github.com/alphagov/govuk-prototype-kit/settings/keys

.travis/govuk_prototype_kit.enc

@@ -1,41 +1,42 @@
 #!/bin/bash
 set -e
 
-REPO_PATH='alphagov/govuk-prototype-kit'
-
-echo "Add config for alphagov/$REPO_PATH"
+# Check for the TRAVIS environment variable
+if [[ -z "${TRAVIS}" ]]; then
+  echo "⛔️ Refusing to run outside of Travis..."
+  exit 1
+fi
 
+# Configure git...
 git config --global user.name "Travis CI"
 git config --global user.email "travis@travis-ci.org"
-git remote add origin_ssh git@github.com:$REPO_PATH.git
+git remote add origin_ssh git@github.com:alphagov/govuk-prototype-kit.git
 
-# This openssl command was generated automatically by `travis encrypt-file`, see `.travis/README.md` for more details
-openssl aes-256-cbc -K $encrypted_a0ab9bc5246b_key -iv $encrypted_a0ab9bc5246b_iv -in .travis/govuk_prototype_kit.enc -out ~/.ssh/id_rsa -d
-chmod 600 ~/.ssh/id_rsa
+# Decrypt deploy key.
+# 
+# See `.travis/README.md` for more details
+openssl aes-256-cbc -d -k $DEPLOY_KEY \
+  -in .travis/prototype-kit-deploy-key.enc \
+  -out ~/.ssh/id_rsa
 
-echo "Check to see if the version file has been updated"
+chmod 600 ~/.ssh/id_rsa
 
 # Get the version from the version file
 VERSION_TAG="v`cat VERSION.txt`"
 
-# Create a new tag - if the version file has been updated and a tag for that
-# version doesn't already exist
-
-# Check to make sure the tag doesn't already exist
+# Check that there's not a tag for the current version already
 if ! git rev-parse $VERSION_TAG >/dev/null 2>&1; then
-  echo "Creating new tag: $VERSION_TAG"
-
-  # Create a new tag and push to Github
+  # Create a new tag and push to GitHub.
+  # 
+  # GitHub will automatically create a release for the tag, ignoring any files
+  # specified in the .gitattributes file
+  echo "🏷 Creating new tag: $VERSION_TAG"
   git tag $VERSION_TAG
   git push origin_ssh $VERSION_TAG
 
-  # This tag will trigger the builds for the deploy providers marked "# For tagged commits" in .travis.yml
-
-  # Alias branch for the most recently released tag, for easier diffing
-  # Force push local `master` branch to the `latest-release` branch on Github
+  # Force push the latest-release branch to this commit
+  echo "💨 Pushing latest-release branch to GitHub"
   git push --force origin_ssh master:latest-release
-  echo "Pushed latest-release branch to GitHub"
-
 else
-  echo "Not creating a new tag, or updating the latest-release branch as the tag already exists..."
+  echo "😴 Current version already exists as a tag on GitHub. Nothing to do."
 fi