From 134776d2342a599c25ffa91757b4599a2c98c650 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Thu, 1 Jul 2021 11:18:37 -0400
Subject: [PATCH] Try to put the deploy key on tmpfs

---
 .gitlab-ci.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 898dee93..d30190fb 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -87,18 +87,20 @@ deploy-to-staging:
     - |
       # The environment variable is configured with GitLab using Terraform so
       # we can retain some bare minimum level of confidentiality.
-      base64 --decode "${PRIVATESTORAGEIO_STAGING_SSH_DEPLOY_KEY}" > "${PWD}"/deploy_key
+      KEY_DIR="$(mktemp -d -p "${XDG_RUNTIME_DIR}-deploy_key")"
+      KEY_PATH="${KEY_DIR}/deploy_key"
+      base64 --decode "${PRIVATESTORAGEIO_STAGING_SSH_DEPLOY_KEY}" > "${KEY_PATH}"
 
     # Update the deployment
     - |
-      ./ci-tools/deploy-to-staging "${PWD}"/deploy_key ${name}
+      ./ci-tools/deploy-to-staging "${KEY_PATH}" ${name}
 
     # Remove the key from the filesystem to reduce the chance of unintentional
     # disclosure.  Overall our handling of this key is still not *particulary*
     # safe or secure but that's why the key is only authorized to perform a
     # single very specific operation.
     - |
-      rm -v "${PWD}"/deploy_key
+      rm -v "${KEY_PATH}"
 
 deploy-to-production:
   stage: "deploy"
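Review bot: The `mktemp -d -p "${XDG_RUNTIME_DIR}-deploy_key"` line hands the concatenated string to `-p` as the parent directory, so mktemp looks for a directory literally named `<runtime-dir>-deploy_key`, and when `XDG_RUNTIME_DIR` is unset on the runner the parent degrades to the relative path `-deploy_key`; in either case mktemp fails and the job most likely aborts before the key is written, while a looser fallback would silently put the key in the on-disk job workspace rather than on tmpfs as the commit intends. Separating the parent from the template and failing closed when the runtime dir is missing keeps that intent explicit: `KEY_DIR="$(mktemp -d -p "${XDG_RUNTIME_DIR:?XDG_RUNTIME_DIR is unset}" deploy_key.XXXXXX)"`. The final `rm -v "${KEY_PATH}"` deletes the key file but leaves the mktemp directory behind; `rm -rf "${KEY_DIR}"` removes both (cleanup still only runs when the deploy step succeeds, which this commit does not change). The deploy-to-staging job's script begins before this hunk.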
-- 
GitLab