Call git-crypt unlock in CI

 - Replace calls to `configure_apply` with calls to `.buildkite/git-crypt/unlock.sh`
 - Commit the prebuilt binary to use on our EC2 images on CI(1), alongside the Dockerfile that was used to create it(2)

(1) In the future we'll probably pre-provision our custom Android AMI with it instead of shipping it inside each repo
(2) In theory we could use `docker run --rm -v …` to run `git-crypt` from within the Docker container, instead of extracting the binary from the Docker image and committing that binary. But for this to work, that requires to not only map the repo's dir as volume in the container, but also map the repo mirror dir used during `git clone --reference` / listed in `.git/objects/info/alternates`; so that can get tricky in CI that uses that git mirrors mechanism. Besides, the binary is pretty small (200KB) and being able to run it directly without Docker is not only simpler but avoids pulling the docker image in the CI agent before we can run it.

Author: AliSoftware

.buildkite/commands/diff-merged-manifest.sh

@@ -15,7 +15,7 @@ echo "--- :rubygems: Setting up Gems"
 install_gems
 
 echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
+.buildkite/git-crypt/unlock.sh
 
 echo "--- 💾 Diff Merged Manifest (Module: WooCommerce, Build Variant: ${BUILD_VARIANT})"
 comment_with_manifest_diff "WooCommerce" ${BUILD_VARIANT}

.buildkite/commands/gradle-cache-build.sh

@@ -14,7 +14,7 @@ echo "--- :rubygems: Setting up Gems"
 install_gems
 
 echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
+.buildkite/git-crypt/unlock.sh
 
 echo "--- :hammer_and_wrench: Building"
 ./gradlew assembleWasabiDebug

.buildkite/commands/prototype-build.sh

@@ -13,7 +13,7 @@ echo "--- :rubygems: Setting up Gems"
 install_gems
 
 echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
+.buildkite/git-crypt/unlock.sh
 
 echo "--- :hammer_and_wrench: Building ${APP_TO_BUILD}"
 bundle exec fastlane build_and_upload_prototype_build app:"${APP_TO_BUILD}"

.buildkite/commands/release-build.sh

@@ -6,7 +6,7 @@ echo "--- :rubygems: Setting up Gems"
 install_gems
 
 echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
+.buildkite/git-crypt/unlock.sh
 
 echo "--- :hammer_and_wrench: Building ${APP_TO_BUILD}"
 bundle exec fastlane build_and_upload_google_play app:"${APP_TO_BUILD}"

.buildkite/commands/run-instrumented-tests.sh

@@ -12,7 +12,7 @@ echo "--- :rubygems: Setting up Gems"
 install_gems
 
 echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
+.buildkite/git-crypt/unlock.sh
 
 echo "--- 🧪 Testing"
 set +e

.buildkite/commands/run-unit-tests.sh

@@ -12,7 +12,7 @@ echo "--- :rubygems: Setting up Gems"
 install_gems
 
 echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
+.buildkite/git-crypt/unlock.sh
 
 echo "+++ 🧪 Testing"
 set +e

.buildkite/git-crypt/Dockerfile

@@ -0,0 +1,34 @@
+### Builder Layer
+
+FROM amazonlinux:latest AS builder
+
+ENV VERSION=0.8.0
+
+RUN dnf install -y \
+   make \
+   gcc-c++ \
+   openssl-devel \
+   tar \
+   gzip
+
+RUN curl -L https://github.com/AGWA/git-crypt/archive/$VERSION.tar.gz | tar -zxv
+
+RUN cd git-crypt-$VERSION \
+    && make \
+    && make install PREFIX=/usr/local
+
+### Final Layer
+
+FROM amazonlinux:latest
+COPY --from=builder /usr/local/bin/git-crypt /usr/local/bin/git-crypt
+
+WORKDIR /repo
+VOLUME /repo
+ENTRYPOINT ["/usr/local/bin/git-crypt"]
+
+# To extract the binary and commit it into the repository, follow these steps:
+#
+# $ docker build --platform linux/amd64 -t git-crypt .
+# $ CONTAINER_ID=$(docker create git-crypt)
+# $ docker cp $CONTAINER_ID:/usr/local/bin/git-crypt ./git-crypt.linux-x86_64
+# $ docker rm $CONTAINER_ID

.buildkite/git-crypt/git-crypt.linux-x86_64

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+if [ -z "$GIT_CRYPT_ENCRYPTION_KEY" ]; then
+  echo "GIT_CRYPT_ENCRYPTION_KEY is not set"
+  exit 1
+fi
+
+set -euo pipefail
+
+echo "Checking for git-crypt..."
+if command -v git-crypt >/dev/null 2>&1; then
+  echo " - Using system git-crypt"
+  gitcrypt_path="git-crypt"
+elif [ "$(uname -s)" == "Linux" ] && [ "$(uname -m)" == "x86_64" ]; then
+  echo " - Using pre-compiled x86_64 git-crypt"
+  gitcrypt_path=".buildkite/git-crypt/git-crypt.linux-x86_64"
+else
+  echo "Unable to find git-crypt binary (architecture: $(uname -s) $(uname -m))"
+  exit 1
+fi
+
+echo "🔓 Decrypting repository..."
+"${gitcrypt_path}" unlock <(echo "${GIT_CRYPT_ENCRYPTION_KEY}" | base64 -d)
+echo "✅ git-crypt unlocked"

.buildkite/git-crypt/unlock.sh

@@ -13,6 +13,9 @@ steps:
       echo '--- :ruby: Setup Ruby Tools'
       install_gems
 
+      echo '--- :closed_lock_with_key: Installing Secrets'
+      .buildkite/git-crypt/unlock.sh
+
       echo '--- :globe_with_meridians: Download Release Translations'
       bundle exec fastlane download_release_translations skip_confirm:true include_wear_app:"${INCLUDE_WEAR_APP:-false}"
     agents: