
How to test a git-crypt encrypted repo with Jenkins


To solve the issue of the prompt, run the git-crypt steps manually, inserting your passphrase as a command-line argument to gpg and the decrypted symmetric key to git-crypt unlock. Here we make use of a few more tricks that will ease your life, like the use of the Jenkins environment variables.

gpg --no-tty --passphrase YOUR_PASSPHRASE_GOES_HERE --output $WORKSPACE/.git-crypt/keys/default/0/decrypted.gpg --decrypt $WORKSPACE/.git-crypt/keys/default/0/YOUR_KEY_FILE_GOES_HERE.gpg && git-crypt unlock $WORKSPACE/.git-crypt/keys/default/0/decrypted.gpg

Here we raise a second issue, and it is that executing this twice will raise an error as well. We want the repo to be decrypted only when it is encrypted. In order to solve that, first check that the file containing the symmetric key exists, generated only during the previous step. In the end, we end up with a stage that looks like:

stage('Unlock repo') {
    steps {
        script {
            sh("[ -f $WORKSPACE/.git-crypt/keys/default/0/decrypted.gpg ] || gpg --no-tty --passphrase YOUR_PASSPHRASE_GOES_HERE --output $WORKSPACE/.git-crypt/keys/default/0/decrypted.gpg --decrypt $WORKSPACE/.git-crypt/keys/default/0/YOUR_KEY_FILE_GOES_HERE.gpg && git-crypt unlock $WORKSPACE/.git-crypt/keys/default/0/decrypted.gpg")
        }
    }
}


I've built another solution for git-crypt by creating a separate container with git-crypt and invoking these in stages before and after the main build step:

pipeline {
    environment {
        // $HOME is not set in build-agent
        JAVA_TOOL_OPTIONS = '-Duser.home=/home/jenkins/'
    }
    agent {
        label 'docker'
    }
    stages {
        stage('Decrypt') {
            agent {
                docker {
                    image 'wjung/jenkins-git-crypt:latest'
                    registryUrl 'https://index.docker.io/v1/'
                    registryCredentialsId 'docker-hub'
                }
            }
            steps {
                withCredentials([file(credentialsId: 'git-crypt-key', variable: 'FILE')]) {
                    sh 'cd $WORKSPACE; git-crypt unlock $FILE'
                }
            }
        }
        stage('Build docker image') {
            agent {
                docker {
                    image 'maven:3-jdk-11'
                    args '-v /services/maven/m2:/home/jenkins/.m2 -v /services/maven/m2/cache:/home/jenkins/.cache'
                }
            }
            steps {
                configFileProvider([configFile(fileId: 'mvn-setting-xml', variable: 'MAVEN_SETTINGS')]) {
                    sh 'mvn -s $MAVEN_SETTINGS -B -Dmaven.test.skip clean deploy'
                }
            }
        }
        stage('Lock dir') {
            agent {
                docker {
                    image 'wjung/jenkins-git-crypt:latest'
                    registryUrl 'https://index.docker.io/v1/'
                    registryCredentialsId 'docker-hub'
                }
            }
            steps {
                sh 'cd $WORKSPACE; git-crypt lock'
            }
        }
    }
}

The encryption key is exported from the repository by git-crypt export-key TMPFILE and later added as a secret file with the id git-crypt-key.
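The following Jenkinsfile is an added example, not code from either answer above: it combines the idempotent unlock check of the first answer with the Jenkins credentials binding of the second, and keeps the GPG passphrase out of the Jenkinsfile, the process list and Groovy interpolation. It assumes a "Secret text" credential with the id git-crypt-passphrase (a hypothetical name), the placeholder key file name from the first answer, and GnuPG 2.1 or later for --pinentry-mode loopback.

```groovy
pipeline {
    agent any
    stages {
        stage('Unlock repo') {
            steps {
                // Assumed credential id (not from the page): a Jenkins "Secret text"
                // credential holding the passphrase of the GPG key on the agent.
                withCredentials([string(credentialsId: 'git-crypt-passphrase',
                                        variable: 'GPG_PASSPHRASE')]) {
                    // Single-quoted Groovy string: the shell expands $GPG_PASSPHRASE,
                    // so the secret never enters the pipeline's Groovy state or log.
                    sh '''
                        set -eu
                        KEYDIR="$WORKSPACE/.git-crypt/keys/default/0"
                        KEYFILE="$KEYDIR/YOUR_KEY_FILE_GOES_HERE.gpg"   # placeholder, as in the first answer
                        DECRYPTED="$KEYDIR/decrypted.gpg"
                        # Idempotent: a second run must not try to unlock twice.
                        if [ ! -f "$DECRYPTED" ]; then
                            # Passphrase over stdin (--passphrase-fd 0), not argv,
                            # so it does not show up in `ps` or the console output.
                            printf '%s\\n' "$GPG_PASSPHRASE" | gpg --batch --yes --no-tty --pinentry-mode loopback --passphrase-fd 0 --output "$DECRYPTED" --decrypt "$KEYFILE"
                            git-crypt unlock "$DECRYPTED"
                        fi
                    '''
                }
            }
        }
        stage('Build') {
            // Whatever needs the plaintext files runs here; 'mvn' is only a stand-in.
            steps { sh 'mvn -B clean verify' }
        }
    }
    post {
        always {
            // Leave neither plaintext files nor the symmetric key on a shared agent,
            // even when the build fails.
            sh '''
                cd "$WORKSPACE"
                rm -f .git-crypt/keys/default/0/decrypted.gpg
                git-crypt lock
            '''
        }
    }
}
```

On some GnuPG 2.1.x agents, loopback pinentry additionally has to be allowed with allow-loopback-pinentry in gpg-agent.conf.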