Enable remote caching for fork builds through Toolchain's auth plugin (…

…pantsbuild#11544)

.travis.yml

@@ -54,11 +54,6 @@ jobs:
     before_install:
     - ./build-support/bin/install_aws_cli_for_ci.sh
     - pyenv global 2.7.17 3.6.10 3.7.6 3.8.1
-    - if [[ ${TRAVIS_PULL_REQUEST} == false ]]; then openssl aes-256-cbc -K $encrypted_f6717c01a353_key
-      -iv $encrypted_f6717c01a353_iv -in build-support/secrets/remote-cache-toolchain-jwt.txt.encrypted
-      -out build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted -d && export
-      PANTS_REMOTE_OAUTH_BEARER_TOKEN_PATH=./build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted;
-      fi
     cache:
       directories:
       - ${AWS_CLI_ROOT}
@@ -115,11 +110,6 @@ jobs:
     before_install:
     - ./build-support/bin/install_aws_cli_for_ci.sh
     - pyenv global 2.7.17 3.6.10 3.7.6 3.8.1
-    - if [[ ${TRAVIS_PULL_REQUEST} == false ]]; then openssl aes-256-cbc -K $encrypted_f6717c01a353_key
-      -iv $encrypted_f6717c01a353_iv -in build-support/secrets/remote-cache-toolchain-jwt.txt.encrypted
-      -out build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted -d && export
-      PANTS_REMOTE_OAUTH_BEARER_TOKEN_PATH=./build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted;
-      fi
     cache:
       directories:
       - ${AWS_CLI_ROOT}
@@ -266,11 +256,6 @@ jobs:
     - sudo sysctl fs.inotify.max_user_watches=524288
     - ./build-support/bin/install_aws_cli_for_ci.sh
     - pyenv global 2.7.17 3.6.10 3.7.6 3.8.1
-    - if [[ ${TRAVIS_PULL_REQUEST} == false ]]; then openssl aes-256-cbc -K $encrypted_f6717c01a353_key
-      -iv $encrypted_f6717c01a353_iv -in build-support/secrets/remote-cache-toolchain-jwt.txt.encrypted
-      -out build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted -d && export
-      PANTS_REMOTE_OAUTH_BEARER_TOKEN_PATH=./build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted;
-      fi
     before_script:
     - ./build-support/bin/get_ci_bootstrapped_pants_pex.sh ${AWS_BUCKET} ${BOOTSTRAPPED_PEX_KEY_PREFIX}.${BOOTSTRAPPED_PEX_KEY_SUFFIX}
     cache:
@@ -321,11 +306,6 @@ jobs:
     - sudo sysctl fs.inotify.max_user_watches=524288
     - ./build-support/bin/install_aws_cli_for_ci.sh
     - pyenv global 2.7.17 3.6.10 3.7.6 3.8.1
-    - if [[ ${TRAVIS_PULL_REQUEST} == false ]]; then openssl aes-256-cbc -K $encrypted_f6717c01a353_key
-      -iv $encrypted_f6717c01a353_iv -in build-support/secrets/remote-cache-toolchain-jwt.txt.encrypted
-      -out build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted -d && export
-      PANTS_REMOTE_OAUTH_BEARER_TOKEN_PATH=./build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted;
-      fi
     before_script:
     - ./build-support/bin/get_ci_bootstrapped_pants_pex.sh ${AWS_BUCKET} ${BOOTSTRAPPED_PEX_KEY_PREFIX}.${BOOTSTRAPPED_PEX_KEY_SUFFIX}
     cache:
@@ -450,11 +430,6 @@ jobs:
     - wget -qO- "https://github.com/crazy-max/travis-wait-enhanced/releases/download/v0.2.1/travis-wait-enhanced_0.2.1_linux_x86_64.tar.gz"
       | tar -zxvf - travis-wait-enhanced
     - mv travis-wait-enhanced /home/travis/bin/
-    - if [[ ${TRAVIS_PULL_REQUEST} == false ]]; then openssl aes-256-cbc -K $encrypted_f6717c01a353_key
-      -iv $encrypted_f6717c01a353_iv -in build-support/secrets/remote-cache-toolchain-jwt.txt.encrypted
-      -out build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted -d && export
-      PANTS_REMOTE_OAUTH_BEARER_TOKEN_PATH=./build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted;
-      fi
     before_script:
     - ./build-support/bin/get_ci_bootstrapped_pants_pex.sh ${AWS_BUCKET} ${BOOTSTRAPPED_PEX_KEY_PREFIX}.${BOOTSTRAPPED_PEX_KEY_SUFFIX}
     cache:
@@ -507,11 +482,6 @@ jobs:
     - wget -qO- "https://github.com/crazy-max/travis-wait-enhanced/releases/download/v0.2.1/travis-wait-enhanced_0.2.1_linux_x86_64.tar.gz"
       | tar -zxvf - travis-wait-enhanced
     - mv travis-wait-enhanced /home/travis/bin/
-    - if [[ ${TRAVIS_PULL_REQUEST} == false ]]; then openssl aes-256-cbc -K $encrypted_f6717c01a353_key
-      -iv $encrypted_f6717c01a353_iv -in build-support/secrets/remote-cache-toolchain-jwt.txt.encrypted
-      -out build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted -d && export
-      PANTS_REMOTE_OAUTH_BEARER_TOKEN_PATH=./build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted;
-      fi
     before_script:
     - ./build-support/bin/get_ci_bootstrapped_pants_pex.sh ${AWS_BUCKET} ${BOOTSTRAPPED_PEX_KEY_PREFIX}.${BOOTSTRAPPED_PEX_KEY_SUFFIX}
     cache:
@@ -632,11 +602,6 @@ jobs:
     - sudo sysctl fs.inotify.max_user_watches=524288
     - ./build-support/bin/install_aws_cli_for_ci.sh
     - pyenv global 2.7.17 3.6.10 3.7.6 3.8.1
-    - if [[ ${TRAVIS_PULL_REQUEST} == false ]]; then openssl aes-256-cbc -K $encrypted_f6717c01a353_key
-      -iv $encrypted_f6717c01a353_iv -in build-support/secrets/remote-cache-toolchain-jwt.txt.encrypted
-      -out build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted -d && export
-      PANTS_REMOTE_OAUTH_BEARER_TOKEN_PATH=./build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted;
-      fi
     before_script:
     - ./build-support/bin/get_ci_bootstrapped_pants_pex.sh ${AWS_BUCKET} ${BOOTSTRAPPED_PEX_KEY_PREFIX}.${BOOTSTRAPPED_PEX_KEY_SUFFIX}
     cache:
@@ -889,11 +854,6 @@ jobs:
     - sudo sysctl fs.inotify.max_user_watches=524288
     - ./build-support/bin/install_aws_cli_for_ci.sh
     - pyenv global 2.7.17 3.6.10 3.7.6 3.8.1
-    - if [[ ${TRAVIS_PULL_REQUEST} == false ]]; then openssl aes-256-cbc -K $encrypted_f6717c01a353_key
-      -iv $encrypted_f6717c01a353_iv -in build-support/secrets/remote-cache-toolchain-jwt.txt.encrypted
-      -out build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted -d && export
-      PANTS_REMOTE_OAUTH_BEARER_TOKEN_PATH=./build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted;
-      fi
     before_script:
     - ./build-support/bin/get_ci_bootstrapped_pants_pex.sh ${AWS_BUCKET} ${BOOTSTRAPPED_PEX_KEY_PREFIX}.${BOOTSTRAPPED_PEX_KEY_SUFFIX}
     cache:
@@ -952,11 +912,6 @@ jobs:
     - sudo sysctl fs.inotify.max_user_watches=524288
     - ./build-support/bin/install_aws_cli_for_ci.sh
     - pyenv global 2.7.17 3.6.10 3.7.6 3.8.1
-    - if [[ ${TRAVIS_PULL_REQUEST} == false ]]; then openssl aes-256-cbc -K $encrypted_f6717c01a353_key
-      -iv $encrypted_f6717c01a353_iv -in build-support/secrets/remote-cache-toolchain-jwt.txt.encrypted
-      -out build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted -d && export
-      PANTS_REMOTE_OAUTH_BEARER_TOKEN_PATH=./build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted;
-      fi
     before_script:
     - ./build-support/bin/get_ci_bootstrapped_pants_pex.sh ${AWS_BUCKET} ${BOOTSTRAPPED_PEX_KEY_PREFIX}.${BOOTSTRAPPED_PEX_KEY_SUFFIX}
     cache:

build-support/bin/ci.py

@@ -79,8 +79,8 @@ def create_parser() -> argparse.ArgumentParser:
         "--remote-cache-enabled",
         action="store_true",
         help=(
-            "Enable remote caching via Toolchain. This requires setting the options "
-            "`remote_oauth_bearer_token_path` and `remote_ca_certs_path` in your environment."
+            "Enable remote caching via Toolchain. This requires enabling "
+            "`remote_auth_plugin` and `remote_ca_certs_path` in your environment."
         ),
     )
 
@@ -158,9 +158,6 @@ def set_run_from_pex() -> None:
     os.environ["RUN_PANTS_FROM_PEX"] = "1"
 
 
-IS_PR_BUILD = "CI" in os.environ and os.environ.get("TRAVIS_PULL_REQUEST", "false") != "false"
-
-
 # -------------------------------------------------------------------------
 # Bootstrap pants.pex
 # -------------------------------------------------------------------------
@@ -270,7 +267,7 @@ def run_check(command: List[str]) -> None:
 def run_lint(*, remote_cache_enabled: bool) -> None:
     targets = ["build-support::", "src::", "tests::"]
     command = ["./pants.pex", "--tag=-nolint", "lint", "typecheck", *targets]
-    if remote_cache_enabled and IS_PR_BUILD is False:
+    if remote_cache_enabled:
         command.append("--pants-config-files=pants.remote-cache.toml")
     _run_command(
         command,
@@ -326,7 +323,7 @@ def run_python_tests(
     *, include_unit: bool, include_integration: bool, remote_cache_enabled: bool
 ) -> None:
     extra_args = []
-    if remote_cache_enabled and IS_PR_BUILD is False:
+    if remote_cache_enabled:
         extra_args.append("--pants-config-files=pants.remote-cache.toml")
     if not include_unit and not include_integration:
         raise ValueError(

build-support/bin/generate_travis_yml.py

@@ -327,13 +327,6 @@ def linux_shard(
             *_linux_before_install(
                 include_test_config=load_test_config, install_travis_wait=install_travis_wait
             ),
-            (
-                "if [[ ${TRAVIS_PULL_REQUEST} == false ]]; then openssl aes-256-cbc -K "
-                "$encrypted_f6717c01a353_key -iv $encrypted_f6717c01a353_iv -in "
-                "build-support/secrets/remote-cache-toolchain-jwt.txt.encrypted -out "
-                "build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted -d && export "
-                "PANTS_REMOTE_OAUTH_BEARER_TOKEN_PATH=./build-support/secrets/remote-cache-toolchain-jwt.txt.decrypted; fi"
-            ),
         ],
         "after_failure": ["./build-support/bin/ci-failure.sh"],
         "stage": python_version.default_stage().value,

pants.remote-cache.toml

@@ -19,3 +19,4 @@ remote_store_maximum_timeout = 5000
 # NB: this is used for Toolchain's remote caching and may need to change for other implementations.
 remote_store_server = "build.toolchain.com:443"
 remote_instance_name = "main"
+remote_auth_plugin = "toolchain.pants.auth.plugin:toolchain_auth_plugin"