Better secrets handling

Secrets should be defined in pre-command hooks to benefit from redaction
See https://buildkite.com/docs/pipelines/managing-log-output#redacted-environment-variables

Author: nkammah

.buildkite/hooks/pre-command

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -euo pipefail
+
+function retry {
+    local retries=$1
+    shift
+
+    local count=0
+    until "$@"; do
+        exit=$?
+        wait=$((2 ** count))
+        count=$((count + 1))
+        if [ $count -lt "$retries" ]; then
+            >&2 echo "Retry $count/$retries exited $exit, retrying in $wait seconds..."
+            sleep $wait
+        else
+            >&2 echo "Retry $count/$retries exited $exit, no more retries left."
+            return $exit
+        fi
+    done
+    return 0
+}
+
+# Secrets must be redacted
+# https://buildkite.com/docs/pipelines/managing-log-output#redacted-environment-variables
+if [[ "$BUILDKITE_PIPELINE_SLUG" == "docs-build-pr" ]];then
+    export GITHUB_TOKEN=$(retry 5 vault kv get -field=value secret/ci/elastic-docs/docs_preview_cleaner)
+fi

.buildkite/scripts/build_pr_commit_status.sh

@@ -20,16 +20,14 @@ case $status_state in
       exit 1;;
 esac
 
-gitHubToken=$(vault read -field=value secret/ci/elastic-docs/docs_preview_cleaner)
-
 githubPublishStatus="https://api.github.com/repos/${GITHUB_PR_OWNER}/${GITHUB_PR_REPO}/statuses/${GITHUB_PR_TRIGGERED_SHA}"
 data='{"state":"'$status_state'","target_url":"'$BUILDKITE_BUILD_URL'","description":"'$description'","context":"buildkite/'$BUILDKITE_PIPELINE_SLUG'"}'
 
 echo "Setting buildkite/docs commit status to ${status_state}"
 curl -s -L \
   -X POST \
   -H "Accept: application/vnd.github+json" \
-  -H "Authorization: Bearer ${gitHubToken}" \
+  -H "Authorization: Bearer ${GITHUB_TOKEN}" \
   -H "X-GitHub-Api-Version: 2022-11-28" \
   "${githubPublishStatus}" \
   -d "${data}"