ci: validate secrets after bundling

Introduces --verify-credentials flag which can be passed to status app and it will check for all the necessary credentials provided by status-jenkins-lib.
related changes are here : status-im/status-jenkins-lib#120

Adds an Audit stage in jenkins which checks for these credentials, this is an integration test in CI to ensure that bundled app has all the necessary secrets.

Author: siddarthkay

ci/Jenkinsfile.combined

@@ -1,6 +1,6 @@
 #!/usr/bin/env groovy
 
-library 'status-jenkins-lib@v1.9.27'
+library 'status-jenkins-lib@refactor-common-secrets'
 
 /* Object to store public URLs for description. */
 urls = [:]

ci/Jenkinsfile.linux

@@ -1,5 +1,5 @@
 #!/usr/bin/env groovy
-library 'status-jenkins-lib@v1.9.27'
+library 'status-jenkins-lib@refactor-common-secrets'
 
 /* Options section can't access functions in objects. */
 def isPRBuild = utils.isPRBuild()
@@ -125,6 +125,31 @@ pipeline {
       } }
     }
 
+    stage('Verify Credentials') {
+      steps { script {
+        sh """
+          tar -xzf ${env.STATUS_CLIENT_TARBALL} -C ${env.WORKSPACE_TMP}
+        """
+
+        def appImagePath = sh(
+          script: "basename ${env.STATUS_CLIENT_APPIMAGE}",
+          returnStdout: true
+        ).trim()
+
+        sh """
+          chmod +x ${env.WORKSPACE_TMP}/${appImagePath}
+        """
+
+        // Run verification inside the credentials context
+        desktop.withCommonCredentials([]) {
+          sh(
+            script: "${env.WORKSPACE_TMP}/${appImagePath} --verify-credentials"
+          )
+        }
+
+      } }
+    }
+
     stage('Parallel Upload') {
       parallel {
         stage('Upload') {

ci/Jenkinsfile.linux-nix

@@ -1,6 +1,6 @@
 #!/usr/bin/env groovy
 
-library 'status-jenkins-lib@v1.9.27'
+library 'status-jenkins-lib@refactor-common-secrets'
 
 /* Options section can't access functions in objects. */
 def isPRBuild = utils.isPRBuild()

ci/Jenkinsfile.macos

@@ -1,5 +1,5 @@
 #!/usr/bin/env groovy
-library 'status-jenkins-lib@v1.9.27'
+library 'status-jenkins-lib@refactor-common-secrets'
 
 /* Options section can't access functions in objects. */
 def isPRBuild = utils.isPRBuild()
@@ -140,6 +140,21 @@ pipeline {
       } }
     }
 
+    stage('Verify Credentials') {
+      steps { script {
+        sh "hdiutil attach ${env.STATUS_CLIENT_DMG} -mountpoint /tmp/status-mount"
+
+        desktop.withCommonCredentials([]) {
+          sh(
+            script: "/tmp/status-mount/Status.app/Contents/MacOS/nim_status_client --verify-credentials"
+          )
+        }
+
+        sh "hdiutil detach /tmp/status-mount"
+
+      } }
+    }
+
     stage('Notarize') {
       when { expression { utils.isReleaseBuild() } }
       steps { script {

ci/Jenkinsfile.tests-e2e

@@ -1,5 +1,5 @@
 #!/usr/bin/env groovy
-library 'status-jenkins-lib@v1.9.16'
+library 'status-jenkins-lib@refactor-common-secrets'
 
 pipeline {
 

ci/Jenkinsfile.tests-nim

@@ -1,5 +1,5 @@
 #!/usr/bin/env groovy
-library 'status-jenkins-lib@v1.9.16'
+library 'status-jenkins-lib@refactor-common-secrets'
 
 /* Options section can't access functions in objects. */
 def isPRBuild = utils.isPRBuild()

ci/Jenkinsfile.tests-ui

@@ -1,5 +1,5 @@
 #!/usr/bin/env groovy
-library 'status-jenkins-lib@v1.9.16'
+library 'status-jenkins-lib@refactor-common-secrets'
 
 /* Options section can't access functions in objects. */
 def isPRBuild = utils.isPRBuild()

ci/Jenkinsfile.windows

@@ -1,5 +1,5 @@
 #!/usr/bin/env groovy
-library 'status-jenkins-lib@v1.9.27'
+library 'status-jenkins-lib@refactor-common-secrets'
 
 /* Options section can't access functions in objects. */
 def isPRBuild = utils.isPRBuild()
@@ -125,6 +125,24 @@ pipeline {
       } }
     }
 
+    stage('Verify Credentials') {
+      steps { script {
+        sh "7z x ${env.STATUS_CLIENT_7Z} -o${env.WORKSPACE_TMP}/extracted"
+
+        def exeName = sh(
+          script: "basename ${env.STATUS_CLIENT_EXE}",
+          returnStdout: true
+        ).trim()
+
+        desktop.withCommonCredentials([]) {
+          sh(
+            script: "${env.WORKSPACE_TMP}/extracted/bin/${exeName} --verify-credentials"
+          )
+        }
+
+      } }
+    }
+
     stage('Parallel Upload') {
       /* Uploads on Windows are slow. */
       parallel {

src/app/core/credential_verifier.nim

@@ -0,0 +1,28 @@
+import os, strutils, sequtils
+
+proc runCredentialVerification*(): int =
+  echo "Starting credential verification"
+
+  let thingsToCheck = getEnv("THINGS_TO_CHECK")
+  if thingsToCheck.len == 0:
+    echo "ERROR: THINGS_TO_CHECK environment variable not set"
+    return 1
+
+  let credNames = thingsToCheck.splitLines().mapIt(it.strip()).filterIt(it.len > 0)
+  if credNames.len == 0:
+    echo "ERROR: No credentials to check"
+    return 1
+
+  var missingCreds: seq[string] = @[]
+
+  for credName in credNames:
+    if not existsEnv(credName):
+      missingCreds.add(credName)
+      echo "ERROR: Missing environment variable: ", credName
+
+  if missingCreds.len > 0:
+    echo "ERROR: Credential verification failed. Missing ", missingCreds.len, " out of ", credNames.len, " credentials"
+    return 1
+  else:
+    echo "SUCCESS: All ", credNames.len, " credentials verified successfully"
+    return 0

src/env_cli_vars.nim

@@ -296,6 +296,11 @@ type StatusDesktopConfig = object
     desc: "Sets address for prometheus metrics"
     name: "METRICS_ADDRESS"
     abbr: "metrics-address" .}: string
+  verifyCredentials* {.
+    defaultValue: false
+    desc: "Verify that all required credentials are present and exit"
+    name: "VERIFY_CREDENTIALS"
+    abbr: "verify-credentials" .}: bool
 
 # On macOS the first time when a user gets the "App downloaded from the
 # internet" warning, and clicks the Open button, the OS passes a unique process
@@ -310,4 +315,4 @@ else:
 if defined(macosx):
   cliParams.keepIf(proc(p: string): bool = not p.startsWith("-psn_"))
 
-let desktopConfig = StatusDesktopConfig.load(cmdLine = cliParams, envVarsPrefix = RUN_TIME_PREFIX)
+let desktopConfig* = StatusDesktopConfig.load(cmdLine = cliParams, envVarsPrefix = RUN_TIME_PREFIX)