Move flickr credentials into secret environment

Also roll them

.dockerignore

@@ -2,4 +2,3 @@ public/
 resources/
 node_modules/
 .cache/
-.env

.github/workflows/ci.yml

@@ -2,6 +2,10 @@ name: CI
 
 on: [push, pull_request]
 
+env:
+  FLICKR_API_KEY: ${{ secrets.FLICKR_API_KEY }}
+  FLICKR_USER_ID: ${{ secrets.FLICKR_USER_ID }}
+
 jobs:
   docker:
     runs-on: ubuntu-latest
@@ -10,6 +14,9 @@ jobs:
         with:
           submodules: true
 
+      - name: Dump environment
+        run: env >> .env
+
       - name: Build image
         run: docker-compose build
 
@@ -43,6 +50,9 @@ jobs:
       - name: Install Dependencies
         run: npm ci
 
+      - name: Dump environment
+        run: env >> .env
+
       - name: Build site
         run: ./scripts/release.sh
 

.github/workflows/deploy.yml

@@ -5,6 +5,10 @@ on:
     branches:
       - master
 
+env:
+  FLICKR_API_KEY: ${{ secrets.FLICKR_API_KEY }}
+  FLICKR_USER_ID: ${{ secrets.FLICKR_USER_ID }}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -14,8 +18,11 @@ jobs:
         with:
           submodules: true
 
+      - name: Dump environment
+        run: env >> .env
+
       - name: Build production container
-        run: docker build --tag docker.pkg.github.com/${GITHUB_REPOSITORY,,}/theorangeone.net:latest .
+        run: docker build --tag docker.pkg.github.com/${GITHUB_REPOSITORY,,}/theorangeone.net:latest --env-file .env .
 
       - name: Log into GitHub Docker Registry
         run: echo ${{ secrets.GITHUB_TOKEN }} | docker login docker.pkg.github.com -u ${GITHUB_REPOSITORY%/*} --password-stdin

data/flickr.yml

@@ -1,3 +0,0 @@
----
-user_id: "132071530@N06"
-api_key: 920710c1f504befe4b3da60739e473c3

docker-compose.yml

@@ -4,6 +4,7 @@ services:
   website:
     build:
       context: .
+    env_file: .env
     volumes:
       - "./public:/usr/share/nginx/html:ro"
       - "./nginx.conf:/etc/nginx/nginx.conf:ro"

layouts/_default/flickr.html

@@ -4,9 +4,9 @@
     {{ partial "content.html" . }}
 
     {{ $id := .Params.photoset }}
-    {{ $query := querify "format" "json" "nojsoncallback" "1" "api_key" .Site.Data.flickr.api_key  }}
+    {{ $query := querify "format" "json" "nojsoncallback" "1" "api_key" (getenv "FLICKR_API_KEY") }}
 
-    {{ $method := querify "method" "flickr.photosets.getPhotos" "user_id" .Site.Data.flickr.user_id "photoset_id" $id "extras" "url_k,url_q" }}
+    {{ $method := querify "method" "flickr.photosets.getPhotos" "user_id" (getenv "FLICKR_USER_ID") "photoset_id" $id "extras" "url_k,url_q" }}
     {{ $photoset := (getJSON "https://api.flickr.com/services/rest/?" $query "&" $method).photoset }}
 
     <div id="light-gallery" class="row">

scripts/common.sh

@@ -1,4 +1,7 @@
 BASEDIR=$PWD
+
+export $(cat $BASEDIR/.env | xargs)
+
 NODE_BIN=$BASEDIR/node_modules/.bin
 
 STATIC_SRC=$BASEDIR/static/src

scripts/release.sh

@@ -4,11 +4,6 @@ set -e
 
 source ./scripts/common.sh
 
-# Expose environment variables so `parcel-bundler` can access them
-env > $BASEDIR/.env
-
 ./scripts/build.sh --minify
 
 gzipper compress -e gz --verbose $OUTPUT_DIR $OUTPUT_DIR
-
-rm -f $BASEDIR/.env