Could you make this part of setup_env.sh?

Maybe something like

if which brew
then
  brew install git-secrets
else
  git clone https://github.com/awslabs/git-secrets.git
  cd git-secrets
  make install
  cd ..
  rm -rf git-secrets
fi

I haven't tried that, but I suspect it would work. I think you still need to download git-secrets before running the brew command, but I can talk to Mohs to see if we can duplicate the effects of a manual install in a script. (To try to do it from a fresh computer.)

If he doesn't have bandwidth I can reset my local environment to try that.

Using their sudo make install I still got permission errors, until I did sudo chmod 755 /usr/local/bin/git-secrets. (I couldn't install without sudo; I got cp: cannot create regular file ‘/usr/local/bin/git-secrets’: Permission denied.)

I think it's OK not to auto-setup, but it'd be useful to at least have instructions for Linux, which I think should go:

git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
sudo make install
sudo chmod 755 /usr/local/bin/git-secrets

and then a "See README for setup instructions if this fails" in setup_git_secrets or wherever is closest to the failure point if you haven't installed it yet.

I'll add the Linux stuff tomorrow, thank you for testing that out for me.

Thanks! Please use the steps in the previous comment (with sudo and chmod) though -- just plain make install doesn't work (it tries to install to a global location w/o sufficient permissions).

I think since we have a shared hooks directory, we don't actually need this setup script. If you want to put a comment either in the README or in one of the hooks saying the hooks are auto-generated by git secrets --install I think that's good.

The problem is that although the hooks are shared, the results of the git secrets --add commands are stored locally. Probably the installation pieces aren't necessary, but a centralized place to put all the adds would be good.

Oh, I see. Bummer! I think that's a blocker; having to pay attention / do work to keep the secrets list in sync defeats the utility of having something check for secrets, to me. (It's the difference between one-time setup, where if I forget to install git-secrets some scripts break, and having to remember to re-run the installs when we add/change what patterns to looks for; the potential for silent failures.)

On the RDR, we got away with a simple grep. I'm inclined to stick with something like that. It looks like this https://github.com/vanderbilt/pmi-data/blob/master/ci/test.sh#L7 :

echo "Grepping for checked-in credentials..."
set +e  # OK if grep does not find any matches.
KEY_FILES=`grep -ril "BEGIN PRIVATE KEY" . | grep -v $0 | grep -v oauth2client`
set -e
if [ "${KEY_FILES}" ]
then
  echo "No keys may be checked in, but found: $KEY_FILES"
  exit 1
fi

I think I agree with you, although theoretically we could add something to the hooks to run the script adding all our secrets before making a commit.

It may make sense to discuss this at, before, or after the standup so we all get on the same page about what our plan is? Or have a separate meeting to discuss it.

The git-secrets config file should be checked in, right? I don't see it in your PR.

The git-secrets config file is actually just part of your regular git config. workbench/.git/config Despite the fact that we want to push the git secrets configuration, we don't want to push the git config file. (Which is why I explored the idea of a script as a way to solve that?)

Using their sudo make install I still got permission errors, until I did sudo chmod 755 /usr/local/bin/git-secrets. (I couldn't install without sudo; I got cp: cannot create regular file ‘/usr/local/bin/git-secrets’: Permission denied.)

I think it's OK not to auto-setup, but it'd be useful to at least have instructions for Linux, which I think should go:

git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
sudo make install
sudo chmod 755 /usr/local/bin/git-secrets

and then a "See README for setup instructions if this fails" in setup_git_secrets or wherever is closest to the failure point if you haven't installed it yet.

.sh

I think several of these are missing tools and .sh. This should be tools/setup_env.sh right?

I think it's better to skip setup here, since it's just above.

Thanks! Please use the steps in the previous comment (with sudo and chmod) though -- just plain make install doesn't work (it tries to install to a global location w/o sufficient permissions).

Since you have these commands in setup_env, I don't think you need to include them here too. (It increases risk of them getting out of sync.)

I do agree. That said, I am getting a bit wary of doing so much in the setup env script, since I know that it can fail pretty easily if you have already run one or more steps of it?
That said, there is nothing stopping a developer from going in and looking at the file.

A few issues here.

1. The first I run setup_env.sh, make install fails because it doesn't have root access. Could fix with sudo, though by default this creates a file in /usr/local/bin that non-root users can't read/execute.
2. Re-running setup_env.sh, git clone fails with fatal: destination path 'git-secrets' already exists and is not an empty directory.
3. In trying this out, I noticed that our reference to a pre-publication snapshot of the swagger cli jar has expired.

The tweaks below are blunt, but the result works for me...

diff --git a/tools/download_swagger_cli.sh b/tools/download_swagger_cli.sh
index 8f7f547..b8a96e8 100755
--- a/tools/download_swagger_cli.sh
+++ b/tools/download_swagger_cli.sh
@@ -1 +1 @@
-wget https://oss.sonatype.org/content/repositories/snapshots/io/swagger/swagger-codegen-cli/2.3.0-SNAPSHOT/swagger-codegen-cli-2.3.0-20170716.142514-29.jar -O swagger-codegen-cli.jar
+wget https://oss.sonatype.org/content/repositories/snapshots/io/swagger/swagger-codegen-cli/2.3.0-SNAPSHOT/swagger-codegen-cli-2.3.0-20170809.095725-71.jar -O swagger-codegen-cli.jar
diff --git a/tools/setup_env.sh b/tools/setup_env.sh
index 1cc214c..fd13a46 100755
--- a/tools/setup_env.sh
+++ b/tools/setup_env.sh
@@ -16,9 +16,10 @@ if which brew
 then
   brew install git-secrets
 else
+  rm -rf git-secrets
   git clone https://github.com/awslabs/git-secrets.git
   cd git-secrets
-  make install
+  sudo make install && sudo chmod o+rx /usr/local/bin/git-secrets
   cd ..
   rm -rf git-secrets
 fi

(Note that as we move our dev env to docker, we may want to move angular CLI installation and swagger codegen CLI installation into docker too.)

I was concerned about the issues with re-running setup_env.sh anyway. I'm inclined to just provide installation instructions in the README, and not run the commands in setup_env?

I'm fine with that.

Getting off topic a bit: we should decide what happens on a developer's machine and what happens in docker, in any case.

• Installing git and git-secrets feels like a dev host machine concern
• Installing angular CLI feels "in the grey area" for me
• Installing gradle and maven feels like a "docker dev env" thing to me

I agree that git and git-secrets feels like a dev host machine concern.
The other two questions might warrant asking in the slack or the docker PR?

Option to possibly provide a nicer error message to someone who doesn't see this in the README.

{ which git-secrets; } || {
  echo 'git-secrets required and not found. See README for installation instructions.'
  echo
  exit 1
}