Merge branch 'ci-do-not-leak-secrets' into dev

Author: greenrobot-team

Jenkinsfile

@@ -14,14 +14,15 @@ pipeline {
         GITLAB_URL = credentials('gitlab_url')
         MVN_REPO_LOGIN = credentials('objectbox_internal_mvn_user')
         MVN_REPO_URL = credentials('objectbox_internal_mvn_repo_http')
-        MVN_REPO_ARGS = "-PinternalObjectBoxRepo=$MVN_REPO_URL " +
-                        "-PinternalObjectBoxRepoUser=$MVN_REPO_LOGIN_USR " +
-                        "-PinternalObjectBoxRepoPassword=$MVN_REPO_LOGIN_PSW"
+        // Warning: use single quotes to avoid Groovy String interpolation leaking secrets.
+        MVN_REPO_ARGS = '-PinternalObjectBoxRepo=$MVN_REPO_URL ' +
+                        '-PinternalObjectBoxRepoUser=$MVN_REPO_LOGIN_USR ' +
+                        '-PinternalObjectBoxRepoPassword=$MVN_REPO_LOGIN_PSW'
         MVN_REPO_UPLOAD_URL = credentials('objectbox_internal_mvn_repo')
-        MVN_REPO_UPLOAD_ARGS = "-PpreferredRepo=$MVN_REPO_UPLOAD_URL " +
-                        "-PpreferredUsername=$MVN_REPO_LOGIN_USR " +
-                        "-PpreferredPassword=$MVN_REPO_LOGIN_PSW " +
-                        "-PversionPostFix=$versionPostfix"
+        MVN_REPO_UPLOAD_ARGS = '-PpreferredRepo=$MVN_REPO_UPLOAD_URL ' +
+                        '-PpreferredUsername=$MVN_REPO_LOGIN_USR ' +
+                        '-PpreferredPassword=$MVN_REPO_LOGIN_PSW ' +
+                        '-PversionPostFix=$versionPostfix'
         // Note: for key use Jenkins secret file with PGP key as text in ASCII-armored format.
         ORG_GRADLE_PROJECT_signingKeyFile = credentials('objectbox_signing_key')
         ORG_GRADLE_PROJECT_signingKeyId = credentials('objectbox_signing_key_id')
@@ -81,9 +82,10 @@ pipeline {
 
                 // Note: supply internal Maven repo as tests use native dependencies (can't publish those without the Java libraries).
                 // Note: add quotes around URL parameter to avoid line breaks due to semicolon in URL.
+                // Warning: use single quotes to avoid Groovy String interpolation leaking secrets.
                 sh "./gradlew $gradleArgs $MVN_REPO_ARGS " +
-                   "\"-PpreferredRepo=${BINTRAY_URL}\" -PpreferredUsername=${BINTRAY_LOGIN_USR} -PpreferredPassword=${BINTRAY_LOGIN_PSW} " +
-                   "uploadArchives"
+                   '\"-PpreferredRepo=$BINTRAY_URL\" -PpreferredUsername=$BINTRAY_LOGIN_USR -PpreferredPassword=$BINTRAY_LOGIN_PSW ' +
+                   'uploadArchives'
 
                 googlechatnotification url: 'id:gchat_java',
                     message: "Published ${currentBuild.fullDisplayName} successfully to Bintray - check https://bintray.com/objectbox/objectbox\n${env.BUILD_URL}"

ci/Jenkinsfile-Windows

@@ -10,9 +10,10 @@ pipeline {
         GITLAB_URL = credentials('gitlab_url')
         MVN_REPO_URL = credentials('objectbox_internal_mvn_repo_http')
         MVN_REPO_LOGIN = credentials('objectbox_internal_mvn_user')
-        MVN_REPO_ARGS = "-PinternalObjectBoxRepo=$MVN_REPO_URL " +
-                        "-PinternalObjectBoxRepoUser=$MVN_REPO_LOGIN_USR " +
-                        "-PinternalObjectBoxRepoPassword=$MVN_REPO_LOGIN_PSW"
+        // Warning: use single quotes to avoid Groovy String interpolation leaking secrets.
+        MVN_REPO_ARGS = '-PinternalObjectBoxRepo=%MVN_REPO_URL% ' +
+                        '-PinternalObjectBoxRepoUser=%MVN_REPO_LOGIN_USR% ' +
+                        '-PinternalObjectBoxRepoPassword=%MVN_REPO_LOGIN_PSW%'
     }
 
     options {