[AINFRA-1539] [Internal] Migrate from configure_apply to git-conceal

[AliSoftware]

Description

This updates the way this repository manages secret files needed for compilation (secret.properties, sentry.properties, etc) from being managed via configure_apply to being managed by git-conceal instead.

See paaHJt-96q-p2 more details about this migration.

Closes AINFRA-1539

Merge Timing

While this PR can be reviewed and tested already, I don't plan to merge it until January so that I can be around to help with any issues or questions that may arise with the new tool and new process.

Testing Instructions

Note

While not strictly necessary, in order to not risk messing up your everyday working copy while going through those testing instructions, I'd recommend running those steps in a separate fresh clone of the repository instead of in the working copy you usually work with.

• Clone the repo, checkout this PR's branch
• Validate that all the files that should be secret are indeed unreadable / encrypted:
  • secret.properties
  • sentry.properties
  • app/google-services.json
  • automotive/google-services.json
  • wear/google-services.json
  • google-upload-credentials.json
  • firebase.secrets.json
  • release.keystore
• Compile the project, and validate that it prints relevant warnings about secret .properties files being encrypted and thus ignored
  • We might want to validate at that stage what's the status of Google Services in particular. i.e. since at that stage {app,automotive,wear}/google-services.json files were all present but encrypted (and thus not valid JSON), how does that impact flows like Google Login in the app? And thus how would this behave for external contributors to this project?
• Follow the steps in the README.md to unlock the repo by copying the decryption key from the Secret Store and running pbpaste | base64 -d | git conceal unlock -
• Validate that the files that were previously encrypted have been re-checked out and are now appearing in clear text in your working copy
• Compile the project, and validate that the secret files (e.g. secret.properties, sentry.properties, …) are now read and their properties used during compilation
  • Validate that expected features that depend on those secret files (like Google Login for google-services.json?) work as expected in the compiled app

Note on CI failure

The CI failure on "Merged Manifest Diff" is expected, because the way this job works is that it switches to this PR's base branch to generate the base manifest and compare it with the one generated from this PR's head… but when it switches to this PR's branch, that base branch (main) doesn't have git-conceal set up—as it is still relying on configure_apply instead—so it doesn't have the google-services.json file present in main during that dance.

I expect this to be a transient issue, i.e. once this PR is merged into main and other PRs start to rebase on top so that all branches start to use git-conceal, this internal dance that "Merged Manifest Diff" does should work again.

[dangermattic]

	1 Error
🚫	This PR is tagged with do not merge label(s).

	1 Warning
⚠️	PR is not assigned to a milestone.

Generated by 🚫 Danger

[MiSikora]

@AliSoftware Should we proceed with this migration?

[AliSoftware]

Hey @MiSikora !

I think if you need to move forward with #4818 you should probably not wait for this migration to git-conceal after all.

• I've been AFK for 2 weeks in December, then been at the AI workshop/meetup since the beginning of January (I'm still there until the end of the week), then will likely need some more extra days to catch up with everything that happened while I was away when I get back etc… so I might not go back to this PR until next week
• The migration of all repos to git-conceal have been put a bit on pause while I wait for SysOps to validate that the approach is ok with them (see internal ref p5TWut-1t7-p2), so I want to clear things up with them before we commit to the plan of switching to this approach for good

So in the end, even if technically this PR is working, given the above AFK + SysOps approval points, it might take some more time than expected before I can unpause the project and we officailly go forward with merging that PR, and I don't want it to block your progress on #4818.

[AliSoftware]

I am closing this PR because (1) it's becoming stale which means that the secrets we re-encrypted in this PR are not in sync anymore with the ones still used by configure in mobile-secrets, and (2) after long discussions with SecOps team, we concluded that git-conceal would not be the solution we'd end up using and we are working on a different approach instead.