[bazel] Use a credential helper (#12018)

Author: shs96c

.bazelrc

@@ -119,3 +119,6 @@ test:remote --test_tag_filters=-edge,-safari,-remote
 build:remote --action_env=HOME=/home/dev
 build:remote --action_env=PATH=/bin:/usr/bin:/usr/local/bin
 test:remote --test_env=HOME=/home/dev
+
+# Make sure we sniff credentials properly
+build:remote --experimental_credential_helper=%workspace%/scripts/credential-helper.sh

scripts/credential-helper.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+# We try not to rely on there being anything installed on the
+# local machine so although it would be nice to use `jq` here
+# we don't do so. This means that a selenium build needs very
+# little installed by the user
+
+function emit_headers() {
+  echo "{\"headers\":{\"Authorization\":[\"Bearer ${1}\"]}}"
+  exit 0
+}
+
+function get() {
+  INPUT=$1
+
+  if [ -z "$(echo "$INPUT" | grep "gypsum.cluster")" ]; then
+    exit 0
+  fi
+
+  if [ -n "$GITHUB_TOKEN" ]; then
+    emit_headers "$GITHUB_TOKEN"
+  fi
+
+  if [ -n "$ENGFLOW_GITHUB_TOKEN" ]; then
+    emit_headers "${ENGFLOW_GITHUB_TOKEN}"
+  fi
+
+  KEYCHAIN="$(security find-generic-password -a selenium -s 'Selenium EngFlow' -w )"
+  if [ -n "$KEYCHAIN" ]; then
+    emit_headers "${KEYCHAIN}"
+  fi
+
+  "{\"headers\":{}"
+  exit 0
+}
+
+function set() {
+    security add-generic-password -a selenium -s 'Selenium EngFlow' -w "$1"
+    exit 0
+}
+
+cmd=$1
+
+case $cmd in
+"get")
+  get "$(</dev/stdin)"
+  ;;
+
+"set")
+  set "$(</dev/stdin)"
+  ;;
+
+"test")
+  get '{"uri":"https://gypsum.cluster.engflow.com/google.devtools.build.v1.PublishBuildEvent"}'
+  ;;
+
+*)
+  exit 1
+  ;;
+esac