woocommerce · AliSoftware · Nov 14, 2025 · Nov 14, 2025 · Nov 14, 2025 · Nov 14, 2025
diff --git a/.buildkite/commands/diff-merged-manifest.sh b/.buildkite/commands/diff-merged-manifest.sh
@@ -14,9 +14,6 @@ BUILD_VARIANT=$1
 echo "--- :rubygems: Setting up Gems"
 install_gems
 
-echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
-
 echo "--- 💾 Diff Merged Manifest (Module: WooCommerce, Build Variant: ${BUILD_VARIANT})"
 comment_with_manifest_diff "WooCommerce" ${BUILD_VARIANT}
 

diff --git a/.buildkite/commands/git-crypt-unlock.sh b/.buildkite/commands/git-crypt-unlock.sh
@@ -0,0 +1,5 @@
+#!/bin/bash 
+
+set -euo pipefail
+
+echo "$GIT_CRYPT_ENCRYPTION_KEY" | base64 -d | git-crypt unlock -
diff --git a/.buildkite/commands/gradle-cache-build.sh b/.buildkite/commands/gradle-cache-build.sh
@@ -10,11 +10,11 @@ fi
 
 "$(dirname "${BASH_SOURCE[0]}")/restore-cache.sh"
 
+echo "--- :closed_lock_with_key: Decrypting Secrets"
+.buildkite/commands/git-crypt-unlock.sh
+
 echo "--- :rubygems: Setting up Gems"
 install_gems
 
-echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
-
 echo "--- :hammer_and_wrench: Building"
 ./gradlew assembleWasabiDebug
diff --git a/.buildkite/commands/prototype-build.sh b/.buildkite/commands/prototype-build.sh
@@ -9,11 +9,11 @@ fi
 
 APP_TO_BUILD="${1?You need to specify the app to build, WooCommerce or WooCommerce-Wear}"
 
+echo "--- :closed_lock_with_key: Decrypting Secrets"
+.buildkite/commands/git-crypt-unlock.sh
+
 echo "--- :rubygems: Setting up Gems"
 install_gems
 
-echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
-
 echo "--- :hammer_and_wrench: Building ${APP_TO_BUILD}"
 bundle exec fastlane build_and_upload_prototype_build app:"${APP_TO_BUILD}"
diff --git a/.buildkite/commands/release-build.sh b/.buildkite/commands/release-build.sh
@@ -2,11 +2,11 @@
 
 APP_TO_BUILD="${1?You need to specify the app to build, WooCommerce or WooCommerce-Wear}"
 
+echo "--- :closed_lock_with_key: Decrypting Secrets"
+.buildkite/commands/git-crypt-unlock.sh
+
 echo "--- :rubygems: Setting up Gems"
 install_gems
 
-echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
-
 echo "--- :hammer_and_wrench: Building ${APP_TO_BUILD}"
 bundle exec fastlane build_and_upload_google_play app:"${APP_TO_BUILD}"
diff --git a/.buildkite/commands/run-instrumented-tests.sh b/.buildkite/commands/run-instrumented-tests.sh
@@ -8,12 +8,12 @@ fi
 
 "$(dirname "${BASH_SOURCE[0]}")/restore-cache.sh"
 
+echo "--- :closed_lock_with_key: Decrypting Secrets"
+.buildkite/commands/git-crypt-unlock.sh
+
 echo "--- :rubygems: Setting up Gems"
 install_gems
 
-echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
-
 echo "--- 🧪 Testing"
 set +e
 bundle exec fastlane build_and_instrumented_test

diff --git a/.buildkite/commands/run-unit-tests.sh b/.buildkite/commands/run-unit-tests.sh
@@ -8,12 +8,12 @@ fi
 
 "$(dirname "${BASH_SOURCE[0]}")/restore-cache.sh"
 
+echo "--- :closed_lock_with_key: Decrypting Secrets"
+.buildkite/commands/git-crypt-unlock.sh
+
 echo "--- :rubygems: Setting up Gems"
 install_gems
 
-echo "--- :closed_lock_with_key: Installing Secrets"
-bundle exec fastlane run configure_apply
-
 echo "+++ 🧪 Testing"
 set +e
 ./gradlew testJalapenoDebugUnitTest testDebugUnitTest jacocoTestReport

diff --git a/.buildkite/release-pipelines/download-release-translations.yml b/.buildkite/release-pipelines/download-release-translations.yml
@@ -10,6 +10,9 @@ steps:
 
       .buildkite/commands/checkout-release-branch.sh "$RELEASE_VERSION"
 
+      echo '--- :closed_lock_with_key: Decrypting Secrets'
+      .buildkite/commands/git-crypt-unlock.sh
+
       echo '--- :ruby: Setup Ruby Tools'
       install_gems
 

diff --git a/.buildkite/release-pipelines/finalize-release.yml b/.buildkite/release-pipelines/finalize-release.yml
@@ -10,6 +10,9 @@ steps:
 
       .buildkite/commands/checkout-release-branch.sh "$RELEASE_VERSION"
 
+      echo '--- :closed_lock_with_key: Decrypting Secrets'
+      .buildkite/commands/git-crypt-unlock.sh
+
       echo '--- :ruby: Setup Ruby Tools'
       install_gems
 

diff --git a/.buildkite/shared-pipeline-vars b/.buildkite/shared-pipeline-vars
@@ -3,6 +3,7 @@
 # This file is `source`'d before calling `buildkite-agent pipeline upload`, and can be used
 # to set up some variables that will be interpolated in the `.yml` pipeline before uploading it.
 
-export CI_TOOLKIT="automattic/a8c-ci-toolkit#5.4.0"
+# "git-crypt-unlock" branch / https://github.com/Automattic/a8c-ci-toolkit-buildkite-plugin/pull/195
+export CI_TOOLKIT="automattic/a8c-ci-toolkit#0a3f10921096cee57c18ac5667fc64c1aaad4a7d"
 export TEST_COLLECTOR="test-collector#v1.10.1"
 export CLAUDE_PLUGIN="claude-summarize#v1.1.0"
diff --git a/.configure b/.configure
diff --git a/.configure-files/automattic_upload.jks.enc b/.configure-files/automattic_upload.jks.enc
diff --git a/.configure-files/debug.keystore.enc b/.configure-files/debug.keystore.enc
diff --git a/.configure-files/firebase.secrets.json.enc b/.configure-files/firebase.secrets.json.enc
diff --git a/.configure-files/google-services.json.enc b/.configure-files/google-services.json.enc
diff --git a/.configure-files/google-upload-credentials.json.enc b/.configure-files/google-upload-credentials.json.enc
diff --git a/.configure-files/gradle.properties.enc b/.configure-files/gradle.properties.enc
diff --git a/.configure-files/secrets.properties.enc b/.configure-files/secrets.properties.enc
diff --git a/.configure-files/sentry.properties.enc b/.configure-files/sentry.properties.enc
diff --git a/.gitattributes b/.gitattributes
@@ -1,3 +1,13 @@
 RELEASE-NOTES.txt merge=union
 
-.configure-files/*.enc binary
+#########################################
+# Secrets files encrypted with git-crypt
+#########################################
+
+secrets.properties filter=git-crypt diff=git-crypt
+sentry.properties filter=git-crypt diff=git-crypt
+google-services.json filter=git-crypt diff=git-crypt
+firebase.secrets.json filter=git-crypt diff=git-crypt
+google-upload-credentials.json filter=git-crypt diff=git-crypt
+*.keystore filter=git-crypt diff=git-crypt
+*.jks filter=git-crypt diff=git-crypt
diff --git a/.gitignore b/.gitignore
@@ -25,8 +25,6 @@ developer.properties
 
 # Crash Logging Configuration
 fabric.properties
-# Sentry
-sentry.properties
 
 # Local configuration file (sdk path, etc)
 local.properties
@@ -57,6 +55,11 @@ local.properties
 # Backup Files
 *.bak
 
+# Legacy secret files managed by `configure`, before we migrated to use `git-crypt`.
+# Kept in this `.gitignore` to ensure that, if someone still had them in their local working copy and didn't do a
+# `git clean` to remove them after the migration away from `configure`, they don't risk being accidentally committed.
+.configure-files/
+
 # Android Studio Navigation editor temp files
 .navigation/
 
@@ -66,15 +69,9 @@ captures/
 # Android Studio backup files
 projectFilesBackup/
 
-# Keystore files
-*.jks
-
 # External native build folder generated in Android Studio 2.2 and later
 .externalNativeBuild
 
-# Google Services (e.g. APIs or Firebase)
-google-services.json
-
 # Silver Searcher ignore file
 .agignore
 
@@ -88,7 +85,6 @@ google-services.json
 fastlane/README.md
 fastlane/report.xml
 fastlane/.env
-google-upload-credentials.json
 fastlane/screenshots
 fastlane/promo_sceenshots
 # This is a byproduct of the screenshots composition process
@@ -102,15 +98,6 @@ default.profraw
 
 local-builds.gradle
 
-# All secrets should be stored under .configure-files
-# Everything without a .enc extension is ignored
-.configure-files/*
-!.configure-files/*.enc
-# This secret is not part of the repository anymore, but we keep it in the
-# gitignore for retrocompatibility, so that it won't appear as a new file and
-# be accidentally checked in the repository.
-google-upload-credentials.json
-
 # Kotlin
 .kotlin/
 

diff --git a/README.md b/README.md
@@ -38,8 +38,13 @@
     $ cd woocommerce-android
     ```
 
-1. Copy `defaults.properties` to the secrets directory: `cp defaults.properties ~/.configure/woocommerce-android/secrets/secrets.properties`. See the [Configuration Files](docs/project-overview.md#configuration-files) section for a breakdown of the properties.
-1. Generate the developer oauth2 tokens. These values get copied into the `~/.configure/woocommerce-android/secrets.properties` file in the next step. See the [OAuth2 Authentication](docs/project-overview.md#oauth2-authentication) section for details.
+1. If you are a developer at Automattic:
+   1. Make sure you have `git-crypt` installed (`brew install git-crypt`)
+   1. Open [the "WooCommerce Android git-crypt encryption key" entry in our Secret Store](https://mc.a8c.com/secret-store/?secret_id=13697), and copy the Base64 value in your clipboard
+   1. Run `pbpaste | base64 -d | git-crypt unlock -` to decrypt the encrypted files (including `secrets.properties` and `WooCommerce/google-services.json`)
+1. If you are an external contributor:
+   1. Generate developer OAuth2 tokens. See the [OAuth2 Authentication](docs/project-overview.md#oauth2-authentication) section for details.
+   1. Edit `defaults.properties` and adjust the values as needed — especially including `wp.oauth.*` ones. See the [Configuration Files](docs/project-overview.md#configuration-files) section for a breakdown of the properties.
 1. In Android Studio, open the project from the local repository. This will auto-generate `local.properties` with the SDK location.
 1. Optional: Go to Tools → Device Manager and create an emulated device.
 1. Run. (Creates a default virtual device if you skipped the previous step)

diff --git a/WooCommerce/build.gradle b/WooCommerce/build.gradle
@@ -17,7 +17,7 @@ plugins {
 
 fladle {
     variant = "vanillaDebug"
-    serviceAccountCredentials = rootProject.file(".configure-files/firebase.secrets.json")
+    serviceAccountCredentials = rootProject.file("firebase.secrets.json")
     testTargets = [
             "notPackage com.woocommerce.android.e2e.tests.screenshot",
             "notClass com.woocommerce.android.e2e.tests.ui.OrdersRealAPI",
@@ -498,12 +498,13 @@ android.buildTypes.all { buildType ->
     }
 
     // If Google services file doesn't exist, copy example file.
-    if (!file("google-services.json").exists()) {
+    def googleServicesFile = file("google-services.json")
+    if (!googleServicesFile.exists() || isFileEncrypted(googleServicesFile)) {
         tasks.copyGoogleServicesExampleFile.copy()
     }
 
     // Print warning message if example Google services file is used.
-    if ((file("google-services.json").text) == (file("google-services.json-example").text)) {
+    if ((googleServicesFile.text) == (file("google-services.json-example").text)) {
         println("WARNING: You're using the example google-services.json file. Google login will fail.")
     }
 }
@@ -516,6 +517,13 @@ static def loadPropertiesFromFile(inputFile) {
     return properties
 }
 
+static def isFileEncrypted(File file) {
+    def gitcryptHeader = [0x00, 0x47, 0x49, 0x54, 0x43, 0x52, 0x59, 0x50, 0x54] as byte[] // GITCRYPT header
+    def header = new byte[gitcryptHeader.length]
+    file.withInputStream { stream -> stream.read(header) }
+    return Arrays.equals(header, gitcryptHeader)
+}
+
 def isLeakCanaryEnabled() {
     return developerProperties.get("enable_leak_canary") ?: true
 }

diff --git a/WooCommerce/google-services.json b/WooCommerce/google-services.json
diff --git a/WooCommerce/upload.jks b/WooCommerce/upload.jks
diff --git a/debug.keystore b/debug.keystore
diff --git a/docs/project-overview.md b/docs/project-overview.md
@@ -13,11 +13,8 @@ When creating your application, you should select "**Native client**" for the ap
 The "**Website URL**", "**Redirect URLs**", and "**Javascript Origins**" fields are required but not used for
 the mobile apps. Just use "**[https://localhost](https://localhost)**".
 
-Once you've created your application in the [applications manager][wp-com-apps], you'll
-need to update the `wc.oauth.app_id` and `wc.oauth.app_secret` fields in `secrets.properties`.
-See [setup instructions][setup] for more details about secrets file. Then you can compile and run the app on a device or an emulator and 
-try to login with a WordPress.com account. Note that authenticating to WordPress.com via Google is 
-not supported in development builds of the app, only in the official release.
+Once you've created your application in the [applications manager][wp-com-apps], you'll need to update the `wc.oauth.app_id` and `wc.oauth.app_secret` fields in `defaults.properties` (copied from `defaults-example.properties`). See [setup instructions][setup] for more details.
+Then you can compile and run the app on a device or an emulator and  try to login with a WordPress.com account. Note that authenticating to WordPress.com via Google is not supported in development builds of the app, only in the official release.
 
 Note that credentials created with our [WordPress.com applications manager][wp-com-apps]
 allow login only and not signup. New accounts must be created using the [official app][wp-app]
@@ -35,7 +32,15 @@ Read more about [OAuth2][oauth] and the [WordPress.com REST endpoint][wp-api].
 
 #### `secrets.properties`
 
-The `secrets.properties` file is used to store sensitive information that should not be checked into version control. This file is located at `~/.configure/woocommerce-android/secrets/secrets.properties`.
+The `secrets.properties` file is used to store sensitive information that should not be checked into version control in clear text.
+This file is encrypted (using `git-crypt`), and only developers working at Automattic have the decryption key.
+
+If you are a developer working at Automattic, ensure you followed those instructions once after cloning the repo:
+  1. Make sure you have `git-crypt` installed (`brew install git-crypt`)
+  1. Search for "WooCommerce Android git-crypt encryption key" in our Secret Store, and copy the Base64 value in your clipboard
+  1. Run `pbpaste | base64 -d | git-crypt unlock -` to decrypt the encrypted files (including `secrets.properties`)
+
+If you are an external contributor, provide those variables in your `defaults.properties` instead:
 
 | Property                   | Description |
 |:---------------------------|:------------|

diff --git a/fastlane/Fastfile b/fastlane/Fastfile
@@ -62,7 +62,7 @@ GLOTPRESS_APP_STRINGS_PROJECT_URL = 'https://translate.wordpress.com/projects/wo
 GLOTPRESS_PLAYSTORE_METADATA_PROJECT_URL = "#{GLOTPRESS_APP_STRINGS_PROJECT_URL}/release-notes/".freeze
 
 APP_PACKAGE_NAME = 'com.woocommerce.android'
-GOOGLE_FIREBASE_SECRETS_PATH = File.join(PROJECT_ROOT_FOLDER, '.configure-files', 'firebase.secrets.json')
+GOOGLE_FIREBASE_SECRETS_PATH = File.join(PROJECT_ROOT_FOLDER, 'firebase.secrets.json')
 
 # Instantiate versioning classes
 VERSION_CALCULATOR = Fastlane::Wpmreleasetoolkit::Versioning::MarketingVersionCalculator.new
@@ -80,7 +80,7 @@ DEFAULT_BRANCH = 'trunk'
 REPOSITORY_NAME = 'woocommerce-android'
 GH_ORG_NAME = 'woocommerce'
 
-UPLOAD_TO_PLAY_STORE_JSON_KEY = File.join(Dir.home, '.configure', 'woocommerce-android', 'secrets', 'google-upload-credentials.json')
+UPLOAD_TO_PLAY_STORE_JSON_KEY = File.join(PROJECT_ROOT_FOLDER, 'google-upload-credentials.json')
 
 SUPPORTED_LOCALES = [
   { glotpress: 'ar', android: 'ar', google_play: 'ar', promo_config: {} },
@@ -476,8 +476,6 @@ platform :android do
     UI.important("Downloading latest translations for release: #{release_version_current}")
     UI.user_error!("Terminating as requested. Don't forget to run the remainder of this automation manually.") unless skip_confirm || UI.confirm('Do you want to continue?')
 
-    configure_apply(force: is_ci)
-
     # Don't check translation coverage in CI
     check_translation_progress_all unless is_ci
     download_translations
@@ -511,8 +509,6 @@ platform :android do
     UI.important("Finalizing release: #{release_version_current}")
     UI.user_error!("Terminating as requested. Don't forget to run the remainder of this automation manually.") unless skip_confirm || UI.confirm('Do you want to continue?')
 
-    configure_apply(force: is_ci)
-
     # Bump the release version and build code
     UI.message 'Bumping final release version and build code...'
     VERSION_FILE.write_version(
@@ -1485,8 +1481,11 @@ platform :android do
   end
 
   def firebase_secret(name:)
-    UI.user_error!('Unable to locale Firebase Secrets File – did you run `configure apply`?') unless File.file? GOOGLE_FIREBASE_SECRETS_PATH
-    key_file_secrets = JSON.parse(File.read(GOOGLE_FIREBASE_SECRETS_PATH))
+    begin
+      key_file_secrets = JSON.parse(File.read(GOOGLE_FIREBASE_SECRETS_PATH))
+    rescue StandardError
+      UI.user_error!('Unable to read Firebase Secrets File – did you run `echo "…encryption-key…" | base64 -d | git-crypt unlock -` on the repo?')
+    end
     UI.user_error!("Unable to find key `#{name}` in #{GOOGLE_FIREBASE_SECRETS_PATH}") if key_file_secrets[name].nil?
     key_file_secrets[name]
   end

diff --git a/firebase.secrets.json b/firebase.secrets.json
diff --git a/google-upload-credentials.json b/google-upload-credentials.json
diff --git a/secrets.properties b/secrets.properties
diff --git a/sentry.properties b/sentry.properties