Travis/Secrets
From charlesreid1
Encrypting strings
Encryption keys and encrypting strings: https://docs.travis-ci.com/user/encryption-keys/
Encrypting files
Instructions for encrypting/decrypting can be found in the Travis documentation here:
https://docs.travis-ci.com/user/encrypting-files/
Let Travis handle encryption automatically
The short version:
- Install the travis command line tool:
    brew install travis
- Encrypt the file with the travis command line tool:
    travis encrypt-file FILE
- Add the openssl command given here [1] to .travis.yml
IMPORTANT: You can only encrypt ONE file per repository, so if you have multiple files to encrypt, put them in a tar file and encrypt the tar file.
Do encryption manually
If Travis is not automatically adding the encryption credentials above to the right repository (a problem you may run into when dealing with forks), you may want to encrypt and decrypt secrets manually.
This is a three-step process:
Step 1 - encrypt files
The first step is to pick a secret passphrase and use it to encrypt any secret file you have.
Use the following command to encrypt your file:
openssl aes-256-cbc -k "<your password>" -in secrets.tar.gz -out secrets.tar.gz.enc
Step 2 - add keys to Travis settings
Log in to Travis and navigate to the project. Modify the settings of the repository. There is a section where you can add environment variables.
Add a new environment variable named credentials_password with the value of <your password> (the same password used in the command above).
Step 3 - add decrypt step to .travis.yml
Now you can add the following command in your .travis.yml file to decrypt the secrets file:
before_install:
  - ...
  - cd tests/
  - openssl aes-256-cbc -k "$credentials_password" -in secrets.tar.gz.enc -out secrets.tar.gz -d
  - ...
Once you've added the encrypted secrets file (don't add the original, unencrypted secrets file!), you can commit it along with the .travis.yml file, and Travis should be able to access the secrets using the secret password provided via the environment variable.
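A local round-trip check for the three manual steps above, as an added example that is not part of the original page. It assumes openssl and tar are installed; the function names and sample data are constructed, and it swaps the page's -k option for -pass env: (keeps the passphrase out of the process list) and adds -md sha256 (OpenSSL changed its default key-derivation digest in 1.1.0, so pinning it keeps the local and CI sides in agreement).

```shell
#!/bin/sh
# Added example: round-trip check for the manual encrypt/decrypt steps.
# File names follow the page; helper functions and sample data are constructed.

# The passphrase is read from the exported $credentials_password, never from argv.
# stderr is silenced here only to keep the demo output quiet.
encrypt_secrets() {  # usage: encrypt_secrets IN OUT
    openssl aes-256-cbc -md sha256 -pass env:credentials_password \
        -in "$1" -out "$2" 2>/dev/null
}
decrypt_secrets() {  # usage: decrypt_secrets IN OUT
    openssl aes-256-cbc -d -md sha256 -pass env:credentials_password \
        -in "$1" -out "$2" 2>/dev/null
}

# Build a sample archive, encrypt it, decrypt it, and compare byte for byte.
roundtrip_ok() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        printf 'api_token=constructed-sample-value\n' > secrets.env
        tar -czf secrets.tar.gz secrets.env || exit 1
        encrypt_secrets secrets.tar.gz secrets.tar.gz.enc || exit 1
        cmp -s secrets.tar.gz secrets.tar.gz.enc && exit 1  # must not be plaintext
        decrypt_secrets secrets.tar.gz.enc decrypted.tar.gz || exit 1
        cmp -s secrets.tar.gz decrypted.tar.gz
    )
    rc=$?; rm -rf "$work"; return "$rc"
}

# A different passphrase must not yield the original file.
wrong_password_rejected() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        printf 'constructed sample\n' > secrets.tar.gz
        encrypt_secrets secrets.tar.gz secrets.tar.gz.enc || exit 1
        credentials_password='not-the-passphrase'; export credentials_password
        if decrypt_secrets secrets.tar.gz.enc out.bin; then
            ! cmp -s secrets.tar.gz out.bin   # padding passed by chance: data must differ
        fi
    )
    rc=$?; rm -rf "$work"; return "$rc"
}

# Constructed passphrase for a local run; in CI it comes from the repository settings.
: "${credentials_password:=constructed-demo-passphrase}"; export credentials_password
roundtrip_ok && wrong_password_rejected && echo "round trip verified"
```

Running this before committing secrets.tar.gz.enc confirms that the passphrase stored in the Travis settings will actually decrypt the file on the CI side.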
Example
See https://github.com/dcppc/centillion for an example of a repository that uses encrypted secrets to run Travis tests.