Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Preserve API key integrity with Travis-CI build-notification hooks in a public repository

The Context:

I've open-sourced a repository, which is tested by Travis-CI. Travis offers build-notification hooks for the test runs, so you can get notified inside IRC, Flowdock, Campfire and HipChat. To configure these hooks you have to add settings to your .travis.yml config file, which is public. For Hipchat it looks like this:

notifications:
  hipchat: [api token]@[room name]

If I'd just put my token there in plain text everyone could see my API Token and access/spam my chatrooms. Among other things that's why Travis added secure environemt variables. Basically you can encrypt strings with your key and bind them specifically to the repository, so Travis can access the secret API keys.

What you do locally:

gem install travis
travis encrypt github-user/repo MY_SECRET_ENV=super_secret

What you put into .travis.yml

secure: <encrypted string here>

The Problem:

Unfortunately the documentation isn't overly verbose, google doesn't help, stackoverflow doesn't help yet and I can't get this to work.

Here is my first try:

travis encrypt github-user/repo HIPCHAT=super_secret

secure: <encrypted string here>
notifications:
  hipchat: <%= ENV['HIPCHAT'] %>@hipchat-room

As this doesn't work I went to travis irc on freenode and that's what they suggested

travis encrypt github-user/repo key@hipchat-room

notifications:
  hipchat:
    secure: <encrypted string here>

As you might have guessed (why am I writing this question again?) this doesn't work either. I hope you can help me fix this problem. Thank you very much

Edit: I'm very suspicious of myself. I tripple-checked the API key, it is working. It's up to Travis.

2Edit: As this appears to be a bug here is the corresponding GitHub issue

like image 808
Stephan Bönnemann-Walenta Avatar asked Dec 14 '12 21:12

Stephan Bönnemann-Walenta


1 Answers

Stephan,

Could you please try this:

notifications:
  hipchat:
    - secure: "encrypted string"

If you don't want to clutter up your commit history, you can push it on a separate branch and Travis should test that branch for you.

--Henrik

like image 122
sarahhodne Avatar answered Nov 08 '22 19:11

sarahhodne