10

I have Travis CI on a public repository. After finishing the execution it generates an image that I want to upload to cloudinary.com, but it could be any other service.

The problem is that to do it, I need to add the auth token in `.travis.yml`. But I don't want to expose it publicly, and for that Travis offers a way to secure Env variables: http://docs.travis-ci.com/user/environment-variables/#Secure-Variables. However, they do not work on PULL requests:

> Secure Env variables are not available on pull requests from forks due to security risk of exposing such information to unknown code. Encryption and decryption keys are tied to the repository. If you fork a project and add it to Travis CI, it will have different keys to the original.

Does anyone have any idea how I could add a hidden value that is available for PUSH and PULL REQUESTS?

Mark Booth
javigomez
  • So simply merging the pull requests doesn't do the trick for you? – Odi Jul 08 '15 at 21:29
  • No, because I want to run the automated tests over pull requests that unknown people send. If they pass the tests, then I will merge these pulls. Travis will comment automatically on these pull requests with the results of the tests. I can't use the reply in this answer http://stackoverflow.com/questions/18027115/committing-via-travis-ci-failing due to the same thing. It affects pull requests – javigomez Jul 16 '15 at 10:06
  • Did you figure out how to make Travis secure variables available for pull requests? – Saurabh Shah Jul 27 '16 at 20:32
  • Not yet @SaurabhShah – javigomez Sep 05 '16 at 12:01
  • If you post a link to your repository, I can have a look at it, and see how your `.travis.yml` differs from one which works, such as the one in our project: https://github.com/eclipse/scanning/blob/master/.travis.yml – Mark Booth Aug 10 '17 at 10:36

1 Answer

1

As you already wrote in your question: according to the official Travis CI documentation https://docs.travis-ci.com/user/environment-variables you won't have access to these variables from untrusted builds such as pull requests. This makes sense, since someone could submit a pull request to your repository containing malicious code which then exposes your secret value.

Bottom line: if you want to make secret values available to pull requests, you have to assume they're not secret anymore - therefore you could also just hard code the unencrypted value to your .travis.yml and use it from there. Which doesn't seem like a good idea. ;-)

Possible solution in your case: you could just use an image hoster which provides anonymous uploading? You wouldn't need an auth key, so your pull requests would be able to upload, too.

finefoot
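
The build-side consequence of the answer above, as an added example that is not part of the original answer: a POSIX shell guard that runs a secret-dependent step (such as the image upload) only when Travis CI reports that encrypted variables are available, so pull requests from forks still run the tests and simply skip the upload. `TRAVIS_PULL_REQUEST` and `TRAVIS_SECURE_ENV_VARS` are Travis CI's own variables; `UPLOAD_TOKEN` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. UPLOAD_TOKEN is an assumed name
# for the encrypted variable; the function names are hypothetical.

# Describe the build using TRAVIS_PULL_REQUEST ("false" or the PR number).
build_kind() {
    if [ "${TRAVIS_PULL_REQUEST:-false}" = "false" ]; then
        echo "push"
    else
        echo "pull request #${TRAVIS_PULL_REQUEST}"
    fi
}

# Return 0 only when the secret may be used. Reasons go to stderr; the
# token value itself is never printed.
secret_step_allowed() {
    if [ "${TRAVIS_SECURE_ENV_VARS:-false}" != "true" ]; then
        echo "skip ($(build_kind)): secure variables not available" >&2
        return 1
    fi
    if [ -z "${UPLOAD_TOKEN:-}" ]; then
        echo "skip ($(build_kind)): UPLOAD_TOKEN is empty" >&2
        return 1
    fi
    return 0
}

# Run "$@" when allowed and propagate its exit status; otherwise succeed
# without running it, so the test result of the build is unaffected.
run_secret_step() {
    if secret_step_allowed; then
        "$@"
    else
        return 0
    fi
}

# Constructed demo values: a fork pull request, then a push build.
( TRAVIS_PULL_REQUEST=42; TRAVIS_SECURE_ENV_VARS=false; UPLOAD_TOKEN=
  run_secret_step echo "uploading image" )
( TRAVIS_PULL_REQUEST=false; TRAVIS_SECURE_ENV_VARS=true; UPLOAD_TOKEN=constructed
  run_secret_step echo "uploading image" )
```

In a build script the functions would be sourced and the real upload command passed to `run_secret_step` in place of `echo`.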