Jens A. Koch

Travis-CI – Encrypt Secrects via CLI commands using the “travis” gem

Travis encryption keys are used to store information, which you want to place into your  .travis.yml file or the Travis-CI backend, but keeping them private.
You might use the encrypted keys API tokens later in your build toolchain, e.g. for instance to push commits to a Github repository or deploy release artifacts to Github Releases.

Why do i provide this tutorial? Firstly, because building the “travis” gem isn’t that easy,  due to it’s dependencies and requirements, just to name a few: make, libffi-dev, ruby2-dev.
And, secondly, the official docs over at the Travis HQ spare this topic completely out, see yourself: https://docs.travis-ci.com/user/encryption-keys/.

So, without further ado, let’s get started…

By the way: these steps works on Debian and Ubuntu (and that means they work on the Linux subsystem for Windows, too ;))

1. fetch packages

Ok, we need to resolve a lot of dependencies, before we can compile the gem.

Let’s start with fetching “Ruby2-dev”:


sudo apt-get install python-software-properties
sudo apt-add-repository ppa:brightbox/ruby-ng
sudo apt-get update
sudo apt-get install ruby2.2 ruby2.2-dev ruby-switch
sudo ruby-switch --set ruby2.2

Check: ruby -v. You should get ruby 2.2.5p319 or something alike in return.

Secondly, let’s fetch the stuff needed to build the “travis” gem:


sudo apt-get installl ibffi-dev make

Notes:
– ruby2 is needed.
– libffi is a dependency of the travis gem.
– make is needed to build the native ruby extensions.
– ruby-switch is needed to switch from the old ruby version to th enew one easily.

2. build travis gem


sudo gem install travis

3. overview on travis cli commands

Run /usr/local/bin/travis


Shell completion not installed. Would you like to install it now? |y| y

Usage: travis COMMAND ...

Available commands:

accounts displays accounts and their subscription status
branches displays the most recent build for each branch
cache lists or deletes repository caches
cancel cancels a job or build
console interactive shell
disable disables a project
enable enables a project
encrypt encrypts values for the .travis.yml
encrypt-file encrypts a file and adds decryption steps to .travis.yml
endpoint displays or changes the API endpoint
env show or modify build environment variables
help helps you out when in dire need of information
history displays a projects build history
init generates a .travis.yml and enables the project
lint display warnings for a .travis.yml
login authenticates against the API and stores the token
logout deletes the stored API token
logs streams test logs
monitor live monitor for what's going on
open opens a build or job in the browser
pubkey prints out a repository's public key
raw makes an (authenticated) API call and prints out the result
report generates a report useful for filing issues
repos lists repositories the user has certain permissions on
requests lists recent requests
restart restarts a build or job
settings access repository settings
setup sets up an addon or deploy target
show displays a build or job
sshkey checks, updates or deletes an SSH key
status checks status of the latest build
sync triggers a new sync with GitHub
token outputs the secret API token
version outputs the client version
whatsup lists most recent builds
whoami outputs the current user

run /usr/local/bin/travis help COMMAND for more infos

4. encrypt key

/usr/local/bin/travis encrypt SOMEVAR=secretvalue -r owner/project

/usr/local/bin/travis encrypt GH_TOKEN=encrypt_this_key -r owner/project

output:

secure: ".... encrypted data ...."

5. insert into .travis.yml or Travis-CI backend


env:
global:
- secure: bla/7foo$"

Once you added the token and triggered a new build, you should see an entry similar to the following one logs:


Setting environment variables from .travis.yml
$ export GH_TOKEN=[secure]

Done.

Comments Off on Travis-CI – Encrypt Secrects via CLI commands using the “travis” gem

Comments are closed.