I'm trying to get a Travis CI build to work in both my own private fork and the repo of my organization.
I encrypted a config file using the travis encrypt-file command and it seems to have created two environment variables in the travis settings for my own fork that look like: "encrypted_d1234_key" and "encrypted_d1234_iv".
These are used when the build runs to decrypt the config file, like so:
openssl aes-256-cbc -K $encrypted_d1234_key -iv $encrypted_d1234_iv -in test.config.enc -out test.config -d
Can I somehow copy those secure environment variables over to the settings for my org's repo so that the build can decrypt the config file whether it's in my fork or my org's fork.
Or is there a better way to handle these situations?
This is might be the same issue as: What do I need for Travis-CI to decrypt secure variables on my fork?
I figured out a way to get this working. Since you can't get the keys that Travis generates for you, you just have to generate your own keys. Then, encrypt your secret goodies and push the keys into any private repo that needs them (and whose members you trust):
openssl aes-256-cbc -K 1000000000000000000000000000000000000000000000000000000000000001 -iv 10000000000000000000000000000001 -in test.config -out test.config.enc
Now, we give the keys to Travis, which stores them on a per-repo basis. These commands store them in whatever repo is set up as "origin" in git:
travis env set encrypted_d1234_key 1000000000000000000000000000000000000000000000000000000000000001
travis env set encrypted_d1234_iv 10000000000000000000000000000001
Also store them in your org's repo.
travis env set encrypted_d1234_key 1000000000000000000000000000000000000000000000000000000000000001 -r MyOrg/MyRepo
travis env set encrypted_d1234_iv 10000000000000000000000000000001 -r MyOrg/MyRepo
This is (partially) explained in the "Manual Encryption" section of the Encrypting Files docs.
Note that there are some Security Restrictions when testing Pull Requests. Travis supplies you with an environment variable so you can conditionally skip tests that require secure config.
Related
I am adding a Github actions workflow to execute terraform commands as part of the pipeline.
The terraform code refers refer to terraform modules from another repo as follows.
module <moduleName> {
source = "git::git#github.com:<orgName>/<moduleRepo>.git//<modulePath>?ref=<moduleTag>"
...
}
This will lead to fetching the code from given tag during terraform init command execution.
To ensure that https url is used instead of SSH git url. I am overriding the git config url as follows.
git config --global url."https://oauth2:$GITHUB_TOKEN#github.com/<orgName>/<moduleRepo>.git".insteadOf "ssh://git#github.com/<orgName>/<moduleRepo>.git"
But GITHUB_TOKEN does not allow git clone and this fails with the following error:
remote: Invalid username or password.
fatal: Authentication failed for
'https://github.com/<repoName>/<moduleRepo>.git/'
I also tried adding permission to the workflow for repositories as follows:
permissions:
repository-projects: read
The repo setting for action is set to : Allow all actions and reusable workflows
If I change the GITHUB_TOKEN with my PAT with repo permissions, then the workflow works without any issues.
Please let me know how to configure GITHUT_TOKEN with required permissions. I want to make it work with GITHUB_TOKEN rather than PAT.
Eventually I was able to figure out the issue. The GITHUB_TOKEN is made available to the Github Action workflow as a secret and not as an environment variable.
The issue was I was treating it as an environment variable and using it as such, which lead to the error.
I changed the workflow as follows to use it as a secret.
jobs:
<jobName>:
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
I updated the git config as follows to use the token properly:
git config --global url."https://oauth2:$GH_TOKEN#github.com/<orgName>/<moduleRepo>.git".insteadOf "ssh://git#github.com/<orgName>/<moduleRepo>.git"
The workflow now seems to work properly.
The usage is documented here: https://docs.github.com/en/rest/guides/getting-started-with-the-rest-api#authentication-example-for-github-actions
Adding my answer here to help others facing similar issue.
To log in from GitHub to my external server I use/test appleboy/ssh-action. As soon as I am on the server I start a git pull to get the latest changes to the server. However, this also includes the .github/workflows folder. And in a GH action yml file is my SSH password. I would like to avoid this. But I don't know how. Somebody know how to do this?
You should not store the password in the YAML file itself. Instead, use the GitHub Actions secrets functionality in the repository settings to store the password as a secret, and then pass it in through the environment. For example, you can pipe a secret like so:
- run: echo $PASSWORD | my-program-here
env:
PASSWORD: ${{secrets.SSH_PASSWORD}}
You can see an example of how this kind of approach is use in the Git LFS release workflow.
We are looking at setting up continuous deployment for our ruby on rails apps which are currently deployed using Capistrano. They are stored in public repo's on github.
I have read the documentation on how to do this with travis-ci.org and it looks like you do something similar to the following:-
gem install travis
travis login
travis encrypt DEPLOY_KEY="password" --add
openssl aes-256-cbc -k "password" -in deploy_id_rsa -out config/deploy_id_rsa_enc_travis -a
Then add this to the travis.yml file
after_success:
- "openssl aes-256-cbc -k $DEPLOY_KEY -in config/deploy_id_rsa_enc_travis -d -a -out config/deploy_id_rsa"
- "bundle exec cap deploy"
and this to your deploy.rb file
set :ssh_options, keys: ["config/deploy_id_rsa"] if File.exist?("config/deploy_id_rsa")
Now my question is, how does this keep the private keys safe. I'm guessing you only commit the following files to the github public repo.
config/deploy_id_rsa_enc_travis
travis.yml
deploy.rb
and the that private key should be deleted, not committed.
Is there anything else I should look out for?
The sample code you provided is taking a private key named deploy_id_rsa and encrypting it with a password. That password is then stored in Travis as a "secret". This encrypted version of the key is called deploy_id_rsa_enc_travis. You can safely commit this file: the idea is that only someone who holds the password (i.e. Travis) will be able to decrypt it.
I would look out for:
Choose a complex and impossible to guess password to perform the encryption.
How "secret" are Travis secrets? Is there any chance that the $DEPLOY_KEY (password) will get echoed to the console output, for example? Can someone log into Travis and view the secrets?
Generate a deploy_id_rsa specifically for this purpose. Do not reuse an existing key.
Ensure the key corresponds to a deploy user that is locked down (e.g. does not have sudo abilities).
Never commit the original, unencrypted key: deploy_id_rsa.
Also consider moving your Capistrano deployment to a separate, private repo. Capistrano allows you to keep your app and your deployment configuration in separate places. That way information about your server infrastructure will not be visible to the public.
To encrypt GitHub tokens to use them in your .travis.yml you seem to need the Travis CI CLI tool - which I can't install right now.
Therefore I didn't put the GitHub token in my .travis.yml but rather created a new environment variable GITHUB_TOKEN in the repository settings at https://travis-ci.org and use it like this:
github_token: $GITHUB_TOKEN
Now I can use the token to deploy to GitHub releases, for example.
Is this safe? Or are my environment variables in Travis CI somehow publicly accessible?
I found out by now: No, in general, they're not public. Yes, if you follow some rules, it seems perfectly safe to use them for sensitive information. To quote directly from the docs at https://docs.travis-ci.com/user/environment-variables#Defining-Variables-in-Repository-Settings about environment variables:
Define variables in the Repository Settings that (...) contain sensitive data, such as third-party credentials.
Some reasonable rules to keep in mind:
Most importantly: Hide them from the logs with the ON/OFF switch in the settings.
By default, the value of these new environment variables is hidden from the export line in the logs. This corresponds to the behavior of encrypted variables in your .travis.yml. The variables are stored encrypted in our systems, and get decrypted when the build script is generated.
Define them correctly with " if necessary.
These values are used directly in your build, so make sure to escape special characters (for bash) accordingly. In particular, if a value contains spaces, you should put quotes around that value. E.g. my secret passphrase should be written "my secret passphrase".
Also important to know: even if your environment variables are hidden in the logs, someone could still submit a pull request to your repository with malicious code and access the variable this way. Therefore, the variables are not available within builds from pull requests:
Similarly, we do not provide these values to untrusted builds, triggered by pull requests from another repository.
I am having problems using setup releases with a github token. I like travis-ci but I am not willing to hand out my github password - I need to use the token and I read the documentation as this should be possible this way. Unfortunately it still asks for pasword:
$ travis login --github-token XXXXXXXXX
Successfully logged in as ligi!
$ travis whoami
You are ligi (ligi)
$ travis setup releases
Detected repository as ligi/gobandroid, is this correct? |yes|
Username:
Here's a route which doesn't involve typing your GitHub password into the terminal. I assume you have the travis CI installed. This assumes you're using travis-ci.org, but replacing --org with --com should work otherwise.
If github.com/your/repo was your repo:
Generate a Github personal access token with the following scope: read:org, public_repo, repo:status, repo_deployment, user:email, write:repo_hook
(Optional?) Login using travis login <github token> --org
Run echo <github token> | travis encrypt --org -r your/repo
Use that secret in your .travis.yml file as described in the documentation
You may need to provide full repo scope, but for the free tier of Travis, public_repo is enough. I'm also not sure which of the other scopes are mandatory.
echo is useful on Windows because Ctrl-D doesn't work properly in Powershell.
The Travis CI CLI will not send the GitHub password to Travis CI, instead it will send it to GitHub and use it to generate a GitHub token (the same is true for travis login).
However, if you still feel uncomfortable, you can configure the deployment manually.
Add the following to your .travis.yml:
deploy:
provider: releases
api_key: "GITHUB OAUTH TOKEN"
file: "FILE TO UPLOAD"
skip_cleanup: true
on:
tags: true
all_branches: true
You can encrypt the GitHub OAuth token via travis encrypt .... It is not necessary to be logged in via the CLI for this, and the encryption happens locally.
See http://docs.travis-ci.com/user/deployment/releases/ for the full documentation
I think you can use -t/--token option, e.g.
travis login --org --github-token G1tHu8T0K3N
travis setup releases --org -t G1tHu8T0K3N