travis-ci setup releases with --github-token - github

I am having problems using setup releases with a github token. I like travis-ci but I am not willing to hand out my github password - I need to use the token and I read the documentation as this should be possible this way. Unfortunately it still asks for pasword:
$ travis login --github-token XXXXXXXXX
Successfully logged in as ligi!
$ travis whoami
You are ligi (ligi)
$ travis setup releases
Detected repository as ligi/gobandroid, is this correct? |yes|
Username:

Here's a route which doesn't involve typing your GitHub password into the terminal. I assume you have the travis CI installed. This assumes you're using travis-ci.org, but replacing --org with --com should work otherwise.
If github.com/your/repo was your repo:
Generate a Github personal access token with the following scope: read:org, public_repo, repo:status, repo_deployment, user:email, write:repo_hook
(Optional?) Login using travis login <github token> --org
Run echo <github token> | travis encrypt --org -r your/repo
Use that secret in your .travis.yml file as described in the documentation
You may need to provide full repo scope, but for the free tier of Travis, public_repo is enough. I'm also not sure which of the other scopes are mandatory.
echo is useful on Windows because Ctrl-D doesn't work properly in Powershell.

The Travis CI CLI will not send the GitHub password to Travis CI, instead it will send it to GitHub and use it to generate a GitHub token (the same is true for travis login).
However, if you still feel uncomfortable, you can configure the deployment manually.
Add the following to your .travis.yml:
deploy:
provider: releases
api_key: "GITHUB OAUTH TOKEN"
file: "FILE TO UPLOAD"
skip_cleanup: true
on:
tags: true
all_branches: true
You can encrypt the GitHub OAuth token via travis encrypt .... It is not necessary to be logged in via the CLI for this, and the encryption happens locally.
See http://docs.travis-ci.com/user/deployment/releases/ for the full documentation

I think you can use -t/--token option, e.g.
travis login --org --github-token G1tHu8T0K3N
travis setup releases --org -t G1tHu8T0K3N

Related

Where are github secrets stored?

I'm on the CI part of the course
I'll start by saying all works well, and I could follow the process with ease. However, there something that works, and I cannot figure out how. Lets take this part of the main.yml file:
- name: Log in to GitHub Packages
run: echo ${GITHUB_TOKEN} | docker login -u ${GITHUB_ACTOR} --password-stdin docker.pkg.github.com
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
I have these params like GITHUB_ACTOR and GITHUB_TOKEN, that I didn't define as any part of my code, or write into a panel inside github. Are they automaticly filled in by github? If I change my token, will this code still work?
Thanks in advance
This is documented in "Automatic token authentication"
At the start of each workflow run, GitHub automatically creates a unique GITHUB_TOKEN secret to use in your workflow.
You can use the GITHUB_TOKEN to authenticate in a workflow run.
When you enable GitHub Actions, GitHub installs a GitHub App on your repository.
The GITHUB_TOKEN secret is a GitHub App installation access token. You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository. The token's permissions are limited to the repository that contains your workflow
You have Default environment variables, including:
GITHUB_ACTOR: The name of the person or app that initiated the workflow.
For example, octocat.

i am facing below issue in git based wiki updater task

I created Authentication token as well all permission for user which running pipeline is defined
If you checked Run with Build Agent Credentials as Authentication in the task. And the build account {ProjectName} build service ({OrganizationName}) was granted Read and Contribute permission in the Wiki Security page.
But you still encounter above error. It's probably because you have IIS Basic Authentication turned on in the Azure DevOps Server machine. When IIS Basic Authentication is enabled on your windows machine, it prevents you from using personal access tokens (PATs) as an authentication mechanism. See here.
We recommend you keep IIS Basic Authentication turned off at all times when using Azure DevOps Server. Only if necessary should you enable IIS Basic Authentication. When IIS Basic Authentication is enabled on your windows machine, it prevents you from using personal access tokens (PATs) as an authentication mechanism.
As workaround to this, you can add an extra header which includes a base 64 encoding of "user:PAT" to the Git requests when IIS Basic Authentication is enabled:
So you can run the pure git commands in a powershell task to update your wiki repo, instead of uisng the git based wiki updater task. See below example scripts in the powershell task (yaml format):
steps:
- powershell: |
git config --global user.email "your#eamil.com"
git config --global user.name "name"
$MyPat = "$(system.accesstoken)"
$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
#clone the wiki repo
git -c http.extraHeader="Authorization: Basic $B64Pat" clone https://server/collection/_git/Document.wiki -q
cd Document.wiki
#add a new file
echo echo "some-text" > addnew.md
git add .
git commit -m message
#push to wiki repo
git -c http.extraHeader="Authorization: Basic $B64Pat" push https://server/collection/_git/Document.wiki -q
displayName: 'update wiki'
Check here for more information.
In order to use the Build Agent OAuth token $(system.accesstoken) in above script. You need click the Agent job 1 and Check the option Allow scripts to access the OAuth token

Travis Client - Login with BitBucket account

I'm trying to encrypt a service account file for Google Cloud and transfer over BitBucket to eventually deploy to GCP Kubernetes. I'm using the travis command line to do this, but whenever I try to log in via the command line it assumes I have a GitHub account associated with Travis CI not BitBucket.
travis encrypt-file service.json -r USERNAME/REPO
When I run this, Travis assumes I have trying to auth a GitHub account and asks me to login. It tries to validate my username and password against GitHub not BitBucket.
We need your GitHub login to identify you.
Is there an alternative command line command that lets me force a BitBucket login? Or a workaround for allowing me to encrypt the file and include in my .travis.yml build file?
You can use -t TRAVIS_TOKEN instead of authentication via login command (login command assumes that you want to login via GitHub)
Your encrypt command will look like this:
travis encrypt-file --pro --repo USER/REPO -t TRAVIS_TOKEN file --add
Steps to get user token:
Login into Travis (via BitBucket)
Click your user icon (top right corner) and select Settings
This will show you your Repositories with option to show Settings or Plan.
Select Settings
Click Copy token from API authentication
Or just click this link Travis CI preferences and Copy Token.

Get latest travis build status of a repo through travis API

I need to get the latest travis build status of a repo through their API. I need a behavior identical to that of build status badge i.e it shows passing when a "push" is passing, even if a newer "pull_request" is failing.
One way of achieving is to list all builds of a repo using this and then traverse in reverse direction until I find a build which is not a pull requests and then check its status.
However, there must be a short way of doing it because the same behavior is used by build status badge. Traversing the builds every time just to get the last build status seems like a pain.
What is the API endpoint use by build status batch to directly get the last "push" build status of a repo?
The easiest solution is to not use Travis API but the build status badge. The test "passing" or "failing" is embedded as text in the SVG image:
curl -s 'https://api.travis-ci.org/$USER/$REPO.svg?branch=$BRANCH' | grep pass
curl -s 'https://api.travis-ci.org/$USER/$REPO.svg?branch=$BRANCH' | grep fail
Unless you know the build.id, the best way I think is to use the API you are referring to and pass in the query parameter limit. Something like this:
repo/{repository.id}/builds/builds?limit=1
repo/{+repository.slug}/builds/builds?limit=1
Response would still be an array but index 0 will be the most recent build. limit is not documented but it is used by Travis for their pagination.
Thank you for your question, I am looking to accomplish the same objective, here are some detailed examples of how the API should work. From that I derived the following steps to get the build status of a repository default branch using Travis CI. Below are detailed instructions:
TLDR
travis status -r a-t-0/sponsor_example --com --token <your personal Travis token>
Detailed instructions
Open a terminal and login to use the Travis Api. You can do that by first getting a Travis token, by login in with git from your terminal:
travis login --com --auto
If that does not work(returning Not Found), you should add a GitHub Token manually.
Source: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token
2.1 To get this token, first verify your github email adress if you did not yet do that.
2.2 Go to: https://github.com/settings/tokens
2.3 Add a new token and select:
2.3.1 repo control of private repositories
2.3.2 admin:org control of orgs and teams, read and write org projects
2.3.3 admin:repo_hook Full control of repository hooks
2.3.4 admin:org_hook control of organization
2.4 Write down the secret personal access token from github. It can have a form like: 1somelettersandsomenumbersordigitsandth4
2.5 Next, use this token to login to either the --pro, --com or --org account types of Travis using:
travis login --pro --github-token 1somelettersandsomenumbersordigitsandth4
travis login --com --github-token 1somelettersandsomenumbersordigitsandth4
travis login --org --github-token 1somelettersandsomenumbersordigitsandth4
That should return: Successfully logged in as <your github username>!.
2.6 Note there are three types of api call licenses: pro, com, org. This is visible in `travis status -h
2.7 To get your pro token:
travis token --pro
Your access token is <somepersonalprotoken>
2.8 To get your --org token:
travis token --org
Your access token is <somepersonalorgtoken>
2.9 To get your --com token:
travis token --com
Your access token is <somepersonalcomtoken>
Export your travis token to terminal before running the tests with:
COM_TRAVIS_TOKEN="<your secret travis pro/com token>"
Get the build status with:
travis status -r {your GitHub username}/{your repo name} --com --token $COM_TRAVIS_TOKEN
E.g.
travis status -r a-t-0/sponsor_example --com --token $COM_TRAVIS_TOKEN

Committing via travis ci failing

I am trying to use grunt-gh-pages extension to commit to my gh-branch. It works fine locally but when I use TRAVIS-CI it fails. It gives the following error message -
Warning: fatal: remote error:
You can't push to git://github.com/tusharmath/tusharm.com.git
Use https://github.com/tusharmath/tusharm.com.git
Use --force to continue.
And when I update the repo option I get the following error -
Warning: remote: Anonymous access to tusharmath/tusharm.com.git denied.
fatal: Authentication failed for 'https://github.com/tusharmath/tusharm.com.git/'
Use --force to continue.
Aborted due to warnings.
So basically I just want Travis-ci to commit the files in the gh-pages branch of my repo. Is there a way to do that?
Update The final .travis.yml that solved the problem
language: node_js
node_js:
- '0.11'
before_script:
- git config --global user.email "tusharmath#gmail.com"
- git config --global user.name "Travis-CI"
after_script:
- git config credential.helper "store --file=.git/credentials"
- echo "https://${GH_TOKEN}:#github.com" > .git/credentials
- node ./node_modules/grunt-cli/bin/grunt release
env:
global:
secure: {"lots-of-seemingly-random-characters"}
You certainly can! The first issue, like you discovered, is due to using the git:// URL to push to, but the git protocol can only be used to clone repositories.
As for the "anonymous access denied" error, that's because you need to let Travis log in to your GitHub account in order to push to the repository. Now, you probably don't want to give Travis your GitHub password, and you certainly don't have to. Instead we're going to use OAuth tokens. If you have no idea what that means, don't worry, I'll explain. An OAuth token in most cases works like a password, but it's easier to revoke access to single things.
To generate an OAuth token, go to the GitHub Applications settings page and click "Create new token" under "Personal API Access Token". You probably want to add a note for what this is, that way it's easier to keep track of and easier to revoke if you need to in the future. Note that this token is essentially a password in that it gives access to the same things a password does.
Then, you need to add the token to your .travis.yml file. First, we'll encrypt the token so only Travis can see it. For this, you need the travis Rubygem installed: gem install travis.
travis encrypt GH_TOKEN="the-token-from-github" --add
Your .travis.yml should now look something like this:
…
env:
global:
- secure: "lots-of-seemingly-random-characters"
…
Now, in order for Travis to actually use this token, you need to add some more things to your .travis.yml too.
after_script:
- git config credential.helper "store --file=.git/credentials"
- echo "https://${GH_TOKEN}:#github.com" > .git/credentials
- node ./node_modules/grunt-cli/bin/grunt release
This first tells git to look for credentials in the .git/credentials file. This can be any file you want, really, but make sure it's not one you're going to push to GitHub. Then, we add the token to the .git/credentials file. Git now knows that for pushes to https://github.com, it can use your token to authenticate.
You should be all set!
PS: If you only want to push to GitHub if the build passes, you can change after_script to after_success.
The answer by henrikhodne is great, but the solution doesn't work with grunt-gh-pages because it creates another Git repository somewhere in .grunt/grunt-gh-pages/ sub-directory. Therefore git config made in after_script or after_success section is not used by grunt-gh-pages.
It's possible to add GH_TOKEN to repository URL used by grunt-gh-pages in Gruntfile.js like this:
'gh-pages': {
// your common gh-pages config
travis: {
options: {
repo: 'https://' + process.env.GH_TOKEN + '#github.com/dim2man/csbrowser.git',
silent: true
},
src: ['**']
}
}
Note the silent: true option, it prevents publishing your token value in Travis logs.
Then your after_script or after_success section can be modified like:
after_success: grunt gh-pages:travis