JL Peyret

Reputation: 12164

pypi packaging and secrets: why does a github-intended .travis.yml hold a password?

I've always understood the rule #1 of secrets is you keep them out of public source control.

So, I was prepping to upload a new package to pypi.

In .travis.yml I see:

deploy:
  provider: pypi
  distributions: sdist bdist_wheel
  user: mysuser
  password:
    secure: PLEASE_REPLACE_ME
  on:
    tags: true
    repo: myuser/pynoorm
    condition: $TOXENV == py27

Fair enough, and I guess I forgot to replace it.

But... the part that is really puzzling is when I pick a random .travis.yml on github and it has:

ANzomjrVPkzLO7MG9Zekl1Tz/Gxxx ... HmSQ3GRNPHMIRqf1xle+8/0IwDBuC/eTsOkit7WU1j9lgurCj8snXuTLUVEqf/SecAcLpmLrelRFvz//ZcOopIbwD66RJWT8pYGBH/L3MMIDFj1bIf0UIpXdBXgeTJhxW054+BhdFPGI66IvWU/kOlOcE606wqRqI9bdvop34OewJFnOQ9El...71dROWO4ETzz1wGXmO0dTVfCWMbqk7dT8OPft+tHsWWJqqeCEL3wj1uYEIYpCwLo9oSyVXwrhzRW0dysZfTCx/XfDaws3eFA6iMg6dUoBt12kwGZ5vCbgjBwPOmQrRMUEmYoyZz8n20HKojoxzUpwueFN/nbLv76arJbN8bLeb/GyE6r1Rw0DEzs8f0fBtv5agUnIpMh6EPOFYN4rwHMxt52HU7BB/Kg=

What is the point of adding a secure password to a file that you are uploading to github? What does it do? I thought the usual process was to log into github and then link your account to travis. In which case both services ought to know how to authenticate you, if you're logged into either one, without having to go through a password in a public settings file.

How dangerous/sensitive is this particular part of a github travis configuration?

Can I do without it?

The initial pypi package files were generated with CookieCutter cookiecutter-pypackage.

Upvotes: 3

Views: 100

Answers (1)

Dustin Ingram

Reputation: 21520

A repository’s .travis.yml file can have "encrypted values", such as environment variables, notification settings, and deploy API keys. These encrypted values can be added by anyone, but are only readable by Travis CI.

This is what the secure: field name indicates. It's safe to include these encrypted values in your .travis.yml and safe to upload them to GitHub as well.

You can generate secure values by installing the travis gem and running it:

$ gem install travis
$ travis encrypt "secretvalue"
<encrypted string>

Upvotes: 2
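The answer above says the secure: value is encrypted so that only Travis CI can read it. The following Ruby script is an added example, not code from the question, the answer, or the travis gem; it models that arrangement end to end with a hypothetical CI service that holds a per-repository RSA key pair and publishes only the public half. The developer side encrypts a constructed secret with the public key (the same idea as travis encrypt: RSA with PKCS#1 v1.5 padding, base64-encoded), writes it into the deploy.password.secure field of the question's YAML shape, and the CI side parses that YAML and decrypts it with the private key. The key pair, the secret and the YAML are all constructed here; no real Travis key or API is involved.

```ruby
require 'openssl'
require 'yaml'

# Hypothetical CI service: one RSA key pair per repository, generated here for
# the example. Only the public half is ever handed to developers; the private
# half would stay inside the CI service.
CI_REPO_KEY = OpenSSL::PKey::RSA.new(2048)
CI_REPO_PUBLIC_KEY = CI_REPO_KEY.public_key # public components only

# Developer side, in the spirit of `travis encrypt`: RSA-encrypt the secret
# with the repository public key (PKCS#1 v1.5 padding is OpenSSL's default for
# public_encrypt) and base64-encode it so it fits in a YAML scalar.
def encrypt_for_ci(public_key, secret)
  [public_key.public_encrypt(secret)].pack('m0') # 'm0' = strict base64, no newlines
end

# Build the `password: { secure: ... }` shape from the question's .travis.yml.
# Only the ciphertext goes into the file, so committing it exposes no secret.
def render_deploy_yaml(user, secure_value)
  {
    'deploy' => {
      'provider' => 'pypi',
      'user' => user,
      'password' => { 'secure' => secure_value },
      'on' => { 'tags' => true }
    }
  }.to_yaml
end

# CI side: read the committed file and recover the plaintext. This is the only
# place the private key is used, which is what makes the committed value safe.
def ci_decrypt_password(private_key, yaml_text)
  doc = YAML.safe_load(yaml_text)
  blob = doc.fetch('deploy').fetch('password').fetch('secure')
  private_key.private_decrypt(blob.unpack1('m0'))
end

# Anyone who only has the repository contents and the public key cannot
# recover the password: OpenSSL refuses to decrypt without private components.
def decrypt_with_public_key_fails?(public_key, yaml_text)
  doc = YAML.safe_load(yaml_text)
  public_key.private_decrypt(doc['deploy']['password']['secure'].unpack1('m0'))
  false
rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::PKeyError
  true
end

if __FILE__ == $PROGRAM_NAME
  secret = 'pypi-password-constructed-for-example' # constructed, not a real credential
  yaml_text = render_deploy_yaml('myuser', encrypt_for_ci(CI_REPO_PUBLIC_KEY, secret))
  puts yaml_text
  puts "CI recovered: #{ci_decrypt_password(CI_REPO_KEY, yaml_text)}"
  puts "Public key alone fails: #{decrypt_with_public_key_fails?(CI_REPO_PUBLIC_KEY, yaml_text)}"
end
```

Two properties worth noticing when running it: the rendered YAML never contains the plaintext, and encrypting the same secret twice gives two different secure: strings, because PKCS#1 v1.5 padding is randomized, so an attacker cannot confirm a guessed password by re-encrypting it and comparing against the committed value. What the committed ciphertext cannot protect against is the CI service itself, or a build step that prints the decrypted environment; that is why Travis only decrypts such values for builds it trusts.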
