Reputation: 4292
If I have a private registry, e.g. Artifactory, what is the best way to share the RW key with the development team? Of course, it is not desired that all devs have possession of the common RW key or credentials which are used by Travis-CI (each dev has their own).
I would like to encrypt the credentials with a private key and provide that key to Travis-CI. It would then be safe to distribute the encrypted credentials and use the job settings in travis-ui. Travis would then decrypt the credentials and use them for the job.
The credentials are not leaked, the DevOps person doesn't go crazy updating all keys in UI-setting manually, and devs can set up a new Travis job and use the encrypted version in Travis-ui. Everybody is happy. Is it possible?
Upvotes: 6
Views: 444
Reputation: 3196
Travis provides Encryption keys:
A repository’s .travis.yml file can have “encrypted values”, such as environment variables, notification settings, and deploy api keys. These encrypted values can be added by anyone, but are only readable by Travis CI. The repository owner does not keep any secret key material.
Please note that encrypted environment variables are not available for pull requests from forks.
How it works:

Download and install Travis CLI

    gem install travis

Encrypt the variable

    travis encrypt SOMEVAR="secretvalue"

Then you can use the encrypted value inside .travis.yml using secure: (that I guess is what you need in order not to change the environment variables in every repository)

    secure: ".... encrypted data ...."

It is also possible to automatically include the encrypted value into your .travis.yml by executing:

    travis encrypt SOMEVAR="secretvalue" --add

While Travis executes the job, the encrypted key,

    env:
      - secure: "encrypted string"

becomes

    env:
      - "decrypted string"

I have the same problem in my pipelines and I will give it a try.
Upvotes: 1
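The quoted property ("can be added by anyone, but are only readable by Travis CI") is public-key encryption, and Travis keeps a separate key pair per repository, so a `secure:` string made for one repository will not decrypt in another. The sketch below is an added example, not part of the answer and not Travis's or the CLI's own code; it assumes RSA with PKCS#1 v1.5 padding and base64 output, uses locally generated keys as stand-ins, and its helper names are hypothetical.

```ruby
require 'openssl'

# Stand-in for the key pair the CI service holds for ONE repository.
# Assumption: generated locally for illustration; these are not Travis keys.
def new_repo_key(bits = 2048)
  OpenSSL::PKey::RSA.new(bits)
end

# What any developer can do: encrypt NAME=value with the repo's PUBLIC key.
def encrypt_for_repo(public_pem, assignment)
  pub = OpenSSL::PKey::RSA.new(public_pem)
  max = pub.n.num_bytes - 11 # PKCS#1 v1.5 padding needs 11 bytes
  if assignment.bytesize > max
    raise ArgumentError, "value too long (#{assignment.bytesize} > #{max} bytes)"
  end
  [pub.public_encrypt(assignment)].pack('m0') # strict base64, no newlines
end

# What only the CI side can do: decrypt with the repo's PRIVATE key.
# Returns nil when OpenSSL rejects the ciphertext; some OpenSSL versions
# return unrelated bytes instead of an error when the key is wrong.
def decrypt_on_ci(private_key, secure_b64)
  private_key.private_decrypt(secure_b64.unpack1('m'))
rescue OpenSSL::PKey::PKeyError
  nil
end

if __FILE__ == $0
  repo_a = new_repo_key # constructed sample keys
  repo_b = new_repo_key
  secure = encrypt_for_repo(repo_a.public_key.to_pem, 'SOMEVAR=secretvalue')

  puts "secure: \"#{secure[0, 32]}...\""
  puts "repo A recovers it: #{decrypt_on_ci(repo_a, secure) == 'SOMEVAR=secretvalue'}"
  puts "repo B recovers it: #{decrypt_on_ci(repo_b, secure) == 'SOMEVAR=secretvalue'}"
end
```

For the question above this means each repository needs its own encrypted copy of the registry credential, produced with that repository's public key; the plaintext stays with whoever runs the encryption.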