safe to commit travis secrets into public repo?
Question
I'm using travis for some of my public github repos. For deployment step (.eg creating a release in github), I need to put in a OAuth token (encrypted by travis)
Is this encrypted token safe to be committed together in the public repo source code? Since it's public repo, I would imagine anyone can see the source code and get my encrypted token. Although they are not able to decrypt it but they can use the same token to create a release in my github repo?
But if not committing to the source code, what's the best way to manage it?
2 answers
solution1
1 ACCPTED 2018-08-01 01:40:02
Yes. It's safe to out encrypted environment variables in your .travis.yml . The encryption/decryption key is generated by Travis on a per-repo basis, so when others fork your repo or even if you rename it, the encrypted variable is invalidated and you have to encrypt it again.
According to Travis CI, nobody except the automated Travis process may decrypt the value.
The only possible leak is when one of your cooperators goes nuts and decides to reveal it by modifying build script. But since you have a trust system, this isn't going ti be an issue.
solution2
0 2018-08-01 01:32:38
You should never store secrets in public / private repo. You can store the info in an environment variable. You can add your .env file, for example, to .gitignore and you can store variables there or directly in the environment.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.