Travis CI可以在同一个回购的不同分支中使用加密文件吗? [英] Can Travis CI use an encrypted file in different forks of the same repo?
问题描述
我试图让Travis CI构建可以在我自己的私有分支和我的组织的回购库中工作。
我使用 travis encrypt-file 命令,它似乎在我自己的fork的travis设置中创建了两个环境变量,如下所示:encrypted_d1234_key和encrypted_d1234_iv。
当构建运行以解密配置文件时使用它们,如下所示:
openssl aes-256-cbc -K $ encrypted_d1234_key -iv $ encrypted_d1234_iv -in test.config.enc -out test.config -d
我可以以某种方式将这些安全环境变量复制到我的 org's repo 的设置中,以便构建可以解密配置文件,无论它在我的fork还是我的org的fork 。
或者是否有更好的方法来处理这些情况?
这可能与问题相同:我需要什么来让Travis-CI解密我的fork中的安全变量?
我想出了一种方法来实现这一目标。既然你无法得到特拉维斯为你生成的密钥,你只需要生成你自己的密钥。然后,加密你的秘密东西,并将密钥推入任何需要它们的私人回购(以及你信任的成员):
openssl aes-256-cbc -K 100000000000000000000000000000000000000000000000000000000001 -iv 1000000000000000000000000001 -in test.config -out test.config.enc
<现在,我们给Travis提供密钥,Travis将它们存储在每个回购的基础上。这些命令将它们存储在任何在git中设置为origin的repo中:
$ b $ pre $ trac env set encrypted_d1234_key 10000000000000000000000000000000000000000000000000000000000001
travis env set encrypted_d1234_iv 10000000000000000000000000000001
还将它们存储在您的组织回购库中。
travis env set encrypted_d1234_key 1000000000000000000000000000000000000000000000000000000000000001 -r MyOrg / MyRepo
travis env set encrypted_d1234_iv 10000000000000000000000000000001 -r MyOrg / MyRepo
这是(部分)在加密文件 docs。
请注意,有一些 Security Restri测试合并请求时的权限。 Travis为您提供了一个环境变量,因此您可以有条件地跳过需要安全配置的测试。
I'm trying to get a Travis CI build to work in both my own private fork and the repo of my organization.
I encrypted a config file using the travis encrypt-file command and it seems to have created two environment variables in the travis settings for my own fork that look like: "encrypted_d1234_key" and "encrypted_d1234_iv".
These are used when the build runs to decrypt the config file, like so:
openssl aes-256-cbc -K $encrypted_d1234_key -iv $encrypted_d1234_iv -in test.config.enc -out test.config -d
Can I somehow copy those secure environment variables over to the settings for my org's repo so that the build can decrypt the config file whether it's in my fork or my org's fork.
Or is there a better way to handle these situations?
This is might be the same issue as: What do I need for Travis-CI to decrypt secure variables on my fork?
I figured out a way to get this working. Since you can't get the keys that Travis generates for you, you just have to generate your own keys. Then, encrypt your secret goodies and push the keys into any private repo that needs them (and whose members you trust):
openssl aes-256-cbc -K 1000000000000000000000000000000000000000000000000000000000000001 -iv 10000000000000000000000000000001 -in test.config -out test.config.enc
Now, we give the keys to Travis, which stores them on a per-repo basis. These commands store them in whatever repo is set up as "origin" in git:
travis env set encrypted_d1234_key 1000000000000000000000000000000000000000000000000000000000000001
travis env set encrypted_d1234_iv 10000000000000000000000000000001
Also store them in your org's repo.
travis env set encrypted_d1234_key 1000000000000000000000000000000000000000000000000000000000000001 -r MyOrg/MyRepo
travis env set encrypted_d1234_iv 10000000000000000000000000000001 -r MyOrg/MyRepo
This is (partially) explained in the "Manual Encryption" section of the Encrypting Files docs.
Note that there are some Security Restrictions when testing Pull Requests. Travis supplies you with an environment variable so you can conditionally skip tests that require secure config.
这篇关于Travis CI可以在同一个回购的不同分支中使用加密文件吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
