
How To Encrypt Multiple Files With Travis CI

Mpho Mphego

Originally published at blog.mphomphego.co.za on July 25, 2019.


The Story

I have been constantly improving one of my side projects that scrapes e-commerce websites, extracts some data, then uploads the data to a Google sheet. One of my recent updates was to add email notifications, but since I use Travis CI to run the script as a cron-job, I needed to encrypt my Google Dev client_secret.json file (for obvious reasons) as well as my new email configuration file, such that Travis CI runs my script which contains sensitive information on a public platform.

However, Travis CI doesn't support multiple file encryptions, which took me a while to realize...

To the point where I stopped even counting the failed builds.

Note: The Travis CI Client overrides encrypted entries if you use it to encrypt multiple files, hence why my script kept failing to build.

In this post, I will detail a workaround to encrypt multiple files on Travis CI using the CLI client.

If you would like to check the project out, go here.

The How

Before we continue, we need to install some dependencies.

NOTE: These instructions assume that you are running Ubuntu 18.04.

Installation

You need to install the Travis CI CLI client; follow this installation guide.

TL;DR: this is for an Ubuntu installation; on anything else, continue at your own risk.

Run the following commands:

$ sudo apt update
$ sudo apt-get install ruby-full
$ gem install travis

If, like me, you do not like installing packages on your system, I have a Dockerfile which builds a Docker container in which you can easily run the travis client.

Go here for detailed installation instructions.

Testing

Once the installation is done, verify it by running: travis version

Once we have a successful installation, log in to Travis using your GitHub username and password or token details.

$ travis login --com

The Walk-through

If you need to encrypt multiple files, first create an archive of all the sensitive files, encrypt it, and put the encrypted archive under version control, then decrypt it during the build.

I needed to encrypt my sensitive email_config.ini and client_secret.json files, and this is how I did it.

$ tar cvf secrets.tar email_config.ini client_secret.json
# Adding `--add` arg automatically adds the decryption command to your .travis.yml
$ travis encrypt-file secrets.tar --add --com
$ git add secrets.tar.enc .travis.yml
$ git commit -m 'Archiving email config and client secret into secret.tar file.'
$ git push origin master

In your .travis.yml, you should notice a new openssl ... command. This command decrypts secrets.tar.enc into secrets.tar, and you then have to add a command to extract the files.

before_install:
  - openssl aes-256-cbc -K $encrypted_*******_key -iv $encrypted_*******_iv -in secrets.tar.enc -out secrets.tar -d
  - tar xvf secrets.tar
script:
  - price_checker.py --email ./email_config.ini --json ./client_secret.json -s "Shopping List" --update
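
The same tar, encrypt, decrypt and extract sequence can be rehearsed locally before pushing. This is an added example, not code from the original post: the function names, the throwaway key and IV, and the sample file contents are constructed for the illustration, and on Travis the key and IV come from the encrypted variables that `travis encrypt-file` creates.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): rehearse the
# tar -> encrypt -> decrypt -> extract flow locally before pushing.
# Key and IV are throwaway values generated here; on Travis they come from the
# $encrypted_*******_key / $encrypted_*******_iv variables in .travis.yml.

# encrypt_archive KEY_HEX IV_HEX ARCHIVE  -> writes ARCHIVE.enc
encrypt_archive() {
  openssl aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$3.enc"
}

# decrypt_and_extract KEY_HEX IV_HEX ARCHIVE.enc DEST_DIR
# Same openssl call as the before_install step, followed by the tar extraction.
decrypt_and_extract() {
  mkdir -p "$4" &&
  openssl aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4/secrets.tar" -d 2>/dev/null &&
  tar xf "$4/secrets.tar" -C "$4" 2>/dev/null
}

# rehearse_roundtrip [wrong]: returns 0 only if both files survive unchanged.
# Passing "wrong" decrypts with a different key to show the failure path.
rehearse_roundtrip() {
  local work key iv dkey rc=0
  work=$(mktemp -d) || return 1
  key=$(openssl rand -hex 32)   # 256-bit key as hex, the form -K expects
  iv=$(openssl rand -hex 16)    # 128-bit IV as hex, the form -iv expects
  dkey=$key
  [ "${1:-}" = wrong ] && dkey=$(openssl rand -hex 32)
  # Constructed sample files standing in for the real secrets.
  printf '[smtp]\npassword = not-a-real-password\n' > "$work/email_config.ini"
  printf '{"client_secret": "constructed-sample"}\n' > "$work/client_secret.json"
  tar cf "$work/secrets.tar" -C "$work" email_config.ini client_secret.json &&
  encrypt_archive "$key" "$iv" "$work/secrets.tar" &&
  decrypt_and_extract "$dkey" "$iv" "$work/secrets.tar.enc" "$work/out" &&
  cmp -s "$work/email_config.ini" "$work/out/email_config.ini" &&
  cmp -s "$work/client_secret.json" "$work/out/client_secret.json" || rc=1
  rm -rf "$work"   # never leave the plaintext or the archive behind
  return "$rc"
}

rehearse_roundtrip && echo "round trip OK"
```

Only secrets.tar.enc belongs in the repository; keep secrets.tar, email_config.ini and client_secret.json out of git (for example with .gitignore).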

That's it, below is a screenshot of my SUCCESSFUL Travis Build.
