How To Encrypt Multiple Files With Travis CI.
The Story
I have been constantly improving one of my side projects that scrapes e-commerce websites, extracts some data, then uploads the data to a Google sheet. One of my recent updates was to add email notifications, but since I use Travis CI to run the script as a cron job, I needed to encrypt my Google Dev client_secret.json file (for obvious reasons) as well as my new email configuration file, such that Travis CI runs my script which contains sensitive information on a public platform.
However, Travis CI doesn’t support multiple file encryptions, which took me a while to realize… to the point where I stopped even counting the failed builds.
Note: The Travis CI Client overrides encrypted entries if you use it to encrypt multiple files, hence why my script kept failing to build.
In this post, I will detail a workaround to encrypt multiple files on Travis CI using the CLI client.
If you would like to check the project out, go here.
The How
Before we continue, we need to install some dependencies.
NOTE: These instructions assume that you are running Ubuntu 18.04.
Installation
You need to install the travis-ci CLI client; follow these installation guidelines.
TL;DR: On your Ubuntu installation (else continue at your own risk), run the following commands:
$ sudo apt update
$ sudo apt-get install ruby-full
$ gem install travis
If, like me, you do not like installing packages on your system, I have a Dockerfile which builds a Docker container in which you can easily run the travis client.
Go here for detailed installation instructions.
Testing
Once the installation is done, verify it by running: travis version
Once we have a successful installation, log in to Travis using your GitHub username & password or token details.
$ travis login --org
The Walk-through
If you need to encrypt multiple files, first create an archive of all the sensitive files, encrypt it, and commit the encrypted archive to version control, then decrypt it during the build.
I needed to encrypt my sensitive email_config.ini and client_secret.json files, and this is how I did it.
$ tar cvf secrets.tar email_config.ini client_secret.json
# Adding `--add` arg automatically adds the decryption command to your .travis.yml
$ travis encrypt-file secrets.tar --add --com
$ git add secrets.tar.enc .travis.yml
$ git commit -m 'Archiving email config and client secret into secret.tar file.'
$ git push origin master
In your .travis.yml, you should notice a new openssl ... command. This command decrypts your secrets.tar file; you then have to add a command to extract the files.
before_install:
- openssl aes-256-cbc -K $encrypted_*******_key -iv $encrypted_*******_iv -in secrets.tar.enc -out secrets.tar -d
- tar xvf secrets.tar
script:
- price_checker.py --email ./email_config.ini --json ./client_secret.json -s "Shopping List" --update
That’s it; below is a screenshot of my SUCCESSFUL Travis build.
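A pre-push audit for the workflow above, as an added example that is not part of the original post: it flags plaintext secrets (secrets.tar, email_config.ini, client_secret.json) that are tracked next to secrets.tar.enc, and an openssl decrypt line in .travis.yml whose key or IV is written out instead of taken from the $encrypted_* variables. The function names and finding messages are assumptions made for this example.

```shell
# Added example: audit for the secrets.tar workflow described above.
ENCRYPTED_ARCHIVE="secrets.tar.enc"
PLAINTEXT_FILES="secrets.tar email_config.ini client_secret.json"

# stdin: tracked paths, one per line, e.g.  git ls-files | audit_tracked_paths
# Prints one finding per line; status 0 when clean, 1 otherwise.
audit_tracked_paths() (
    found_enc=0
    status=0
    while IFS= read -r path || [ -n "$path" ]; do
        base=${path##*/}
        if [ "$base" = "$ENCRYPTED_ARCHIVE" ]; then found_enc=1; fi
        for name in $PLAINTEXT_FILES; do
            if [ "$base" = "$name" ]; then
                echo "PLAINTEXT TRACKED: $path"
                status=1
            fi
        done
    done
    if [ "$found_enc" -eq 0 ]; then
        echo "MISSING: $ENCRYPTED_ARCHIVE is not tracked"
        status=1
    fi
    exit "$status"
)

# stdin: contents of .travis.yml, e.g.  audit_decrypt_command < .travis.yml
# Heuristic: every openssl decrypt line must take -K and -iv from the
# $encrypted_*_key / $encrypted_*_iv variables, never from literal hex.
# The single quotes below are deliberate: the patterns match a literal "$".
audit_decrypt_command() (
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"openssl aes-256-cbc"*)
                case $line in
                    *'-K $encrypted_'*'_key '*'-iv $encrypted_'*'_iv '*) ;;
                    *)
                        echo "LITERAL KEY OR IV: $line"
                        status=1
                        ;;
                esac
                ;;
        esac
    done
    exit "$status"
)
```

Both functions read stdin, so they can run from a pre-push hook or as an early build step without touching the secrets themselves.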