fix(aio): ensure NGBUILDS_IO_KEY is not printed
Gaining access to another PR's JWT, would allow faking that PR's author wrt to GitHub team membership verification for as long as the JWT is valid (currently 90 mins).
This commit is contained in:
Georgios Kalpakas
committed by
Chuck Jazdzewski
Chuck Jazdzewski
parent
e40f81b564
commit
fd34a58e13
@ -18,8 +18,8 @@ Necessary secrets:
|
||||
|
||||
**Note:**
|
||||
`TEST_GITHUB_TOKEN` and `TEST_PREVIEW_DEPLOYMENT_TOKEN` can also be created similar to their
|
||||
non-TEST counterparts and they will be loaded when running `aio-verify-setup`, but it currently not
|
||||
clear if/how they can be used in tests.
|
||||
non-TEST counterparts and they will be loaded when running `aio-verify-setup`, but it is currently
|
||||
not clear if/how they can be used in tests.
|
||||
|
||||
|
||||
## Create secrets
|
||||
@ -33,6 +33,14 @@ clear if/how they can be used in tests.
|
||||
- Add it to `.travis.yml` under `addons -> jwt -> secure`.
|
||||
Can be added automatically with: `travis encrypt --add addons.jwt PREVIEW_DEPLOYMENT_TOKEN=<access-key>`
|
||||
|
||||
**Note:**
|
||||
Due to [travis-ci/travis-ci#7223](https://github.com/travis-ci/travis-ci/issues/7223) it is not
|
||||
currently possible to use the JWT addon (as described above) for anything other than the
|
||||
`SAUCE_ACCESS_KEY` variable. You can get creative, though...
|
||||
|
||||
**WARNING**
|
||||
TO avoid arbitrary uploads, make sure the `PREVIEW_DEPLOYMENT_TOKEN` is NOT printed in the Travis log.
|
||||
|
||||
|
||||
## Save secrets on the VM
|
||||
|
||||
|
||||
Reference in New Issue
Block a user