fd34a58e13
Gaining access to another PR's JWT, would allow faking that PR's author wrt to GitHub team membership verification for as long as the JWT is valid (currently 90 mins).
1.7 KiB
1.7 KiB
VM Setup - Set up secrets
Overview
Necessary secrets:
-
GITHUB_TOKEN- Used for:
- Retrieving open PRs without rate-limiting.
- Retrieving PR author.
- Retrieving members of the
angular-coreteam. - Posting comments with preview links on PRs.
- Used for:
-
PREVIEW_DEPLOYMENT_TOKEN- Used for:
- Decoding the JWT tokens received with
/create-buildrequests.
- Decoding the JWT tokens received with
- Used for:
Note:
TEST_GITHUB_TOKEN and TEST_PREVIEW_DEPLOYMENT_TOKEN can also be created similar to their
non-TEST counterparts and they will be loaded when running aio-verify-setup, but it is currently
not clear if/how they can be used in tests.
Create secrets
-
GITHUB_TOKEN- Visit https://github.com/settings/tokens.
- Generate new token with the
public_reposcope.
-
PREVIEW_DEPLOYMENT_TOKEN- Just generate a hard-to-guess character sequence.
- Add it to
.travis.ymlunderaddons -> jwt -> secure. Can be added automatically with:travis encrypt --add addons.jwt PREVIEW_DEPLOYMENT_TOKEN=<access-key>
Note:
Due to travis-ci/travis-ci#7223 it is not
currently possible to use the JWT addon (as described above) for anything other than the
SAUCE_ACCESS_KEY variable. You can get creative, though...
WARNING
TO avoid arbitrary uploads, make sure the PREVIEW_DEPLOYMENT_TOKEN is NOT printed in the Travis log.
Save secrets on the VM
sudo mkdir /aio-secretssudo touch /aio-secrets/GITHUB_TOKEN- Insert
<github-token>into/aio-secrets/GITHUB_TOKEN. sudo touch /aio-secrets/PREVIEW_DEPLOYMENT_TOKEN- Insert
<access-token>into/aio-secrets/PREVIEW_DEPLOYMENT_TOKEN. sudo chmod 400 /aio-secrets/*