When I change the setting below, the deploy stage throw error "GET https://api.github.com/user: 401 - Bad credentials ". I’m confused about it. Is it that I can’t use environment variables to set api_key of deploy
either, you put an awful long encrypted key in your .travis.yml
or, you put an unencrypted key in a travis environment variable, so that if any developer of the GitHub project can add in .travis.yml something like: echo "${API_TOKEN:0:1}%POISON%${API_TOKEN:1}"
he can get your private API_TOKEN secret by reading travis logs (even if your variable is not set as “DISPLAY VALUE IN BUILD LOG” since this hack disrupts the usual [secure] replacement in logs)
Reminder: since GitHub API_TOKEN are not restricted by repository, that “bad guy” can do anything with all your repositories (write access and read access to your private repo).
Your explanations are really clear. Sorry to intervene in this discussion but I have tried the two proposed approches (encrypted token and environment variable with unencrypted token) on a repository of mine and none worked, I still have the “401 - Bad credentials” error (the other parts of the build went good). The log is here. I even tried to give more permissions than just public_repo that was automatically set for the GitHub token created by running travis setup releases. Any idea of what I could have done wrongly?
Thanks for the advice. I also tried (unsuccessfully) to use:
api_key:
secure: $GITHUB_TOKEN
but with the secure: keyword (and perhaps this was wrong and I may try without this keyword) and environment variable GITHUB_TOKEN set in my Travis-CI settings. I also tried, as suggested in the doc. you have pointed, to just use:
The need to use the --pro option also applies to all other CLI commands that talk to your Travis project entry (which includes all commands that deal with encryption), including travis setup releases.