How to update encrypted secrets?


#1

Let’s say I have added 3 secret keys using

travis encrypt VAR_A="…" --add
travis encrypt VAR_B="…" --add
travis encrypt VAR_C="…" --add

how do I go about removing VAR_B and updating the values of VAR_A without affecting VAR_C?
do I have to remove the whole env.global.secret and start over again?


#2

You could manually edit .travis.yml.


#3

how can i tell each variables apart though?


#4

You cannot do that, I’m afraid. You can, however, going forward, commit each change to.travis.yml to correlate which change correspond to which secret. (You cannot change what’s already happened, of course.)


#5

@williamli

According to docs, you can encrypt any value in YAML config.
Also, according to docs, there are two ways of specifying env vars:

  1. by supplying a list of strings:
env:
- VAR_A=VALUE_A
- VAR_B=VALUE_B
- VAR_C=VALUE_C
  1. by supplying a mapping:
env:
  VAR_A: VALUE_A
  VAR_B: VALUE_B
  VAR_C: VALUE_C

So in the first case, the “value” in YAML struct is the whole key=val string, while in the second case only val part is a value, so you can encrypt only that thing:

env:
  VAR_A:
    secure: ...
  VAR_B:
    secure: ...
  VAR_C:
    secure: ...

WARNING

While what I described is used to work, there’s a recently introduced bug applying to random repos, because they use a different version of YAML parser.

I’ve filed it here:


With a demo test:

@BanzaiMan it looks like a fairly serious bug, do you mind checking the details?