OK to leave secure api_key in .travis-ci.yml?

I just used travis setup releases to set deployment to GitHub release. It created:

```yaml
deploy:
  provider: releases
  api_key:
    secure: IUObYmt2/MGFzjXeLkN89...
  file: dist/*
  ...
```

Is it OK to check in this .travis.yml with api_key to our public GitHub repository?

If so, what stops a bad actor from forking our project and then putting up bad releases on our project? Thanks! (I understand the basic theory of public and private keys, but don’t know how it is used here.)

  • Carl

Please read

From the docs, I’m still not clear if it is OK to commit the .travis.yml with secure api_key to our public GitHub repository?

From searching GitHub code, it looks like some people leave the secure version of their key in their .travis.yml while others create an environment variable.

Yes, it is. And the linked document explains why. Satisfied? :slight_smile:

Thanks for the answer.

Even after reading the docs three times, I still don’t understand the “why”. If anyone wants to explain what stops a bad actor from forking our project and then putting up bad GitHub Releases on our project, I’d be grateful.

  • Carl

Travis associates an RSA key pair with each repository. The string after secure: is your value encrypted with the public key. To decrypt it, one needs the corresponding private key which is only available to Travis.

If someone forks your repository, they won’t be able to decrypt the secret values because that would be a different repository, with a different key pair.
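To make the explanation concrete, here is an added example (not Travis’s own code, and not from anyone in this thread) that mimics the scheme with Ruby’s stdlib OpenSSL: two constructed RSA pairs stand in for the per-repository keys Travis holds, a value is encrypted with the upstream repository’s public key the way `travis encrypt` does, and only the matching private key can recover it. The key names, the `GITHUB_TOKEN=constructed-placeholder` string and the helper names are assumptions for the demo.

```ruby
require 'openssl'
require 'base64'

# Constructed stand-ins for the per-repository key pairs Travis keeps.
# In the real system only the public half is ever handed out; the private
# key stays on Travis's side and is what the build environment uses.
UPSTREAM_KEY = OpenSSL::PKey::RSA.new(2048)   # "our" repository
FORK_KEY     = OpenSSL::PKey::RSA.new(2048)   # a fork: different repo, different pair

# What `travis encrypt` does in spirit: encrypt VAR=value with the
# repository's public key and Base64-encode the result for `secure:`.
def make_secure_value(public_key, plaintext)
  Base64.strict_encode64(public_key.public_encrypt(plaintext))
end

# What the build environment does: decrypt with the private key held for
# the repository the build belongs to. A ciphertext produced for another
# repository's public key fails the padding check, so we return nil.
def decrypt_secure_value(private_key, secure_value)
  private_key.private_decrypt(Base64.strict_decode64(secure_value))
rescue OpenSSL::PKey::RSAError
  nil
end

# Encrypt once for the upstream repo, then try both "repositories" on it.
def demo
  secret = "GITHUB_TOKEN=constructed-placeholder"   # constructed sample value
  secure = make_secure_value(UPSTREAM_KEY.public_key, secret)
  {
    upstream: decrypt_secure_value(UPSTREAM_KEY, secure),  # recovers the secret
    fork:     decrypt_secure_value(FORK_KEY, secure),      # nil: wrong key pair
  }
end

if __FILE__ == $0
  result = demo
  puts "upstream build sees: #{result[:upstream].inspect}"
  puts "forked build sees:   #{result[:fork].inspect}"
end
```

The same property is why the committed `secure:` string is safe to publish: it is ciphertext for one specific repository’s key, and a fork gets its own key pair.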

Thanks for the explanation.

You can suggest improvements to the document’s text using the “Improve this page on GitHub” link on top.
You are in a better position for that than me since you know better which bits were missing or unclear.