Letting Travis keep a secret
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.
More and more packages, be it for R or another language, are now interfacing different application programming interfaces (API) which are exposed to the web. And many of these may require an API key, or token, or account and password.
Which traditionally poses a problem in automated tests such as those running on the popular Travis CI service which integrates so well with GitHub. A case in point is the RPushbullet package where Seth Wenchel and I have been making a few recent changes and additions.
And yesterday morning, I finally looked more closely into providing Travis CI with the required API key so that we could in fact run continuous integration with unit tests following each commit. And it turns that it is both easy and quick to do, and yet another great showcase for ad-hoc Docker use.
The rest of this post will give a quick minimal run-down, this time using the gtrendsR package by Philippe Massicotte and myself. Start by glancing at the ‘encrypting files’ HOWTO from Travis itself.
We assume you have Docker installed, and a suitable base package. We will need Ruby, so any base Linux image will do. In what follows, I use Ubuntu 14.04 but many other Debian, Ubunti, Fedora, … flavours could be used provided you know how to pick the relevant packages. What is shown here should work on any recent Debian or Ubuntu flavour ‘as is’.
We start by firing off the Docker engine in the repo directory for which we want to create an encrypted file. The -v $(pwd):/mnt
switch mounts the current directory as /mnt
in the Docker instance:
edd@max:~/git/gtrendsr(master)$ docker run --rm -ti -v $(pwd):/mnt ubuntu:trusty root@38b478356439:/# apt-get update ## this takes a minute or two Ign http://archive.ubuntu.com trusty InRelease Get:1 http://archive.ubuntu.com trusty-updates InRelease [65.9 kB] Get:2 http://archive.ubuntu.com trusty-security InRelease [65.9 kB] # ... a dozen+ lines omitted ... Get:21 http://archive.ubuntu.com trusty/restricted amd64 Packages [16.0 kB] Get:22 http://archive.ubuntu.com trusty/universe amd64 Packages [7589 kB] Fetched 22.4 MB in 6min 40s (55.8 kB/s) Reading package lists... Done root@38b478356439:/#
We then install what is needed to actually install the travis
(Ruby) gem, as well as git
which is used by it:
root@38b478356439:/# apt-get install -y ruby ruby-dev gem build-essential git Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: # ... lot of output ommitted ... Processing triggers for ureadahead (0.100.0-16) ... Processing triggers for sgml-base (1.26+nmu4ubuntu1) ... root@38b478356439:/#
This too may take a few minutes, depending on the networking bandwidth and other factors, and should in general succeed without the need for any intervention. Once it has concluded, we can use the now-complete infrastructure to install the travis
command-line client:
root@38b478356439:/# gem install travis Fetching: multipart-post-2.0.0.gem (100%) Fetching: faraday-0.11.0.gem (100%) Fetching: faraday_middleware-0.11.0.1.gem (100%) Fetching: highline-1.7.8.gem (100%) Fetching: backports-3.6.8.gem (100%) Fetching: multi_json-1.12.1.gem (100% # ... many lines omitted ... Installing RDoc documentation for websocket-1.2.4... Installing RDoc documentation for json-2.0.3... Installing RDoc documentation for pusher-client-0.6.2... Installing RDoc documentation for travis-1.8.6... root@38b478356439:/#
This in turn will take a moment.
Once done, we can use the travis
client to login into GitHub. In my base this requires a password and a two-factor authentication code. Also note that we switch directories first to be in the actual repo we had mounted when launching docker
.
root@38b478356439:/# cd /mnt/ ## change to repo directory root@38b478356439:/mnt# travis --login Shell completion not installed. Would you like to install it now? |y| y We need your GitHub login to identify you. This information will not be sent to Travis CI, only to api.github.com. The password will not be displayed. Try running with --github-token or --auto if you don't want to enter your password anyway. Username: eddelbuettel Password for eddelbuettel: **************** Two-factor authentication code for eddelbuettel: xxxxxx Successfully logged in as eddelbuettel! root@38b478356439:/mnt#
Now the actual work of encrypting. For this particular package, we need a file .Rprofile
containing a short option()
segment setting a user-id and password:
root@38b478356439:/mnt# travis encrypt-file .Rprofile Detected repository as PMassicotte/gtrendsR, is this correct? |yes| encrypting .Rprofile for PMassicotte/gtrendsR storing result as .Rprofile.enc storing secure env variables for decryption Please add the following to your build script (before_install stage in your .travis.yml, for instance): openssl aes-256-cbc -K $encrypted_988d19a907a0_key -iv $encrypted_988d19a907a0_iv -in .Rprofile.enc -out .Rprofile -d Pro Tip: You can add it automatically by running with --add. Make sure to add .Rprofile.enc to the git repository. Make sure not to add .Rprofile to the git repository. Commit all changes to your .travis.yml. root@38b478356439:/mnt#
That’s it. Now we just need to follow-through as indicated, committing the .Rprofile.enc
file, making sure to not commit its input file .Rprofile
, and adding the proper openssl
invocation with the keys known only to Travis to the file .travis.yml
.
R-bloggers.com offers daily e-mail updates about R news and tutorials about learning R and many other topics. Click here if you're looking to post or find an R/data-science job.
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.