GITHUB_PAT needed in tests and pull requests on Travis


#1

I am working on a package where some tests depend on having a GITHUB_PAT environment variable. I’ve saved the GITHUB_PAT on Travis.

The environment variable is not accessible for external PRs i.e. tests fail in Travis builds of PRs made from an external fork.

How do you usually deal with this? At the moment these tests are skipped depending on the presence of GITHUB_PAT but it does not seem optimal?


#2

Steph Locke posted about this solution: https://blog.algolia.com/travis-encrypted-variables-external-contributions/ I’m guessing nothing much simpler exists. :thinking:


#3

You could create a GITHUB_PAT with very limited scope permissions, perhaps using a dedicated testing account. I think you can turn on PR env var access. If not, you can define it right in the testing code, possibly with some level of encryption/obfuscation so that it’s not available as plain text to crawlers.


#4

Thanks! In my specific use case, the GITHUB_PAT is used to create and delete repos so I can’t limit its scope. :grimacing:


#5

(it belongs to a testing account though https://github.com/chibimaelle)


#6

I haven’t really done anything about this in my pkgs. When I get a PR, I just know that certain failures are b/c of lack of a key.

Maybe you can look for the TRAVIS_PULL_REQUEST env var and skip tests based on that: https://docs.travis-ci.com/user/pull-requests#pull-requests-and-security-restrictions It does seem like it’s just not a good idea to have env vars avail. on forked PRs.


#7

I add a second environment variable, HAS_CARL_PAT="true" or something like that, and have these tests skipped if that is not set. (Checking that it has any PAT might not be robust, since it is common to have a PAT with no permissions just to get past rate limiting).

I also use a separate GitHub Machine account (as GitHub recommends, though you are only permitted one such account) to generate any such tokens, rather than deploy tokens that can access my account.
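
The skip logic from posts #6 and #7 combined into one gate, as an added example that is not part of any post in this thread: `pat_test_gate` is a hypothetical helper name, `HAS_CARL_PAT` is the marker name from post #7, and `TRAVIS` is the variable Travis sets to `true` on its builders. Unlike a plain skip, it fails a trusted (non-PR) Travis build when the secret is missing, so lost coverage is not silent.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether tests that need the
# privileged GITHUB_PAT should run. Prints a decision word on stdout and
# returns non-zero only when a trusted build is misconfigured.
#
# Assumptions: HAS_CARL_PAT is stored next to GITHUB_PAT in the Travis
# settings, so both are withheld together from builds of fork PRs.
pat_test_gate() {
    # Marker and token both present: the privileged token is really there.
    # A bare GITHUB_PAT is not enough, since it may be a no-permission token
    # used only to get past rate limiting (post #7).
    if [ "${HAS_CARL_PAT:-}" = "true" ] && [ -n "${GITHUB_PAT:-}" ]; then
        echo "run"
        return 0
    fi

    # Not on Travis (e.g. a contributor's laptop): skip quietly.
    if [ "${TRAVIS:-}" != "true" ]; then
        echo "skip-local"
        return 0
    fi

    # TRAVIS_PULL_REQUEST is the PR number on PR builds and "false" otherwise.
    # A PR build without the secret is the expected fork case: skip.
    if [ "${TRAVIS_PULL_REQUEST:-false}" != "false" ]; then
        echo "skip-pull-request"
        return 0
    fi

    # Branch build on the main repository without the secret: the Travis
    # settings are broken or the token was removed. Fail loudly.
    echo "fail-missing-secret"
    return 1
}
```

In a Travis `script` step the printed word can select which tests run, and the non-zero return stops the build only in the misconfigured case.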