@azu/travis-scripts
Scripts that can help automate certain things using Travis CI
# Set up the SSH keys
#### 1. Enable Travis CI
If you haven't, [enable Travis CI for your
repository](https://docs.travis-ci.com/user/getting-started/#To-get-started-with-Travis-CI%3A)
by going to your Travis CI [profile page](https://travis-ci.org/profile)
and flicking the repository switch on.

#### 2. Set up the SSH keys
##### 2.1. Generate the SSH keys
:information_source: For this example I'm using `github_deploy_key` as
the base name for the files that contain the SSH keys, but you can use
whatever name you want.
```bash
ssh-keygen -t rsa -b 4096 -C "<your_email>" -f github_deploy_key -N ''
```
This will generate 2 keys in 2 different files:
* public key in `github_deploy_key.pub`
* private key in `github_deploy_key`
##### 2.2. Add the public key to GitHub
* Go to `https://github.com/<username>/<repository>/settings/keys`
and click on `Add deploy key`:

* Copy the public key (in this case, the content from
`github_deploy_key.pub`)

* Check the `Allow write access` checkbox

* Add the key!

* Remove the file containing the public key so that it's not
accidentally committed
```bash
rm github_deploy_key.pub
```
##### 2.3. [Install the Travis CLI](https://docs.travis-ci.com/user/encryption-keys/#Usage)
```bash
gem install travis
```
##### 2.4. [Login to Travis using the Travis CLI](https://docs.travis-ci.com/user/encrypting-files#Preparation)
```bash
travis login
```
##### 2.5. Encrypt the file containing the private key
:warning: Because of an [issue with the Travis
CLI](https://github.com/travis-ci/travis-ci/issues/4746), the following
**will not work** as intended if done **on Windows**!
* Use the Travis CLI to encrypt the file containing the private SSH key
```bash
travis encrypt-file github_deploy_key
```
The above will output something like:
```bash
encrypting github_deploy_key for <username>/<repository>
storing result as github_deploy_key.enc
storing secure env variables for decryption
openssl aes-256-cbc -K $encrypted_XXXXXXXXXXXX_key -iv $encrypted_XXXXXXXXXXXX_iv -in github_deploy_key.enc -out github_deploy_key -d
Pro Tip: You can add it automatically by running with --add.
Make sure to add github_deploy_key.enc to the git repository.
Make sure not to add github_deploy_key to the git repository.
Commit all changes to your .travis.yml.
```
:information_source: I didn't use `--add` to have the Travis CLI
automatically add the decrypt command to the `.travis.yml` file as
it usually screws up the formatting.
:information_source: The values of the `$encrypted_XXXXXXXXXXXX_key`
and `$encrypted_XXXXXXXXXXXX_iv` environment variables will be
automatically uploaded by the Travis CLI to Travis CI, see:
`https://travis-ci.org/<username>/<repository>/settings`.

Also, this is the reason why you needed to log in to Travis using the
Travis CLI at [step `2.4.`](#24-login-to-travis-using-the-travis-cli).
* Remove the file containing the private key so that it's not
accidentally committed
```bash
rm github_deploy_key
```
##### 2.6. Set up SSH connection for Travis CI
:information_source: In the examples below, I'm presuming the encrypted
file generated at [step `2.5.`](#25-encrypt-the-file-containing-the-private-key)
(`github_deploy_key.enc`) is placed in the `.travis/` directory from the
root of the project.
Add the necessary commands to the `.travis.yml` file, and either:
* use the `travis-scripts` helper function `set-up-ssh`:
```yml
after_success:
  - |
    $(npm bin)/set-up-ssh --key "$encrypted_XXXXXXXXXXXX_key" \
                          --iv "$encrypted_XXXXXXXXXXXX_iv" \
                          --path-encrypted-key ".travis/github_deploy_key.enc"
```
* write the necessary code yourself, e.g.:
```yml
after_success:
  - |
    declare -r SSH_FILE="$(mktemp -u $HOME/.ssh/XXXXX)"
    # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    # Decrypt the file containing the private key
    # (Note: this is the same as what is generated by the Travis CLI at step 2.5)
    openssl aes-256-cbc \
      -K $encrypted_XXXXXXXXXXXX_key \
      -iv $encrypted_XXXXXXXXXXXX_iv \
      -in ".travis/github_deploy_key.enc" \
      -out "$SSH_FILE" -d
    # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    # Enable SSH authentication
    chmod 600 "$SSH_FILE" \
      && printf "%s\n" \
           "Host github.com" \
           "  IdentityFile $SSH_FILE" \
           "  LogLevel ERROR" >> ~/.ssh/config
```
Note: The above is basically what the `set-up-ssh` script does behind
the scenes.
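
A defensive variant of the hand-written decrypt step above, as an added example that is not part of the original page or of `travis-scripts`. The function name `decrypt_deploy_key` and its argument order are hypothetical; it assumes `openssl` is on the build image, as the step above already does.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper, not part of travis-scripts).
# Usage: decrypt_deploy_key <key_hex> <iv_hex> <encrypted_file> <output_file>
# Returns 0 on success, 2 if the key/IV are unavailable, 1 on any other failure.

decrypt_deploy_key() {
    ddk_key="$1"; ddk_iv="$2"; ddk_in="$3"; ddk_out="$4"

    # Travis CI does not expose encrypted variables to pull requests from
    # forks, so both values are empty there: stop before calling openssl.
    if [ -z "$ddk_key" ] || [ -z "$ddk_iv" ]; then
        echo "decryption key/IV not available, skipping SSH setup" >&2
        return 2
    fi

    # Create the output with owner-only permissions from the start,
    # instead of relying on a later chmod.
    (
        umask 077
        openssl aes-256-cbc -d -K "$ddk_key" -iv "$ddk_iv" \
            -in "$ddk_in" -out "$ddk_out" 2>/dev/null
    ) || { rm -f "$ddk_out"; echo "decryption failed" >&2; return 1; }

    # A wrong key can occasionally decrypt to garbage without an error,
    # so confirm the result starts with a PEM private key header.
    if ! head -n 1 "$ddk_out" | grep -Eq '^-----BEGIN [A-Z ]*PRIVATE KEY-----$'; then
        rm -f "$ddk_out"
        echo "decrypted file is not a private key" >&2
        return 1
    fi
    return 0
}
```

In `.travis.yml` it would be called with `"$encrypted_XXXXXXXXXXXX_key"`, `"$encrypted_XXXXXXXXXXXX_iv"`, `.travis/github_deploy_key.enc` and the target path, before the `Host github.com` entry is appended to `~/.ssh/config`.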
#### 3. Add the environment variables `GH_USER_NAME` and `GH_USER_EMAIL`
The travis scripts will use the values of the `GH_USER_EMAIL` and
`GH_USER_NAME` environment variables as the [email and user
name](https://git-scm.com/book/en/v2/Getting-Started-First-Time-Git-Setup#Your-Identity)
with which the commits will be made.
I personally don't recommend [specifying their values
directly](https://docs.travis-ci.com/user/environment-variables/#Defining-Variables-in-.travis.yml)
as that would mean they will be public. Instead, you should encrypt
them by generating a secure key using the Travis CLI:
```bash
travis encrypt -r "<username>/<repository>" \
GH_USER_EMAIL="<your_email>" \
GH_USER_NAME="<your_name>"
```
The above will output something like:
```bash
Please add the following to your .travis.yml file:
secure: "<secure_key_value>"
Pro Tip: You can add it automatically by running with --add.
```
:information_source: I didn't use `--add` to have the Travis CLI
automatically add the secure key to the `.travis.yml` file as that
usually screws up the formatting.
Then, once you have the secure key, add it to your `.travis.yml` file
```yml
env:
  global:
    - secure: "<secure_key_value>"
```