在用于系统测试的开源项目中保护 travis ci 环境变量
Securing travis ci environmental variables in a open-source project for system testing
我正在构建一个开源库,为第 3 方服务提供 API。在此期间,我正在学习测试、git-flow 和持续部署,并遇到了与保护开源项目的环境变量相关的问题。
我目前已经通过 travis cli 生成了秘密环境变量:
travis encrypt key=value,用于自动化系统测试。
在推送功能更新时,运行ches 或 pull-requests 注意到测试由 travis ci 自动 运行,这太棒了。但是我开始想知道是什么保护我免受某人发出拉取请求的伤害,该拉取请求 malici 粗暴地收集 process.env 对象并将其推送到外部对象,从而揭示了我之前的 cious 环境变量。
如何真正确保环境凭据(例如 API 凭据)在 travis ci 中受到保护以进行系统测试?
我是否应该创建系统测试? 还是我应该伪造对外部服务的请求?
Travis CI 文档说:
For the protection of secure data, Travis CI makes it available only
on pull requests coming from the same repository. These are considered
trustworthy, as only members with write access to the repository can
send them.
Pull requests sent from forked repositories don’t have this data
available in their builds. All data that’s considered confidential
will not be added to the build’s environment.
https://docs.travis-ci.com/user/pull-requests#Security-Restrictions-when-testing-Pull-Requests
我正在构建一个开源库,为第 3 方服务提供 API。在此期间,我正在学习测试、git-flow 和持续部署,并遇到了与保护开源项目的环境变量相关的问题。
我目前已经通过 travis cli 生成了秘密环境变量:travis encrypt key=value,用于自动化系统测试。
在推送功能更新时,运行ches 或 pull-requests 注意到测试由 travis ci 自动 运行,这太棒了。但是我开始想知道是什么保护我免受某人发出拉取请求的伤害,该拉取请求 malici 粗暴地收集 process.env 对象并将其推送到外部对象,从而揭示了我之前的 cious 环境变量。
如何真正确保环境凭据(例如 API 凭据)在 travis ci 中受到保护以进行系统测试?
我是否应该创建系统测试? 还是我应该伪造对外部服务的请求?
Travis CI 文档说:
For the protection of secure data, Travis CI makes it available only on pull requests coming from the same repository. These are considered trustworthy, as only members with write access to the repository can send them.
Pull requests sent from forked repositories don’t have this data available in their builds. All data that’s considered confidential will not be added to the build’s environment.
https://docs.travis-ci.com/user/pull-requests#Security-Restrictions-when-testing-Pull-Requests