Amphtml: JWT deprecation: Figure out how to test on Sauce labs during PR checks

Created on 26 Jan 2018 · 15 Comments · Source: ampproject/amphtml

Deprecation announcement: https://blog.travis-ci.com/2018-01-23-jwt-addon-is-deprecated

This will prevent us from using a secure JWT encrypted sauce labs token to run unit and integration tests during PR checks.

Figure out a workaround to use our sauce labs token on PR builds.

High Priority Bug infra

All 15 comments

@erwinmombay @cramforce @choumx

This is a high priority issue but it hasn't been updated in a while. @erwinmombay Do you have any updates?

Update: Here is the original issue that tracked the addition of JWT to Travis: https://github.com/travis-ci/travis-ci/issues/1946

We're losing the JWT plugin on April 17, with no alternative in sight. I've pinged the Travis team at https://github.com/travis-ci/travis-ci/issues/8007#issuecomment-367405330

You can add environment variable to your travis project settings like this:

I just updated one of my open source projects and it works without publicly showing the env var value: https://travis-ci.org/jeromemacias/nodium/jobs/353888114#L444

@jeromemacias That won't help, since Travis does not allow pull requests to use secure environment variables. We have a different solution in the works.

@rsimha My job is on a pull request, but maybe I missed something

@jeromemacias I don't think that was a pull request from a fork of the main branch.

@rsimha You're right, that's what I missed, I'm on a branch of the main repo!

New approach: manually start / stop the sauce connect proxy on Travis. Fix coming up in #14034

At long last, this is fixed. Since Travis is effectively dropping support for sauce_connect for PR builds from forked branches, we wrote our own replacement for Travis' native Sauce Labs addon.

You have this solution available @rsimha ?

@alexanmtz See build-system/sauce_connect for our replacement to Travis' sauce_connect addon. You will have to set env vars for SAUCE_USERNAME and SAUCE_ACCESS_KEY before running the script that starts Sauce Connect.

To use a JWT encoded token instead of your permanent Sauce access key, you can write a server that encodes the key using the payload format described in the Travis docs.

For example:

const jwt = require('jsonwebtoken');

// Permanent key: stays on the server and is only used as the signing secret.
const SAUCE_ACCESS_KEY = '<your sauce access key>';
const JWT_TOKEN_LIFETIME_SECS = 5400; // 90 minutes.

const pull_request = process.env.TRAVIS_PULL_REQUEST ? process.env.TRAVIS_PULL_REQUEST : '';
// Use whole seconds for the iat / exp claims (Date.now() is in milliseconds).
const issuedAtSecs = Math.floor(Date.now() / 1000);
const expirationSecs = issuedAtSecs + JWT_TOKEN_LIFETIME_SECS;
const payload = {
  "iss": "<your project name>",
  "slug": "saucelabs-sample-test-frameworks/Java-TestNG-Selenium",
  "pull-request": pull_request,
  "exp": expirationSecs,
  "iat": issuedAtSecs
};

// Signs the payload with the access key as the shared secret.
const token = jwt.sign(payload, SAUCE_ACCESS_KEY);
// Have your server return this temporary token whenever a Travis job wants to start Sauce Connect.
Thanks @rsimha , I will try it out!
