Tldr: Travis build failure on PRs due to impossibility to decrypt the deploy key

Created on 3 Feb 2019 · 9 Comments · Source: tldr-pages/tldr

Travis fails to build pull requests because on PRs the variables $encrypted_973441be79af_key and $encrypted_973441be79af_iv are not defined (for obvious security reasons). Since those are not defined, the ssh-add command waits for a passphrase on standard input, making the build time out and fail.

My eye didn't unfortunately spot this rather simple mistake when reviewing #2747, whoops :(

The solution is simple: only deploy when on the master branch. I'm working on a PR to solve this and will submit it as soon as possible.

bug tooling

All 9 comments

We are already deploying on the master branch. The error is due to the ssh commands being executed prior. Looks like we need to move those ssh commands back into the build script.

But I wonder why it didn't fail when I posted the PR.

That is indeed strange. I wonder what happened there :thinking:

This error is quite strange. I would really want to understand the why of this.

@mfrw yeah, me too...

The build for @agnivade's PR should have failed since those variables should not be defined inside a PR build. If what happened is real, it looks like a major security flaw in the Travis CI build system. :thinking: :thinking: :thinking:

Travis makes encrypted variables available in PRs only if it's a PR from inside the repo. Any pull request from a fork will not have access to them.

See https://docs.travis-ci.com/user/pull-requests#pull-requests-and-security-restrictions for more info.

Ah, that's right! This was the reason due to which we moved tldr-bot to a dedicated server. And I forgot about it :)

Ohhh, thanks @MasterOdin, I did not know about that subtle difference. Now it all makes sense.

I see. So I guess we'll have to move it to the bot after all?

@sbrl nah, not necessary to move to the bot ;) it wouldn't improve security, just make the process more complicated.
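
The guard this thread converges on, as an added example that is not the tldr repository's build script: load the deploy key only on a push to master with secrets present, so fork PRs, same-repo PRs and other branches skip the step instead of hanging in ssh-add. `TRAVIS_PULL_REQUEST`, `TRAVIS_BRANCH` and `TRAVIS_SECURE_ENV_VARS` are Travis CI's built-in variables; the function names, arguments and file paths are hypothetical.

```shell
#!/bin/sh
# Added example, not the tldr repo's build script. TRAVIS_* are Travis CI's
# built-in variables; function names, arguments and paths are hypothetical.

# Return 0 only when this job is allowed to decrypt and load the deploy key.
# $1/$2 stand in for the repo's $encrypted_<id>_key and $encrypted_<id>_iv.
can_load_deploy_key() {
    # Any PR build (fork or same-repo) carries a PR number here, not "false".
    [ "${TRAVIS_PULL_REQUEST:-false}" = "false" ] || return 1
    # Deploy only from pushes to master.
    [ "${TRAVIS_BRANCH:-}" = "master" ] || return 1
    # Travis sets this to "false" when secrets are withheld (fork PRs).
    [ "${TRAVIS_SECURE_ENV_VARS:-false}" = "true" ] || return 1
    # Never hand empty key material to openssl.
    [ -n "${1:-}" ] && [ -n "${2:-}" ] || return 1
    return 0
}

# Usage: load_deploy_key KEY_HEX IV_HEX ENCRYPTED_FILE OUTPUT_FILE
load_deploy_key() {
    if ! can_load_deploy_key "$1" "$2"; then
        echo "deploy key not available for this build; skipping" >&2
        return 0
    fi
    ( umask 077
      openssl aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4" -d ) || return 1
    # With an explicit empty passphrase, ssh-keygen errors out on a bad or
    # passphrase-protected file instead of prompting, so ssh-add cannot hang.
    ssh-keygen -y -P '' -f "$4" >/dev/null || return 1
    ssh-add "$4"
}
```
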
