Travis Fatal Could Not Read From Remote Repository
Private Dependencies GitHub
- Deploy Key
- User Key
- Password
- API Token
- Dedicated User Account
Some of the features described here are currently only available for private repositories on travis-ci.com.
When testing a private repository, you might need to pull in other private repositories as dependencies via git submodules, a custom script, or a dependency management tool like Bundler or Composer.
Git submodules must be cloned early in the build process, so they must use either the Deploy Key or User Key method.
If the dependency is also on GitHub, there are four different ways of fetching the repository from within a Travis CI VM. Each one has advantages and disadvantages, so read each method carefully and pick the one that applies best to your situation.
Authentication | Protocol | Dependency URL format | Gives access to | Notes |
---|---|---|---|---|
Deploy Key | SSH | git@github.com/… | single repository | used by default for main repository |
User Key | SSH | git@github.com/… | all repos user has access to | recommended for dependencies |
Password | HTTPS | https://… | all repos user has access to | password can be encrypted |
API token | HTTPS | https://… | all repos user has access to | token can be encrypted |
You can use a dedicated CI user account for all but the deploy key approach. This allows you to limit access to a well-defined list of repositories, and make sure that access is read only.
Deploy Key #
GitHub allows you to set up SSH keys for a repository. These deploy keys have some great advantages:
- They are not bound to a user account, so they will not get invalidated by removing users from a repository.
- They do not give access to other, unrelated repositories.
- The same key can be used for dependencies not stored on GitHub.
However, using deploy keys is complicated by the fact that GitHub does not allow you to reuse keys. So a single private key cannot access multiple GitHub repositories.
You could include a different private key for every dependency in the repository, possibly encrypting them. Maintaining complex dependency graphs this way can be complex and difficult to maintain. For that reason, we recommend using a user key instead.
User Key #
Custom SSH keys are currently only available for private repositories on travis-ci.com.
You can add SSH keys to user accounts on GitHub. Most users have probably already done this to be able to clone the repositories locally.
This way, a single key can access multiple repositories. To limit the list of repositories and type of access, it is recommended to create a dedicated CI user account.
Repository settings - forks #
Repository security settings for forked repositories on Git are available starting March 1st, 2022.
For Git repositories, you may manage per repository how the environment variables and the custom SSH keys will be handled in Travis CI when a build is triggered as an outcome of filing a Pull Request from a forked repository. Two settings are available specifically for this purpose, allowing you to customize your security vs. collaboration setup.
- base repository - a Git repository which is forked by someone else
- fork or forked repository - any Git repository forked from the base repository
- PR - Pull Request (e.g. in GitHub, BitBucket, GitLab) or Merge Request (in Assembla)
Please note: Repositories activated in Travis CI before March 1st, 2022 will have the "Share encrypted environment variables with forks (PRs)" setting set to OFF. Please verify your collaboration model if necessary (especially for public repositories). The "Share SSH keys with forks (PRs)" setting will be set to ON for private repositories, so as not to break too many collaboration setups. Repository settings will be set by default to OFF for any repository activated in Travis CI after March 1st, 2022. For repositories activated in Travis CI after March 1st, 2022, you may want to consider changing the default settings depending on your collaboration model.
Please note: The "Share SSH keys with forks (PRs)" repository setting is applicable only for private repositories in the travis-ci.com environment.
This setting determines if the custom SSH keys from the base repository will be shared with the forked repository in a fork-to-base pull request (changes are merged from the fork repository into the base repository). In the case of a base-to-base pull request (changes are merged from the base repository into itself), the custom SSH keys will always be available.
In the case of a fork-to-fork pull request (changes are merged from the forked repository into itself), the custom SSH keys from the base repository will never be available.
In the case of a fork-to-base pull request:
- If this setting is ON, the custom SSH keys from the base repository will be available to the forked repository, which means that the build in the forked repository will be able to use the custom SSH keys from the base repository. Consider setting it to ON if your collaboration model requires working with Pull Requests (PRs) from forked repositories or if there are dependencies defined which rely on an SSH key from the base repository.
- If this setting is OFF and the build is relying on custom SSH keys, i.e. for fetching some additional dependencies, it will fail with a no access error.
Please note: On travis-ci.com, secrets may also be stored in encrypted environment variables, available for both public and private repositories. Read more about encrypted environment variables.
Using an existing key #
Assumptions:
- The repository you are running the builds for is called "myorg/main" and depends on "myorg/lib1" and "myorg/lib2".
- You have a key already set up on your machine, for instance under `~/.ssh/id_rsa` (default on Unix systems).
You can add a new key using the repository settings. Paste the contents of `~/.ssh/id_rsa` into the "Private Key" text field and give it a nice description.
Alternatively, you can use the following CLI command to add the key to Travis CI:
```
$ travis sshkey --upload ~/.ssh/id_rsa -r myorg/main
Key description: Key to clone myorg/lib1 and myorg/lib2
updating ssh key for myorg/main with key from ~/.ssh/id_rsa
Current SSH key: Key to clone myorg/lib1 and myorg/lib2
```
You can omit the `-r myorg/main` if your current working directory is a clone of the "myorg/main" repository.
Generating a new key #
Assumptions:
- The repository you are running the builds for is called "myorg/main" and depends on "myorg/lib1" and "myorg/lib2".
- You know the credentials for a user account that has at least read access to all three repositories.
The `travis` command line tool can generate a new key for you and set it up on both Travis CI and GitHub. In order to do so, it will ask you for a GitHub user name and password. This is very handy if you have just created a dedicated user or if you don't have a key set up on your machine that you want to use.
The credentials will only be used to access GitHub and will not be stored or shared with any other service.
```
$ travis sshkey --generate -r myorg/main
We need the GitHub login for the account you want to add the key to.
This information will not be sent to Travis CI, only to api.github.com.
The password will not be displayed.

Username: ci-user
Password for ci-user: **************

Generating RSA key.
Uploading public key to GitHub.
Uploading private key to Travis CI.

You can store the private key to reuse it for other repositories (travis sshkey --upload FILE).
Store private key? |no|

Current SSH key: key for fetching dependencies for myorg/main
```
You can omit the `-r myorg/main` if your current working directory is a clone of the "myorg/main" repository.
At the end of the process, it will ask you whether you want to store the generated key somewhere; usually it is safe to say "no" here. After all, you can just generate a new key as necessary. See below for instructions on storing and reusing a generated key.
Reusing a generated key #
Assumptions:
- The repository you are running the builds for is called "myorg/main" and depends on "myorg/lib1" and "myorg/lib2".
- You know the credentials for a user account that has at least read access to all three repositories.
- You only want to generate a single key, so you can revoke it easily or use it for accessing other sources for dependencies or deploy targets.
This is absolutely optional; nothing keeps you from generating new keys for all the repositories you are testing.
Follow the steps above, but choose to store the key. It will ask you for a path to store it under.
```
$ travis sshkey --generate -r myorg/main --description "CI dependencies"
We need the GitHub login for the account you want to add the key to.
This information will not be sent to Travis CI, only to api.github.com.
The password will not be displayed.

Username: ci-user
Password for ci-user: **************

Generating RSA key.
Uploading public key to GitHub.
Uploading private key to Travis CI.

You can store the private key to reuse it for other repositories (travis sshkey --upload FILE).
Store private key? |no| yes
Path: |id_travis_rsa| myorg_key

Current SSH key: CI dependencies
```
And as always, you can omit the `-r myorg/main` if your current working directory is a clone of the "myorg/main" repository.
You can then upload the key for myorg/main2:
```
$ travis sshkey --upload myorg_key -r myorg/main2 --description "CI dependencies"
updating ssh key for myorg/main with key from myorg_key
Current SSH key: CI dependencies
```
Starting with the 1.7.0 release of the `travis` command line tool, you are able to combine it with the `repos` command to set up the key not only for "main" and "main2", but for all repositories under the "myorg" organization.
```
$ travis repos --active --owner myorg --com | xargs -I % travis sshkey --upload myorg_key -r % --description "CI dependencies"
updating ssh key for myorg/main with key from myorg_key
Current SSH key: CI dependencies
updating ssh key for myorg/main2 with key from myorg_key
Current SSH key: CI dependencies
updating ssh key for myorg/lib1 with key from myorg_key
Current SSH key: CI dependencies
updating ssh key for myorg/lib2 with key from myorg_key
Current SSH key: CI dependencies
```
Note that if you're still using travis-ci.org you need to use `--org` instead of `--com`.
Password #
Assumptions:
- The repository you are running the builds for is called "myorg/main" and depends on "myorg/lib1" and "myorg/lib2".
- You know the credentials for a user account that has at least read access to all three repositories.
To pull in dependencies with a password, you will have to use the user name and password in the Git HTTPS URL: `https://ci-user:mypassword123@github.com/myorg/lib1.git`.
Alternatively, you can also write the credentials to the `~/.netrc` file:
```
machine github.com
  login ci-user
  password mypassword123
```
You can also encrypt the password and then write it to the netrc in a `before_install` step in your `.travis.yml`:
```
$ travis env set CI_USER_PASSWORD mypassword123 --private -r myorg/main
```
```yaml
before_install:
- echo -e "machine github.com\n  login ci-user\n  password $CI_USER_PASSWORD" > ~/.netrc
```
It is also possible to inject the credentials into URLs. For example, in a Gemfile, it would look like this:
```ruby
source 'https://rubygems.org'
gemspec

if ENV['CI']
  # use HTTPS with password on Travis CI
  git_source :github do |repo_name|
    repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
    "https://ci-user:#{ENV.fetch("CI_USER_PASSWORD")}@github.com/#{repo_name}.git"
  end
end

gem 'lib1', github: "myorg/lib1"
gem 'lib2', github: "myorg/lib2"
```
In case of private git submodules, be aware that the `git submodule update --init --recursive` command runs before the `~/.netrc` credentials are updated. If you are writing credentials to `~/.netrc`, disable the automatic loading of submodules, update the credentials and add an explicit step to update the submodules:
```yaml
git:
  submodules: false
before_install:
  - echo -e "machine github.com\n  login ci-user\n  password $CI_USER_PASSWORD" >~/.netrc
  - git submodule update --init --recursive
```
API Token #
Assumptions:
- The repository you are running the builds for is called "myorg/main" and depends on "myorg/lib1" and "myorg/lib2".
- You know the credentials for a user account that has at least read access to all three repositories.
This approach works just like the password approach outlined above, except instead of the username/password pair, you use a GitHub API token.
Under the GitHub account settings for the user you want to use, navigate to Settings > Developer settings, and then generate a token under "Personal access tokens". Make sure the token has the "repo" scope.
Your `~/.netrc` should look like this:
```
machine github.com
  login the-generated-token
```
You can also use it in URLs directly: `https://the-generated-token@github.com/myorg/lib1.git`.
Use the encrypt command to add the token to your `.travis.yml`.
```
$ travis env set CI_USER_TOKEN the-generated-token --private -r myorg/main
```
You can then have Travis CI write to the `~/.netrc` on every build.
```yaml
before_install:
- echo -e "machine github.com\n  login $CI_USER_TOKEN" > ~/.netrc
```
It is also possible to inject the token into URLs. For example, in a Gemfile, it would look like this:
```ruby
source 'https://rubygems.org'
gemspec

if ENV['CI']
  # use HTTPS with token on Travis CI
  git_source :github do |repo_name|
    repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
    "https://#{ENV.fetch("CI_USER_TOKEN")}@github.com/#{repo_name}.git"
  end
end

gem 'lib1', github: "myorg/lib1"
gem 'lib2', github: "myorg/lib2"
```
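A check that complements the two URL-injection passages (password and token), added here as an example and not part of the Travis CI documentation: it scans files for HTTPS URLs that carry literal credentials and ignores URLs whose credentials are interpolated from the environment, as in the Gemfile above. The function names `scan_url_credentials` and `make_samples` and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example: flag HTTPS URLs that carry literal credentials.
# Usage: scan_url_credentials FILE...
# Returns 0 when nothing is found, 1 when at least one line is reported.
scan_url_credentials() {
    # 1st grep: "https://<userinfo>@", userinfo free of '/', '@', '"', blanks.
    # 2nd grep: drop lines where the userinfo is interpolated from the
    #           environment (Ruby "#{...}" or shell/YAML "$VAR").
    # Limitation: a literal secret that itself contains '$' is skipped.
    hits=$(grep -nHE 'https?://[^/@[:space:]"]+@' "$@" 2>/dev/null |
           grep -vE 'https?://[^/@[:space:]]*(#\{|\$)' || true)

    if [ -z "$hits" ]; then
        return 0
    fi

    # Redact the userinfo so the report does not repeat the secret in the log.
    printf '%s\n' "$hits" |
        sed -E 's#(https?://)[^/@[:space:]]+@#\1<redacted>@#g'
    return 1
}

# Constructed sample files (not from a real repository); prints their directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/Gemfile" <<'EOF'
gem 'lib1', git: "https://ci-user:mypassword123@github.com/myorg/lib1.git"
gem 'lib2', git: "https://#{ENV.fetch("CI_USER_TOKEN")}@github.com/myorg/lib2.git"
EOF
    cat > "$dir/travis.yml" <<'EOF'
before_install:
  - git clone https://$CI_USER_TOKEN@github.com/myorg/lib2.git
EOF
    echo "$dir"
}
```

On the constructed samples only the first Gemfile line is reported, with the user name and password replaced by `<redacted>`.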
In case of private git submodules, be aware that the `git submodule update --init --recursive` command runs before the `~/.netrc` credentials are updated. If you are writing credentials to `~/.netrc`, disable the automatic loading of submodules, update the credentials and add an explicit step to update the submodules:
```yaml
git:
  submodules: false
before_install:
  - echo -e "\n\nmachine github.com\n  login $CI_USER_TOKEN\n" >~/.netrc
  - git submodule update --init --recursive
```
The `.netrc` file is deleted for security reasons right after having cloned the repository of which the build and its submodules are executed!
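A more defensive way to write the `~/.netrc` entry used in the Password and API Token sections, added here as an example and not taken from the Travis CI documentation: it refuses an empty variable, creates the file with mode 0600, and uses `printf` instead of the non-portable `echo -e`. The function name `write_netrc` and its argument order are assumptions.

```shell
#!/bin/sh
# Added example: write the github.com netrc entry from a CI secret.
# Usage: write_netrc LOGIN [PASSWORD] [FILE]
#   LOGIN    user name, or the API token when PASSWORD is empty
#   PASSWORD optional; omitted for the token variant
#   FILE     target file, defaults to ~/.netrc (hypothetical third argument)
write_netrc() {
    login=$1
    password=${2:-}
    file=${3:-"$HOME/.netrc"}

    # An unset variable (for example a secret that is not shared with a
    # fork PR build) would otherwise produce a silently broken entry.
    if [ -z "$login" ]; then
        echo "write_netrc: login/token is empty, nothing written" >&2
        return 1
    fi

    # netrc is whitespace-delimited: a space or newline inside the value
    # would be parsed as additional tokens.
    case "$login$password" in
        *[[:space:]]*)
            echo "write_netrc: credential contains whitespace" >&2
            return 1 ;;
    esac

    # umask in a subshell: the file is created owner-only, and the
    # umask of the rest of the build is untouched.
    (
        umask 077
        {
            printf 'machine github.com\n  login %s\n' "$login"
            if [ -n "$password" ]; then
                printf '  password %s\n' "$password"
            fi
        } > "$file"
    ) || return 1

    # Covers the case where FILE already existed with wider permissions.
    chmod 600 "$file"
}
```

Source the file in `before_install` and call `write_netrc "$CI_USER_TOKEN"`, or `write_netrc ci-user "$CI_USER_PASSWORD"` for the password variant.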
Dedicated User Account #
As mentioned a few times, it might make sense to create a dedicated CI user for the following reasons:
- The CI user will only have access to the repositories you want it to have access to.
- You can limit the access to read access.
- Less risk when it comes to leaking keys or credentials.
- The CI user will not leave the organization for non-technical reasons and accidentally break all your builds.
In order to do so, you need to register on GitHub as if you would be signing up for a normal user. Registering users cannot be automated, since that would violate the GitHub Terms of Service.
Source: https://docs.travis-ci.com/user/private-dependencies/