ScottishCovidResponse / data_pipeline_api

API to access the data pipeline
BSD 3-Clause "New" or "Revised" License

PyPi and Anaconda Tokens #119

Open kzscisoft opened 3 years ago

kzscisoft commented 3 years ago

Currently tokens are stated in the .travis.yml file; this should not be the case, especially in a public repository! These should either be masked or alternative methods used.

bobturneruk commented 3 years ago

Ayup @kzscisoft! The public strings are not the tokens, but keys to enable Travis to decrypt and use the tokens (the private information is stored on Travis, behind Travis security).

We've double checked that decrypted tokens can't be induced to appear in logs https://travis-ci.org/github/ScottishCovidResponse/data_pipeline_api/jobs/773809583 (thanks to @willfurnass for the "ethical hacking").

I hope this sets your mind at rest.

However, we did have a task for moving to GitHub actions for all this (and we've already stopped supporting conda packages) https://github.com/ScottishCovidResponse/SCRCIssueTracking/issues/776

I'll leave it to the properly active developers to decide if this remains a priority. I think travis-ci.org will stop on 15th June (transitioning to travis-ci.com). Let me know if I can help.

This may be of interest for any using GitHub actions CI with tokens https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/
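A check in the spirit of this thread, added here as an example and not code from the data_pipeline_api project: it scans a .travis.yml for credentials left in plaintext while accepting Travis `secure:` ciphertext entries and `$VAR` references. It assumes Travis's `secure:` syntax and the `pypi-` prefix of PyPI API tokens; the config fragments are constructed, not the project's real file.

```python
import re
from typing import List, Tuple

SECRET_NAME = re.compile(r"token|password|passwd|secret|api_?key", re.IGNORECASE)  # names that usually hold a credential
PYPI_TOKEN = re.compile(r"\bpypi-[A-Za-z0-9_\-]{20,}")  # PyPI API tokens are literals starting with "pypi-"
SECURE_ENTRY = re.compile(r"^\s*-?\s*secure\s*:")  # Travis ciphertext; only Travis holds the key, so allowed
ASSIGNMENT = re.compile(r"^\s*-?\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(.+)$")  # "key: value" or "- NAME=value"


def find_plaintext_secrets(travis_yml: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for each line that looks like a plaintext credential."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(travis_yml.splitlines(), start=1):
        code = line.split("#", 1)[0].rstrip()  # ignore YAML comments
        if not code.strip() or SECURE_ENTRY.match(code):
            continue
        if PYPI_TOKEN.search(code):
            findings.append((lineno, "literal PyPI API token"))
            continue
        m = ASSIGNMENT.match(code)
        if not m or not SECRET_NAME.search(m.group(1)):
            continue
        value = m.group(2).strip().strip("\"'")
        if value and not value.startswith("$"):  # "$VAR" is a reference to a Travis-side setting, not a literal
            findings.append((lineno, f"plaintext value for {m.group(1)}"))
    return findings


# Constructed .travis.yml fragments (not the project's real file); the token values are placeholders.
WEAK_CONFIG = """\
env:
  global:
    - PYPI_TOKEN=pypi-AgEIcHlwaS5vcmcCJDEyMzQ1Njc4OTAxMjM0NTY3ODkw
    - ANACONDA_TOKEN=an-placeholder-0123456789
deploy:
  provider: pypi
  password: pypi-AgEIcHlwaS5vcmcCJDEyMzQ1Njc4OTAxMjM0NTY3ODkw
"""

FIXED_CONFIG = """\
env:
  global:
    - secure: "Zm9vYmFyLi4u"  # ciphertext; the decryption key lives on Travis
deploy:
  provider: pypi
  password:
    secure: "YmF6cXV4Li4u"
"""

if __name__ == "__main__":
    print("weak:", find_plaintext_secrets(WEAK_CONFIG))
    print("fixed:", find_plaintext_secrets(FIXED_CONFIG))
```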

ghost commented 3 years ago

@bobturneruk that's a relief! I'm not familiar with travis so it looked a bit worrying, but you're correct that it won't matter when we get to migrating to GitHub actions.

bobturneruk commented 3 years ago

Yeah, it looks well sketchy and was never completely ideal.