Open jyasskin opened 7 years ago
This is the first I'm learning of this! Yeah, I'd be glad to add it.
Or rather, I would be glad to add it, if I had a single clue what they were talking about wrt the encrypted token. I was never given anything of the sort, and I don't understand what it is we're supposed to be encrypting. I'm also curious if it really is necessary to install a Ruby library for Travis just to get this done.
I'm gonna have to poke around and see if I can figure any of this out. Do you have any info from your own attempts?
The token is something you get from a team contact when you ask to use Echidna for one of your specs (https://github.com/w3c/echidna/wiki/Token-creation).
It looks like the Echidna endpoint at https://labs.w3.org/echidna/api/request expects either an unauthenticated request holding "url + token + decision" or a request authenticated with your username+password holding "tar + decision". So it'll probably take an extension to Echidna to accept a tar+token+decision, like Bikeshed will need.
You use the `travis` command to encrypt that token so you can put it into the published `.travis.yml`, and then Travis CI decrypts it into an environment variable that you can use as an argument to the `bikeshed echidna` command in `after_success`. See https://docs.travis-ci.com/user/environment-variables/#Defining-encrypted-variables-in-.travis.yml for their documentation on this.
That is, `bikeshed` doesn't need to deal with any of the encryption or decryption.
Yeah, Bikeshed currently uses the latter method to talk to Echidna.
Chatted with denis and tripu on #pub, and now have an issue open on Echidna (https://github.com/w3c/echidna/issues/492) to support encrypting your un/pw with a public key and sending it to Echidna that way.
You still need to protect the encrypted un/pw token with Travis's secrets infrastructure, so it's not available to anyone other than repo maintainers, but it avoids revealing your pw to anyone.
In order to use `bikeshed echidna` on TravisCI, I'd need to save my password as a secret variable, which lets anyone with write access to the repository exfiltrate it. Instead, it'd be nice if Bikeshed could accept a token, as recommended in https://github.com/w3c/echidna/wiki/Setting-up-Echidna-as-a-GitHub-hook.