Basic TravisCI Information

Support HackTricks


TravisCI directly integrates with different git platforms such as Github, Bitbucket, Assembla, and Gitlab. It will ask the user to give TravisCI permissions to access the repos he wants to integrate with TravisCI.

For example, in Github it will ask for the following permissions:

  • user:email (read-only)

  • read:org (read-only)

  • repo: Grants read and write access to code, commit statuses, collaborators, and deployment statuses for public and private repositories and organizations.

Encrypted Secrets

Environment Variables

In TravisCI, as in other CI platforms, it's possible to save at repo level secrets that will be saved encrypted and be decrypted and push in the environment variable of the machine executing the build.

It's possible to indicate the branches to which the secrets are going to be available (by default all) and also if TravisCI should hide its value if it appears in the logs (by default it will).

Custom Encrypted Secrets

For each repo TravisCI generates an RSA keypair, keeps the private one, and makes the repository’s public key available to those who have access to the repository.

You can access the public key of one repo with:

travis pubkey -r <owner>/<repo_name>
travis pubkey -r carlospolop/t-ci-test

Then, you can use this setup to encrypt secrets and add them to your .travis.yaml. The secrets will be decrypted when the build is run and accessible in the environment variables.

Note that the secrets encrypted this way won't appear listed in the environmental variables of the settings.

Custom Encrypted Files

Same way as before, TravisCI also allows to encrypt files and then decrypt them during the build:

travis encrypt-file super_secret.txt -r carlospolop/t-ci-test

encrypting super_secret.txt for carlospolop/t-ci-test
storing result as super_secret.txt.enc
storing secure env variables for decryption

Please add the following to your build script (before_install stage in your .travis.yml, for instance):

    openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d

Pro Tip: You can add it automatically by running with --add.

Make sure to add super_secret.txt.enc to the git repository.
Make sure not to add super_secret.txt to the git repository.
Commit all changes to your .travis.yml.

Note that when encrypting a file 2 Env Variables will be configured inside the repo such as:

TravisCI Enterprise

Travis CI Enterprise is an on-prem version of Travis CI, which you can deploy in your infrastructure. Think of the ‘server’ version of Travis CI. Using Travis CI allows you to enable an easy-to-use Continuous Integration/Continuous Deployment (CI/CD) system in an environment, which you can configure and secure as you want to.

Travis CI Enterprise consists of two major parts:

  1. TCI services (or TCI Core Services), responsible for integration with version control systems, authorizing builds, scheduling build jobs, etc.

  2. TCI Worker and build environment images (also called OS images).

TCI Core services require the following:

  1. A PostgreSQL11 (or later) database.

  2. An infrastructure to deploy a Kubernetes cluster; it can be deployed in a server cluster or in a single machine if required

  3. Depending on your setup, you may want to deploy and configure some of the components on your own, e.g., RabbitMQ - see the Setting up Travis CI Enterprise for more details.

TCI Worker requires the following:

  1. An infrastructure where a docker image containing the Worker and a linked build image can be deployed.

  2. Connectivity to certain Travis CI Core Services components - see the Setting Up Worker for more details.

The amount of deployed TCI Worker and build environment OS images will determine the total concurrent capacity of Travis CI Enterprise deployment in your infrastructure.

Support HackTricks

Last updated