Do not require github username / password

Open chrissound opened this issue 5 years ago • 2 comments

https://github.com/travis-ci/travis.rb/issues/645

It is horrifying that you require a username / password of GitHub just to "encrypt" some variables. It's a serious security issue, and should probably be handled by OAuth with GitHub's API instead.

chrissound, Jan 15 '20 11:01

Travis CI doesn't ever ask you for your GitHub password. It logs in to your GitHub account using tokens.

However, there is a related issue that travis-ci.com requires way more permissions than necessary just to log in from the CLI, namely:

  • read:org
  • repo
  • user:email

If you've already got an account with Travis CI then it's already been granted OAuth permissions. In which case the token to log in from the CLI shouldn't require any scopes at all, i.e. you're just proving to Travis CI that you are a particular GitHub user; that's it.

Benjamin-Dobell, Jan 22 '20 04:01

As you can see above, it will ask you for your GitHub user name and password, but not send these to Travis CI. Instead, it will use them to create a GitHub API token

vatosarmat, Feb 03 '20 16:02