Failing Travis CI tests when using secret keys in rails - ruby-on-rails

I am using environment variables in secrets.yml for production environment in my rails app. I am sending http post request with api key and password. I can pass my local tests in test environment by using the password. But my password can't be exposed, so how do I pass travis ci tests on github?

You can encrypt your secrets.yml and push encrypted file to the repository.
travis encrypt-file secrets.yml
which will give you secrets.yml.enc; add it to the repository. Remember not to push secrets.yml.
You need to decrypt that file in before_script:
before_script: openssl aes-256-cbc -K $encrypted_0a6446eb3ae3_key -iv $encrypted_0a6446eb3ae3_iv -in secrets.yml.enc -out secrets.yml -d
You can directly add above command to travis.yml using --add option:
travis encrypt-file secrets.yml --add
Refer to this documentation for more details - Encrypting Files in Travis
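A guarded form of the decryption step above, as an added example that is not part of the original answer: it skips decryption when the key and IV are absent (Travis does not expose encrypted variables to pull requests from forks), rejects values of the wrong length, and writes the plaintext with owner-only permissions. The helper name decrypt_secrets is an assumption; in CI it would be called with the key and IV variables that travis encrypt-file generated.

```shell
#!/bin/sh
# Added example: guarded decryption of secrets.yml.enc for a CI before_script.
# decrypt_secrets is a hypothetical helper name, not part of the travis CLI.

# usage: decrypt_secrets KEY_HEX IV_HEX IN_FILE OUT_FILE
# returns 0 on success, 2 when key/IV are unavailable, 1 on any other failure
decrypt_secrets() {
    key_hex=$1 iv_hex=$2 in_file=$3 out_file=$4

    # Fork pull requests run without encrypted variables: report and skip.
    if [ -z "$key_hex" ] || [ -z "$iv_hex" ]; then
        echo "secrets unavailable (fork PR?); skipping decryption" >&2
        return 2
    fi

    # AES-256-CBC takes a 32-byte key (64 hex chars) and a 16-byte IV (32 hex chars).
    # A key value passed in the IV position, or the reverse, fails this check.
    if [ "${#key_hex}" -ne 64 ] || [ "${#iv_hex}" -ne 32 ]; then
        echo "key/IV have unexpected length" >&2
        return 1
    fi

    # Create the plaintext with owner-only permissions; remove it on failure.
    ( umask 077
      openssl aes-256-cbc -d -K "$key_hex" -iv "$iv_hex" \
          -in "$in_file" -out "$out_file" ) || { rm -f "$out_file"; return 1; }
}
```

A build that receives status 2 can run only the tests that do not need the real API credentials.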

Related

Rails credential values are nil while running tests on github actions

I am encoding and decoding JSON web tokens using Rails secret_key_base; my secret_key_base is in the credentials.yml.enc file. In one of the tests, I am using this function to decode a JWT. Locally the tests are running fine, but on GitHub Actions it is failing. I found out that the value of Rails.application.credentials.secret_key_base is nil when running the test on GitHub Actions. I fixed those tests by mocking like this
allow(Rails.application.credentials).to receive(:secret_key_base).
and_return("secret")
Is there a way I don't have to do this on GitHub Actions for other credentials? Also, since the master.key was not committed, I hoped that I would see this error
ActiveSupport::MessageEncryptor::InvalidMessage
while reading from the credentials file but that also didn't happen.
This is a link to my project if that clears things up.
In Rails 6, you can create credentials.yml.enc file per environment.
In vscode:
EDITOR="code --wait" rails credentials:edit --environment production
EDITOR="code --wait" rails credentials:edit --environment test
it gives you production.key, production.yml.enc, test.key, test.yml.enc.
You can then commit test.key to github for testing or even better, set this key in RAILS_TEST_KEY env.
Though it gets a little bit tricky to maintain both env files. You can create a credentials.yml.example file with empty envs for reference.
I think 'the cleanest/right way' to do this is to add master key(value from config/master.key) into github secrets.
Go to repository settings->secrets(left side menu)->new repository secret.
It makes sense to name it RAILS_MASTER_KEY.
And then in your workflow file add
env:
  RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
And that's it, Rails will be smart enough to use that variable in credentials decryption.
No need to make additional credentials files. For me it's working with only one credentials.yml.enc
EDIT: Even better, if you can skip using credentials, add heroku config variable SECRET_KEY_BASE and in config/application.rb add
config.secret_key_base = ENV['SECRET_KEY_BASE']
and for production use Rails.configuration.secret_key_base,
for test/development Rails.application.secrets.secret_key_base that's set by rails
ex.
SECRET_KEY = Rails.env.production? ? Rails.configuration.secret_key_base : Rails.application.secrets.secret_key_base
This way you don't have to store master key on every machine that's running your app. ex. coworkers, github actions, staging, production.
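A preflight check for the CI job, as an added example that is not part of either answer above: it resolves which credentials key Rails 6 would use (RAILS_MASTER_KEY first, then the per-environment key file or config/master.key) and fails the step with a clear message when none is present or well-formed, instead of leaving credentials to read as nil. The helper name rails_key_source is an assumption, and the paths are the Rails 6 defaults.

```shell
#!/bin/sh
# Added example: preflight for a CI job, run before the test command.
# rails_key_source is a hypothetical helper; paths are the Rails 6 defaults.

# usage: rails_key_source APP_ROOT RAILS_ENV
# Prints which key source Rails would use; returns 1 if none is usable.
rails_key_source() {
    root=$1 env_name=$2

    # The per-environment key is used when that environment's .yml.enc exists.
    if [ -f "$root/config/credentials/$env_name.yml.enc" ]; then
        key_file="$root/config/credentials/$env_name.key"
    else
        key_file="$root/config/master.key"
    fi
    rel=${key_file#"$root"/}

    # RAILS_MASTER_KEY takes precedence over the key file.
    if [ -n "${RAILS_MASTER_KEY:-}" ]; then
        candidate=$RAILS_MASTER_KEY
        source_name="env:RAILS_MASTER_KEY"
    elif [ -f "$key_file" ]; then
        candidate=$(tr -d '[:space:]' < "$key_file")
        source_name="file:$rel"
    else
        echo "no credentials key: set RAILS_MASTER_KEY or provide $rel" >&2
        return 1
    fi

    # Keys generated by `rails credentials:edit` are 32 hex characters.
    case $candidate in
        *[!0-9a-fA-F]*) bad=1 ;;
        *) bad=0 ;;
    esac
    if [ "$bad" -eq 1 ] || [ "${#candidate}" -ne 32 ]; then
        echo "key from $source_name is not 32 hex characters" >&2
        return 1
    fi
    echo "$source_name"   # report the source, never the key itself
}
```

In a workflow, call it as `rails_key_source . test` in a step whose `env:` carries `RAILS_MASTER_KEY`.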

How should I give the repo url in production environment

I am using capistrano for deployment of my rails application. In my config/deploy.rb file how should I give the repo url.
I am following this tutorial:
https://gorails.com/deploy/ubuntu/14.04
Instead of
set :repo_url, 'git@github.com:excid3/myapp.git'
what should be given there if I am using bitbucket
For bitbucket, you would use:
git@bitbucket.org:accountname/reponame.git
or
ssh://git@bitbucket.org/accountname/reponame.git
See "Use the SSH protocol with Bitbucket"
Note: the comments of the tutorial mentioned in the question add:
Your local key in ~/.ssh/id_rsa will be tried against the server's /home/deploy/authorized_keys file.
Capistrano won't allow password authentication, so you must make sure you ran the ssh-copy-id to add your pub key to the server deploy user's authorized_keys file.

Amazon EC2 + Capistrano + Git: Permission denied (publickey)

When I deploy a Rails app to Amazon EC2 server with using Capistrano, I get
** [IP.compute-1.amazonaws.com :: out] Permission denied (publickey).
** [IP.compute-1.amazonaws.com :: out] fatal: The remote end hung up unexpectedly
while executing the
git clone
command.
I think it has something to do with Github keys, but I don't know how to set it up.
I would be grateful for any advice!
Thanks!
EDIT:
I generated the new key on Github, put it into id_rsa.pub and on my EC2 server I created the file .ssh/authorized_keys with this key, but it still doesn't work.
What's wrong with that?
To use ssh agent:
ssh_options[:forward_agent] = true
To use your pem file:
ssh_options[:auth_methods] = ["publickey"]
ssh_options[:keys] = ["/path/to/file.pem"]
To enable agent in your local
$ ssh-add
You will have to execute this command each time. I don't know the scope of 'each time'; I added ssh-add to run each time I open a new tab in terminal with echo ssh-add >> ~/.bashrc, depending on your OS and configuration.
The process, as far as I understand is this:
You have an ssh-agent in your local
You connect to server you are deploying with pem file, as you do with ssh, but this time through Capistrano
Remote server uses your agent to use your key to checkout git repo inside deploy machine.
Can you first SSH to your EC2 instance and then second, clone your github repo from the EC2 instance using the ssh keys that are installed on your EC2 instance?
With all of these distributed workflows things can get a little confusing, so let me try and puzzle out what you're doing wrong.
The id_rsa.pub that you installed on Github corresponds with a private key. Usually, this is in ~/.ssh/id_rsa. This keypair enables a holder of the private key to SSH to github.
.ssh/authorized_keys is an SSH server configuration. authorized_keys contains the public keys (i.e., id_rsa.pub) that enable an SSH server to accept incoming connections from machines with the corresponding private key. The authorized_keys file is not relevant to your cloning issue.
The EC2 instance is trying to contact the Github repository in order to clone the repository from Github, and failing. The EC2 instance needs a private key configured to match up with the corresponding public (Github) key for the account.
Generate a new keypair on the EC2 instance, and add the public key from the new keypair to your Github account.

eval `ssh-agent` for cap deploy

I'm on ubuntu 11.10. When I need to deploy using capistrano, unless I write
eval `ssh-agent`
ssh-add
the deploy process asks for the git repository password as well as the server access password. Can I set something in my terminal config to stop me having to do this?
I think you can solve your issue by using an SSH public/private key. I think the following references will help you solve it.
capistrano problem, Capistrano asks for password when deploying, despite SSH keys

Heroku can't find facebook.yml file; what is going on?

I am deploying an app that works locally to heroku. My heroku logs produce the following error:
/usr/ruby1.9.2/lib/ruby/1.9.1/syck.rb:145:in `initialize': No such file or directory - /app/2c325e9f-adb9-420e-b7d8-a80f8aa4c4e6/home/config/facebook.yml
My facebook.yml file is in the /config directory and is formatted as such:
development:
  app_id
  secret_key
test:
  app_id
  secret_key
production:
  app_id
  secret_key
My guess is that you forgot to...
git add facebook.yml
git commit -m 'new file' .
prior to
git push heroku master
Although DigitalRoss's answer works, it may not always be a best practice.
By adding YAML files to the repository, you put sensitive information into your git account, leaving security issues (e.g. if the code is shared on GitHub or elsewhere).
Here's what Heroku suggests.
