Question

I am working on a project that is using Travis CI. Some of our tests require secure credentials to be defined in environment variables, or else they are skipped. We are using the encrypt command of the Travis CLI gem to define a secure environment variable for our primary repository, owner/Project. This variable is included in our .travis.yml file as follows:

Single-Repository Configuration
env:
  secure: "av9hxTZp/Dhe9xAOq6WlhTNDoWjjczN3lFanG6h/3h4kW7DsxhfXMRA96z6MambbC6c9ARFiwsQ24NeCAfPQ1m6r9uZwNkusqnRDOwZQeVQcmopnoNNG4Kd/9oclIVgsAlSG6WfhkyQPUG2p7PkOvxFV4/YjDSViYDR3eoih3JA="

travis encrypt has encrypted these variables using the private key for our owner/Project, and Travis runs the credentialed tests successfully for that repository.

However we have another repository, contributor/Project, which is also used for development. When Travis is run in that repository, the secure environment variables are not available, and the credentialed tests are skipped.

I used travis encrypt to encrypt a set of credentials for contributor/Project, and tried to add it to the .travis.yml like this:

Causes Extra Builds
env:
  - secure: "av9hxTZp/Dhe9xAOq6WlhTNDoWjjczN3lFanG6h/3h4kW7DsxhfXMRA96z6MambbC6c9ARFiwsQ24NeCAfPQ1m6r9uZwNkusqnRDOwZQeVQcmopnoNNG4Kd/9oclIVgsAlSG6WfhkyQPUG2p7PkOvxFV4/YjDSViYDR3eoih3JA="
  - secure: "TcOCPDytGQpQgiP4w4LRdLXn+pUvhf5SjJF4J3TXjaPUCfomNfod2WTZn3v4WBR2kg3UCaeqFo2BmGUdwCdPbrAZ3cF2W749HLNU0Z2zxFWru5W+GAGgUi2FXIzzjF+U8Hb/2fLZ6GoUiSlNzVHKo/+kvLDAyuGnGFwfH7dpEb8="

This resulted in Travis running two different versions of the build. One attempted to use each set of secure credentials. Since only one set was valid for a given repository, this would result in the test suite being run twice, once with credentials and once without. You can see an example build here.

This extra build is wasteful and unnecessary. If the test is running in an environment where neither set of secure credentials is available (such as a pull request from a fork), the test suite will be run without credentials twice. Adding more sets of credentials would be even worse; you'd have several redundant uncredentialed builds for every credentialed build.

How can I define secure environment variables for multiple repositories in a single Travis configuration without causing extra builds to occur?


Solution

When I defined multiple secure values directly under env, they seemed to be treated as though I had used the matrix key, which defines multiple variations of a build. It was as though I had written:

Causes Extra Builds
env:
  matrix:
    - secure: "TcOCPDytGQpQgiP4w4LRdLXn+pUvhf5SjJF4J3TXjaPUCfomNfod2WTZn3v4WBR2kg3UCaeqFo2BmGUdwCdPbrAZ3cF2W749HLNU0Z2zxFWru5W+GAGgUi2FXIzzjF+U8Hb/2fLZ6GoUiSlNzVHKo/+kvLDAyuGnGFwfH7dpEb8="
    - secure: "av9hxTZp/Dhe9xAOq6WlhTNDoWjjczN3lFanG6h/3h4kW7DsxhfXMRA96z6MambbC6c9ARFiwsQ24NeCAfPQ1m6r9uZwNkusqnRDOwZQeVQcmopnoNNG4Kd/9oclIVgsAlSG6WfhkyQPUG2p7PkOvxFV4/YjDSViYDR3eoih3JA="

Instead, I need to specify the secure credentials under the global key, so that they will all be applied to every build:

Works Nicely
env:
  global:
    - secure: "TcOCPDytGQpQgiP4w4LRdLXn+pUvhf5SjJF4J3TXjaPUCfomNfod2WTZn3v4WBR2kg3UCaeqFo2BmGUdwCdPbrAZ3cF2W749HLNU0Z2zxFWru5W+GAGgUi2FXIzzjF+U8Hb/2fLZ6GoUiSlNzVHKo/+kvLDAyuGnGFwfH7dpEb8="
    - secure: "av9hxTZp/Dhe9xAOq6WlhTNDoWjjczN3lFanG6h/3h4kW7DsxhfXMRA96z6MambbC6c9ARFiwsQ24NeCAfPQ1m6r9uZwNkusqnRDOwZQeVQcmopnoNNG4Kd/9oclIVgsAlSG6WfhkyQPUG2p7PkOvxFV4/YjDSViYDR3eoih3JA="

Travis will attempt to use each of the secure variables in a single build. It will only be able to decode and use the one (or none) that is appropriate to the repository and build conditions. In this way you are able to add secure environment variables for as many repositories as you want to a single Travis configuration.
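A small pre-commit check for the mistake described above, as an added example that is not part of the original answer or of the Travis tooling. It models only the env expansion this page describes (a bare list or env.matrix yields one job per entry, env.global applies to every job); `audit_travis_env` and its helpers are hypothetical names, and the secure values are constructed placeholders.

```ruby
require 'yaml'

# Constructed sample configs; the secure values are placeholders, not real ciphertext.
BARE_LIST = <<~YML
  env:
    - secure: "CONSTRUCTED_BLOB_FOR_OWNER_REPO"
    - secure: "CONSTRUCTED_BLOB_FOR_CONTRIBUTOR_REPO"
YML

GLOBAL_FORM = <<~YML
  env:
    global:
      - secure: "CONSTRUCTED_BLOB_FOR_OWNER_REPO"
      - secure: "CONSTRUCTED_BLOB_FOR_CONTRIBUTOR_REPO"
YML

# Wrap a scalar or hash in a list; Kernel#Array would split a hash into pairs.
def listify(value)
  return [] if value.nil?
  value.is_a?(Array) ? value : [value]
end

def secure?(entry)
  entry.is_a?(Hash) && entry.key?('secure')
end

# Reports how many jobs the env section produces and where secure values sit.
def audit_travis_env(yaml_text)
  env = (YAML.safe_load(yaml_text) || {})['env']
  if env.is_a?(Hash) && (env.key?('matrix') || env.key?('global'))
    matrix = listify(env['matrix'])
    global = listify(env['global'])
  else
    matrix = listify(env) # bare list (or single value) acts like env.matrix
    global = []
  end
  matrix_secure = matrix.count { |e| secure?(e) }
  warnings = []
  if matrix_secure > 0 && matrix.size > 1
    warnings << "#{matrix_secure} secure value(s) are matrix rows; each gets " \
                'its own job. Move them under env.global.'
  end
  { jobs: [matrix.size, 1].max, matrix_secure: matrix_secure,
    global_secure: global.count { |e| secure?(e) }, warnings: warnings }
end

[BARE_LIST, GLOBAL_FORM].each { |cfg| p audit_travis_env(cfg) }
```

Run against a real file with `audit_travis_env(File.read('.travis.yml'))`; a non-empty `warnings` list means some jobs will run without the credentials that other jobs receive.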

Licensed under: CC-BY-SA with attribution