Tags: node.js, testing, continuous-integration, travis-ci, system-testing

Securing travis ci environmental variables in an open-source project for system testing


I'm building an open-source library that provides an API for a 3rd party service. During this I'm learning testing, git-flow and continuous deployment, and came across a problem related to securing environmental variables for an open-source project.

I currently have generated secret environment variables through the travis cli (travis encrypt key=value), which are used for automated system testing.

On pushing updates to feature branches or pull requests I noticed that tests are automatically run by travis ci, which is awesome. But I started to wonder what protects me against someone making a pull request that maliciously gathers the process.env object and pushes it to something external, thus revealing my precious environmental variables.

How can one truly be sure that environment credentials (such as API credentials) are protected in travis ci for system testing?

Should I even be creating system tests? Or should I fake the requests to the external service?


Solution

  • Travis CI documentation says:

    For the protection of secure data, Travis CI makes it available only on pull requests coming from the same repository. These are considered trustworthy, as only members with write access to the repository can send them.

    Pull requests sent from forked repositories don’t have this data available in their builds. All data that’s considered confidential will not be added to the build’s environment.

    https://docs.travis-ci.com/user/pull-requests#Security-Restrictions-when-testing-Pull-Requests
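The two halves of the question (can a fork pull request read my secrets, and should the tests use the real service or a fake) can be wired together in the test setup itself. The following is an added example, not code from the question, the answer or Travis CI: it gates the live system test on Travis having actually decrypted the secure variables (Travis exports TRAVIS_SECURE_ENV_VARS=true only in that case, and never for a pull request from a fork) and falls back to a fake client with the same interface otherwise. LiveClient, FakeClient, the API_KEY variable name and the getProfile call are all hypothetical; the sample profile data is constructed.

```javascript
'use strict';

// Hypothetical client for the 3rd-party service. The real one would make an
// HTTPS call with the key; here it only records that it was constructed with one.
class LiveClient {
  constructor(apiKey) {
    if (!apiKey) throw new Error('LiveClient needs an API key');
    this.apiKey = apiKey;
  }
  getProfile(id) {
    // Placeholder: a real call would go to the remote service here.
    throw new Error('network access is not exercised in this example');
  }
}

// Fake client with the same interface, backed by constructed sample data, so
// builds that have no secrets (fork pull requests) still run the test suite.
class FakeClient {
  constructor() {
    this.profiles = { '42': { id: '42', name: 'constructed-sample-user' } };
  }
  getProfile(id) {
    const profile = this.profiles[id];
    if (!profile) {
      const err = new Error('not found');
      err.status = 404;
      throw err;
    }
    return profile;
  }
}

// Decide whether this build may run live system tests. `env` is passed in
// explicitly so the logic can be tested without mutating process.env.
function secretsAvailable(env) {
  // Travis sets TRAVIS_SECURE_ENV_VARS to "true" only when encrypted variables
  // were decrypted for this build; on a fork pull request it is "false" and the
  // encrypted variables are simply absent from the environment.
  return env.TRAVIS_SECURE_ENV_VARS === 'true'
    && typeof env.API_KEY === 'string'
    && env.API_KEY.length > 0;
}

// Pick the client once per run and label the mode so the CI log shows which
// kind of test actually executed.
function selectClient(env) {
  if (secretsAvailable(env)) {
    return { mode: 'live', client: new LiveClient(env.API_KEY) };
  }
  return { mode: 'fake', client: new FakeClient() };
}

// A test-style check that works in both modes and returns its result instead of
// only printing it, so a harness can assert on it.
function runProfileCheck(env) {
  const { mode, client } = selectClient(env);
  if (mode === 'live') {
    return { mode, profile: client.getProfile('42') };
  }
  const profile = client.getProfile('42');
  return { mode, profile };
}

// Usage from a test file: runProfileCheck(process.env)
// -> { mode: 'fake', profile: { id: '42', name: 'constructed-sample-user' } }
//    on a fork pull request or on a developer machine without API_KEY.
```

The design point is that the fake path is the default and the live path is opt-in on evidence of decrypted secrets, rather than the other way round: a pull request from a fork then runs the same suite against the fake, with nothing in process.env for a malicious test to collect, while pushes to branches in the main repository exercise the real service. If the live tests must also be skipped on builds that do have secrets (for example to save API quota), the same `secretsAvailable` check can be combined with a branch or tag condition in .travis.yml.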