angular-docs-cn/aio/aio-builds-setup/docs/vm-setup--set-up-secrets.md

# VM Setup - Set up secrets


## Overview

Necessary secrets:

1. `GITHUB_TOKEN`
   - Used for:
     - Retrieving open PRs without rate-limiting.
     - Retrieving PR author.
     - Retrieving members of the `angular-core` team.
     - Posting comments with preview links on PRs.

2. `PREVIEW_DEPLOYMENT_TOKEN`
   - Used for:
     - Decoding the JWT tokens received with `/create-build` requests.

**Note:**
`TEST_GITHUB_TOKEN` and `TEST_PREVIEW_DEPLOYMENT_TOKEN` can also be created similar to their
non-TEST counterparts and they will be loaded when running `aio-verify-setup`, but it is currently
not clear if/how they can be used in tests.


## Create secrets

1. `GITHUB_TOKEN`
   - Visit https://github.com/settings/tokens.
   - Generate new token with the `public_repo` scope.

2. `PREVIEW_DEPLOYMENT_TOKEN`
   - Just generate a hard-to-guess character sequence.
   - Add it to `.travis.yml` under `addons -> jwt -> secure`.
     Can be added automatically with: `travis encrypt --add addons.jwt PREVIEW_DEPLOYMENT_TOKEN=<access-key>`

**Note:**
Due to [travis-ci/travis-ci#7223](https://github.com/travis-ci/travis-ci/issues/7223) it is not
currently possible to use the JWT addon (as described above) for anything other than the
`SAUCE_ACCESS_KEY` variable. You can get creative, though...

**WARNING**
TO avoid arbitrary uploads, make sure the `PREVIEW_DEPLOYMENT_TOKEN` is NOT printed in the Travis log.


## Save secrets on the VM

- `sudo mkdir /aio-secrets`
- `sudo touch /aio-secrets/GITHUB_TOKEN`
- Insert `<github-token>` into `/aio-secrets/GITHUB_TOKEN`.
- `sudo touch /aio-secrets/PREVIEW_DEPLOYMENT_TOKEN`
- Insert `<access-token>` into `/aio-secrets/PREVIEW_DEPLOYMENT_TOKEN`.
- `sudo chmod 400 /aio-secrets/*`
feat(aio): support passing secrets as files to the docker container 2017-02-28 14:09:44 -05:00			`# VM Setup - Set up secrets`


			`## Overview`

			`Necessary secrets:`

			1. `GITHUB_TOKEN`
			`- Used for:`
			`- Retrieving open PRs without rate-limiting.`
			`- Retrieving PR author.`
			- Retrieving members of the `angular-core` team.
			`- Posting comments with preview links on PRs.`

			2. `PREVIEW_DEPLOYMENT_TOKEN`
			`- Used for:`
			- Decoding the JWT tokens received with `/create-build` requests.

			`Note:`
			`TEST_GITHUB_TOKEN` and `TEST_PREVIEW_DEPLOYMENT_TOKEN` can also be created similar to their
fix(aio): ensure `NGBUILDS_IO_KEY` is not printed Gaining access to another PR's JWT, would allow faking that PR's author wrt to GitHub team membership verification for as long as the JWT is valid (currently 90 mins). 2017-03-05 09:32:44 -05:00			non-TEST counterparts and they will be loaded when running `aio-verify-setup`, but it is currently
			`not clear if/how they can be used in tests.`
feat(aio): support passing secrets as files to the docker container 2017-02-28 14:09:44 -05:00

			`## Create secrets`

			1. `GITHUB_TOKEN`
			`- Visit https://github.com/settings/tokens.`
			- Generate new token with the `public_repo` scope.

			2. `PREVIEW_DEPLOYMENT_TOKEN`
			`- Just generate a hard-to-guess character sequence.`
			- Add it to `.travis.yml` under `addons -> jwt -> secure`.
			Can be added automatically with: `travis encrypt --add addons.jwt PREVIEW_DEPLOYMENT_TOKEN=<access-key>`

fix(aio): ensure `NGBUILDS_IO_KEY` is not printed Gaining access to another PR's JWT, would allow faking that PR's author wrt to GitHub team membership verification for as long as the JWT is valid (currently 90 mins). 2017-03-05 09:32:44 -05:00			`Note:`
			`Due to [travis-ci/travis-ci#7223](https://github.com/travis-ci/travis-ci/issues/7223) it is not`
			`currently possible to use the JWT addon (as described above) for anything other than the`
			`SAUCE_ACCESS_KEY` variable. You can get creative, though...

			`WARNING`
			TO avoid arbitrary uploads, make sure the `PREVIEW_DEPLOYMENT_TOKEN` is NOT printed in the Travis log.

feat(aio): support passing secrets as files to the docker container 2017-02-28 14:09:44 -05:00
			`## Save secrets on the VM`

			- `sudo mkdir /aio-secrets`
			- `sudo touch /aio-secrets/GITHUB_TOKEN`
			- Insert `<github-token>` into `/aio-secrets/GITHUB_TOKEN`.
			- `sudo touch /aio-secrets/PREVIEW_DEPLOYMENT_TOKEN`
			- Insert `<access-token>` into `/aio-secrets/PREVIEW_DEPLOYMENT_TOKEN`.
			- `sudo chmod 400 /aio-secrets/*`