fix(aio): ensure `NGBUILDS_IO_KEY` is not printed

Gaining access to another PR's JWT, would allow faking that PR's author wrt to
GitHub team membership verification for as long as the JWT is valid (currently
90 mins).

aio/aio-builds-setup/docs/01. VM setup - Set up secrets.md

@@ -18,8 +18,8 @@ Necessary secrets:
 
 **Note:**
 `TEST_GITHUB_TOKEN` and `TEST_PREVIEW_DEPLOYMENT_TOKEN` can also be created similar to their
-non-TEST counterparts and they will be loaded when running `aio-verify-setup`, but it currently not
-clear if/how they can be used in tests.
+non-TEST counterparts and they will be loaded when running `aio-verify-setup`, but it is currently
+not clear if/how they can be used in tests.
 
 
 ## Create secrets
@@ -33,6 +33,14 @@ clear if/how they can be used in tests.
    - Add it to `.travis.yml` under `addons -> jwt -> secure`.
      Can be added automatically with: `travis encrypt --add addons.jwt PREVIEW_DEPLOYMENT_TOKEN=<access-key>`
 
+**Note:**
+Due to [travis-ci/travis-ci#7223](https://github.com/travis-ci/travis-ci/issues/7223) it is not
+currently possible to use the JWT addon (as described above) for anything other than the
+`SAUCE_ACCESS_KEY` variable. You can get creative, though...
+
+**WARNING**
+TO avoid arbitrary uploads, make sure the `PREVIEW_DEPLOYMENT_TOKEN` is NOT printed in the Travis log.
+
 
 ## Save secrets on the VM
 

aio/scripts/deploy-preview.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 
-set -eux -o pipefail
+# WARNING: NGBUILDS_IO_KEY should NOT be printed.
+set +x -eu -o pipefail
 
 
 INPUT_DIR=dist/

scripts/ci/env.sh

@@ -74,6 +74,7 @@ if [[ ${TRAVIS:-} ]]; then
 
   # If NGBUILDS_IO_KEY not set yet, export the NGBUILDS_IO_KEY using the JWT token that Travis generated and exported for SAUCE_ACCESS_KEY.
   # This is a workaround for travis-ci/travis-ci#7223
+  # WARNING: NGBUILDS_IO_KEY should NOT be printed
   export NGBUILDS_IO_KEY=${NGBUILDS_IO_KEY:-$SAUCE_ACCESS_KEY}
 
   # Used by karma and karma-chrome-launcher