Is CODECLIMATE_REPO_TOKEN a secret?

[jimmycuadra]

Should the value of CODECLIMATE_REPO_TOKEN be encrypted when checked into a .travis.yml on an open source project or is it a public key? I'm not entirely clear what the purpose of this token is. I'm probably not the only one wondering, so it might be useful to clarify this in the project README and the documentation on the Code Climate website.

[noahd1]

Hey @jimmycuadra --

Thanks for pointing this out and asking.

The purpose of the token is to identify to Code Climate which repository the coverage data should be associated with. It is specific to each repo.

The token that we provide is only used for this purpose -- it provides no other write access than this, and 0 read access.

I would say it's probably best practice to keep this kind of thing secret, but because of its limited capabilities, it's also not a huge problem should it leak out.

Hope that helps.

[jimmycuadra]

Another related question: Coveralls doesn't seem to have an equivalent of this token when integrating with Travis CI. Is this a vulnerability of their approach or is there a way to automatically identify the repository by name without the need to use a special token?

I'm interested in adding an option to use Code Climate's test coverage tracking in some plugin generators in a project of mine, and it'd be ideal to be able to automatically generate all the code needed for this integration without requiring the plugin developer to make a separate commit adding the token.

[sgerrand]

@jimmycuadra: Coveralls do use a repo_token key in their configuration file(under 'Configuration'), which seems to be equivalent.

[jimmycuadra]

This is only needed for repos not using a CI and should be kept secret -- anyone could use it to submit coverage data on your repo's behalf.

They seem to have some sort of whitelisting behavior for coverage data sent from trusted CI services like Travis. If that's the best way to approach this, then I guess what I'm asking for is more of a feature request. @noahd1, let me know if you want me to open another issue to track this or if this works for you.

[jonathancadepowers]

I'm closing this one out, as we now have a help doc on this issue: http://docs.codeclimate.com/article/276-should-i-keep-my-test-coverage-token-secret

[XedinUnknown]

The doc returns a 404. It is now available here.

[jakeasmith]

Did this move again? I'm not immediately seeing a direct answer to this.

[davehenton]

Hey @jakeasmith -- sorry for the confusion here. This information is now found at the bottom of this page. Let me know if you have any further questions. Happy to help.