2

I have a library that I build with FAKE, pack, and push to NuGet. Works fine.

Now, I want to do all that, including the "push" part, in continuous mode, via Travis CI. I know there are security concerns, but it seems that I can do this securely (at least in principle) by putting the NuGet API key in a Travis environment variable, so it's not available to external pull requests, and pushing only when building a special dedicated branch.

The problem comes when FAKE meets Travis.

  1. Turns out, when I use the Paket.Push helper, the whole paket.exe command line is emitted as FAKE's output, complete with my NuGet API key.
  2. At the same time, it turns out that Travis lets any non-authenticated nosy individual to see full build logs of any project. With my NuGet API key right in there.

I know that I can disable the whole output from FAKE by redirecting it to /dev/null (in .travis.yml), but I'd like to keep most of the output, just hide that specific part with the key.

I could not find any relevant parameters in the PaketPushParams structure, and Google didn't turn up anything either. The next step would be to look through FAKE source code to see if the output is even conditional, but I thought I'd ask first. I can't be the first person to hit this. :-)

Fyodor Soikin
  • 78,590
  • 9
  • 125
  • 172

1 Answers1

2

I didn't find an answer with Google either, but I did know more or less where to look in the FAKE source code, so I went ahead and did that.

It looks like the Paket.Push helper calls ExecProcess to actually run the relevant task. ExecProcess eventually calls ExecProcessWithLambdas to do the work, and the line in ExecProcessWithLambdas that prints the process name and arguments out to the FAKE log checks the enableProcessTracing variable first, and will not output the process name and arguments if that variable is false. The enableProcessTracing variable is undocumented, but mutable so you should be able to set it. I have not tried this myself yet, but in principle you should be able to do:

ProcessHelper.enableProcessTracing <- false // Logging off
// Do security-sensitive work here
ProcessHelper.enableProcessTracing <- true  // Logging back on for rest of build

Does that do what you need?

rmunn
  • 34,942
  • 10
  • 74
  • 105