Instructions: Using a GitHub OAuth token with Composer & Travis CI

I use GitHub to host my open-source projects. Most of them are PHP libraries.

For testing those libraries, I use Travis CI. Every commit I push to the GitHub repository gets tested by their CI (Continuous Integration) server.

Of course, I use Composer for managing dependencies on my PHP projects.

Usually everything works out fine, but sometimes the dependency installation fails because I reached the GitHub API limit. That's 60 calls per hour per IP address for unauthenticated requests. Since Travis runs a lot of tests for various projects, it is possible that an earlier project already exhausted the API limit.

Because composer keeps waiting for input of a username and password, Travis aborts the build after 10 minutes, and it shows up as errored.

The bad solution

I have seen other blogs suggesting to create an OAuth token, and just include it in your repository. That is a very bad idea! The token grants unlimited access to your account via the GitHub API. If someone else got a hold of it, they can do all kinds of bad stuff to your account.

The good solution

Travis supports encrypted environment variables. That is great news, as we can encrypt or OAuth token and put it in an environment variable, right? Now the only thing Composer needs to do is read the env variable and use that token to authenticate to the API.

Unfortunately, it is not that simple. Composer does look for an OAuth environment variable.

The ugly solution

Luckily, Composer does read ~/.composer/config.json, and merges it with the package's composer.json. So, it's just a matter of getting the environment variable in the configuration file.

Step 1: Encrypt the environment variable

Travis provides a gem that helps you to set up secure environment variables. Go ahead and install it.
Note: You'll need ruby and rubygems to install the travis gem.

[code language="bash"]gem install travis[/code]

Next, we need an OAuth token to reach the GitHub API. Go to the Applications section of your account settings, and add a personal API token.

It is time to encrypt the token. Navigate to the project directory, and encrypt the environment variable.

[code language="bash"]travis encrypt GH_OAUTH=4584c14558afe5580abec2d57c2256e6cb804cbf --add env.global[/code]

The encrypted variable gets added to the project's .travis.yml automatically.

Step 2: Write a script to generate ~/.composer/config.json

We still need a script to create the configuration file. It is a very basic script.

[code language="bash"]if [ "$TRAVIS_SECURE_ENV_VARS" = "true" ];
then
mkdir ~/.composer/
echo '{ "config": {"github-oauth":{"github.com": ' > ~/.composer/config.json
echo "\"$GH_OAUTH\"" >> ~/.composer/config.json
echo '}}}' >> ~/.composer/config.json
fi[/code]

First, it checks whether Travis has secure env variables enabled. For security purposes, they get disabled when testing a pull request.

Then, create the ~/.composer directory and write the configuration to the configuration file.

Step 3: Add setup script to .travis.yml

Finally, the script has to be run before any Composer command is executed. Add the setup script in .travis.yml. You may also need to chmod +x the script before it will execute.
To disable all interactive questions Composer may ask, add COMPOSER_NO_INTERACTION=1 to your environment variables.

That's it

You may want to do this for every project using Composer and Travis. It is important to run travis encrypt separately for each project, as the encryption key is different for each project.

If you rather learn by example, you may want to look at vierbergenlars/defer@8eae9b

Update: The nice guys from travis-ci have added an API token for GitHub.