tag:help.appveyor.com,2012-11-13:/discussions/questions/20900-secure-variablesAppVeyor: Discussion 2018-08-25T02:28:44Ztag:help.appveyor.com,2012-11-13:Comment/453307462018-05-22T19:39:49Z2018-05-22T19:39:51Zsecure variables<div><p>I am having trouble with access to a secure variable. Sometimes the variable seems to be available and other times not. I am always trying to use it in deploy_script.<br>
In the first method I generate a token at <a href="https://github.com/settings/tokens">https://github.com/settings/tokens</a>, then encrypt it at <a href="https://ci.appveyor.com/tools/encrypt">https://ci.appveyor.com/tools/encrypt</a>, then insert it in appveyor.yml as shown on that page.<br>
1. Not really an appveyor question, but do you know if the token from github is repository specific, i.e. is it good at all repositories I own and repositories I am a collaborator on?<br>
2. When I encrypt the token, is that encryption repository specific or should it be good for all repositories I own or am a collaborator on?<br>
3. Is the token encryption user specific? If a build is triggered by another collaborator, different from the one that generated and encrypted the token, can that build decrypt the token I generated and encrypted and placed in the shared appveyor.yml file?</p>
<p>In the second method I set an locked environmental variable in<br>
<a href="https://ci.appveyor.com/project/myself/collabproject-*****/settings">https://ci.appveyor.com/project/myself/collabproject-*****/settings</a> on the environment pane. The Github repository on the general pane is<br>
someoneelse/collabproject, i am a collaborator but not the owner.<br>
Will this work when the owner or other collaborator triggers builds, or do they need to also setup the variable in their settings for this repository?</p></div>tom stevenstag:help.appveyor.com,2012-11-13:Comment/453307462018-05-22T22:35:40Z2018-05-22T22:35:40Zsecure variables<div><p>Hi Tom,</p>
<ul>
<li>
<p>Reason you are not seeing secure variables available sometimes is probably becase they are not allowed in Pull requests for security reasons. Some details in the bottom of <a href="https://www.appveyor.com/docs/build-configuration/#interpreters-and-scripts">this</a> part of documentation. There is a UI-only option <code>Enable secure variables in Pull Requests from the same repository only</code> for public projects and both <code>Enable secure variables in all Pull Requests</code> and <code>Enable secure variables in Pull Requests from the same repository only</code>for private projects.</p>
</li>
<li>
<p>GitHub token is not repository specific, at least per my knowledge.</p>
</li>
<li>
<p>Encryption of secure variable is specific to <strong>AppVeyor</strong> <a href="https://www.appveyor.com/docs/team-setup/#account">account</a> and unrelated to GitHub. As long as project belong to the account, and build is not a PR, build can decrypt the token.</p>
</li>
<li>
<p>Encrypting variable in UI will works too, as long as your <a href="https://www.appveyor.com/docs/team-setup/#role">role</a> allows to update project setting. Common mistake here is double-encryption. If you use UI and "lock", paste clear text variable and then press "lock". Do not encrypt it with <a href="https://ci.appveyor.com/tools/encrypt">https://ci.appveyor.com/tools/encrypt</a> in this case.</p>
</li>
<li>
<p>What are you trying to script? Maybe you can use <a href="https://www.appveyor.com/docs/deployment/github/">1st class GitHub deployment</a> support?</p>
</li>
</ul></div>Ilya Finkelshteyn