As of April 17, 2018, the experimental
addon will be discontinued.
jwt addon was introduced back in August, 2016 to provide a means of
sharing secrets with third parties (most importantly with Pull Request authors).
At the time of the introduction, we had hoped that the addon would prove
useful and secure, so that many other service providers may adopt it for their
services for our mutual users’ benefit.
Upon further consideration and investigation, however, we have determined that the addon has shortcomings that we are unable to overcome.
Unfortunately, there is no replacement or workaround for the
at this time.
We understand that your workflows (especially the ones involving Pull Requests) may be
affected, but we ask that you phase out the use of this addon by the deadline
for security reasons.
- Starting immediately, jobs using the
jwtaddon will include a deprecation warning with the link pointing back to this blog post, and the deprecation date. The addon will continue to function.
- At the scheduled date of April 17, 2018, the addon will cease to function.
Travis CI Enterprise instances with versions after 2.1.13 will also see the deprecation warning. Full deprecation on Travis CI Enterprise will be announced and documented in the changelog.
If you have used
jwt addon in the past or are currently using it, we suggest that
any credential you may have used be invalidated in order to ensure that the credentails
are not compromised.
Please direct your further questions to firstname.lastname@example.org.