Travis CI's use of GitHub API Scopes

When you sign in to Travis CI for the first time, we ask for permission to access some of your data on GitHub. Read the GitHub API Scope Documentation for general information about this, or read on for an explanation of what data we need and why we need it.

Access rights for Travis CI GitHub OAuth App

When you sign in to travis-ci.com using GitHub for the first time, you will receive a message from GitHub saying:

Travis CI by travis-pro wants to access your [account name] account.

and in the repositories section it will state:

This application will be able to read and write all public and private repository data.

This message does not reflect how Travis CI actually accesses your data; the explanation follows below.

The warning is triggered by the GitHub OAuth App permissions that Travis CI uses, and by the limited granularity of the permission scopes GitHub offers (see the GitHub Scopes for OAuth Apps documentation).

Travis CI does not access all your repositories by default.

Once you acknowledge the access rights, you will see the Travis CI OAuth application listed in your GitHub Authorized OAuth Apps; however, you still need to explicitly configure which repositories Travis CI has access to within your travis-ci.com account. This configuration is done while activating Travis CI for your repositories, where you can choose either the ‘All repositories’ option or the ‘Only select repositories’ option.

When the Travis CI activation has completed, you will see the actual Travis CI GitHub Application listed in the Installed GitHub Apps section.

Travis CI uses OAuth permissions in the following way:

1) Travis CI’s system synchronizes certain metadata with GitHub. This metadata is required for the service to function properly. In particular, we sync users, orgs, memberships, repos, permissions and (optionally) branches. This sync happens either once a day on a schedule or on the user’s request. You can find more information and source code in this repository.

2) In order to run builds, Travis CI’s system clones the repository from which the build is triggered into the build environment. The build environment is an isolated virtual machine or an LXD container, which is terminated as soon as the build finishes. Cloning happens only after a build request, and therefore only for the repositories explicitly enabled in GitHub settings.

3) To set up a build environment and prepare the build, Travis CI’s system fetches and processes the .travis.yml config file from the repository and branch explicitly specified in the build request that GitHub triggered.

4) Travis CI’s system reports build results back to GitHub via its Checks API.

Travis CI for Open-Source and Private Projects

On https://travis-ci.com, via our GitHub Apps integration, we ask for the following permissions:

  • Read access to code.
  • Read access to metadata and pull requests.
  • Read and write access to administration, checks, commit statuses, and deployments.
  • Synchronize user email to send notifications and important information.

Legacy WebHooks

Before GitHub Apps, we used scoped OAuth tokens to integrate with GitHub. As of May 2018, OAuth-based integration is considered our “Legacy” integration.

Private and Public Repositories

The following section lists the OAuth scopes used for private and public repositories on https://travis-ci.com.

  • user:email (read-only)

    We synchronize your email addresses so we can send you build notifications by email.

    Your email address can be hidden from the GitHub profile, which also hides it from us.

  • read:org (read-only)

    When you’re logged in on Travis CI, we show you all of your repositories, including the ones from any organization you’re part of.

    Without this scope, the GitHub API hides any organizations of which you are a private member. So, to make sure we show you all of your repositories, we require this scope.

    Note that this scope allows access to basic information about both private and public repositories, but not to any of the stored data or code.

  • repo

    Grants read and write access to code, commit statuses, collaborators, and deployment statuses for public and private repositories and organizations.

    We need this level of access because GitHub does not provide the read:org (read-only) scope for private repositories.
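As an added example (not Travis CI's code), the following Python audits the scopes GitHub reports for a token in its `X-OAuth-Scopes` response header against the three scopes listed above. It expands GitHub's documented scope hierarchy (for instance `repo` implies `public_repo` and `repo:status`) so that a broader parent scope counts as covering a narrower one, and it flags anything granted beyond that set. The header value is a constructed sample.

```python
# Added example, not Travis CI's code: audit the scopes GitHub reports for a
# token (X-OAuth-Scopes header) against the three scopes this page documents.

# Parent scopes and the narrower scopes they imply, per GitHub's OAuth App
# scope documentation.
IMPLIED = {
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
    "user": {"read:user", "user:email", "user:follow"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
}

# The scopes this page lists for the legacy OAuth integration.
TRAVIS_LEGACY_SCOPES = frozenset({"user:email", "read:org", "repo"})

def parse_scopes(header_value):
    """Split an X-OAuth-Scopes header value into a set of scope names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}

def expand(scopes):
    """Close a scope set under the implication rules (repo implies public_repo, ...)."""
    result = set(scopes)
    pending = list(result)
    while pending:
        for child in IMPLIED.get(pending.pop(), ()):
            if child not in result:
                result.add(child)
                pending.append(child)
    return result

def audit(header_value, required=TRAVIS_LEGACY_SCOPES):
    """Return (missing, excess): required scopes the token neither holds nor
    inherits from a parent scope, and granted scopes outside the closure of the
    required set (i.e. broader than, or unrelated to, what the page lists)."""
    granted = parse_scopes(header_value)
    missing = set(required) - expand(granted)
    excess = granted - expand(required)
    return missing, excess

# Constructed sample header: a token granted more than the documented set.
SAMPLE_HEADER = "user:email, read:org, repo, admin:org, delete_repo"

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_HEADER)
    print("missing:", sorted(missing))  # []
    print("excess:", sorted(excess))    # ['admin:org', 'delete_repo']
```

A token showing `admin:org` where only `read:org` is needed, or any scope outside the closure of the documented set, is worth revoking and re-authorizing with the narrower grant.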