Using Travis? Make sure you use a GitHub PAT

[This article was first published on R – It's a Locke, and kindly contributed to R-bloggers.]

We’re in the fantastic situation where lots of people are using Travis-CI to test their R packages, or to test and deploy their analytics, documentation, or anything else really. Its popularity has been having a negative side-effect recently though! GitHub rate limits API access to 5000 requests per hour, so sometimes there are more R-related jobs running on Travis per hour than this limit allows, causing builds to error, typically with a message that includes:

403 forbidden

This error will cause your build to fail, even if you didn’t do anything wrong. To solve it short-term you can wait a little while and restart your build.

How to restart a build in Travis-CI

That is a very short-termist solution and does not solve the problem for future you or for other users of the service. The real solution is to get off the default API access credentials and use your own.

The R integration in Travis makes good use of devtools. The devtools package looks for an environment variable called GITHUB_PAT that holds a personal access token (PAT) for the GitHub API, and if it doesn’t find one it uses a default token. When we get our own PAT and store it in Travis, devtools will pick up our token and use it, meaning you’ll only ever get rate limited if you do more than 5000 builds in an hour, which is an achievement I’d love to hear about.

How to

  1. Create a PAT with no permissions i.e. untick all the permissions boxes
  2. Copy the key
  3. Go to your repo’s settings on Travis e.g.
  4. Add an environment variable called GITHUB_PAT and paste in your key. There is a toggle next to it that defaults to not showing the value in the log. This key has no permissions but still, keep it private and don’t toggle!

Stay secure

If you followed the instructions above, your key conforms to the principle of least privilege, because it can only perform public actions that anyone can take, i.e. read and clone a public repository. That being said, it’s never wise to let credentials escape out into the wilderness if you can avoid it. This is where the bit about ensuring the value doesn’t get printed to the log comes in. If it never gets printed, the only time this key is available for stealing is when you’re creating it and adding it to Travis.

Verifying it worked

When you next run a build, you should see some (or all) of the following signs of success, over and above a lack of a 403 error:

Setting environment variables from repository settings
$ export GITHUB_PAT=[secure]

$ Rscript -e 'devtools::install_github("stephlocke/tfsR",dependencies=TRUE)'
Using GitHub PAT from envvar GITHUB_PAT
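
The signs above, plus the "value never printed" rule from the Stay secure section, can be checked automatically over a saved build log. This is an added example, not code from the original post; the function names audit_travis_log and sample_log, the exit-code convention and the sample log are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Exit codes are this example's own
# convention: 0 = masked PAT in use, 1 = PAT not picked up or a 403 occurred,
# 2 = GITHUB_PAT value printed unmasked (treat the token as compromised).
audit_travis_log() {
  log="$1"
  rc=0

  # A GITHUB_PAT assignment that is not the [secure] mask means the value
  # was shown in the log (toggle switched on, or a script echoed it).
  if grep -F 'GITHUB_PAT=' "$log" | grep -vqF 'GITHUB_PAT=[secure]'; then
    echo "LEAK: GITHUB_PAT appears unmasked; revoke it and add a new hidden one"
    return 2
  fi
  # Travis prints this when the variable comes from the repository settings.
  if ! grep -qF 'export GITHUB_PAT=[secure]' "$log"; then
    echo "MISSING: GITHUB_PAT is not set in the repository settings"
    rc=1
  fi
  # devtools prints this when it authenticates with our token.
  if ! grep -qF 'Using GitHub PAT from envvar GITHUB_PAT' "$log"; then
    echo "MISSING: devtools did not report using GITHUB_PAT"
    rc=1
  fi
  # The rate-limit failure the post describes.
  if grep -qi '403 forbidden' "$log"; then
    echo "RATE LIMIT: log contains a 403 forbidden error"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "OK: build used a masked GITHUB_PAT"; fi
  return "$rc"
}

# Constructed sample log, modelled on the lines quoted in the post.
sample_log() {
  printf '%s\n' \
    'Setting environment variables from repository settings' \
    '$ export GITHUB_PAT=[secure]' \
    "\$ Rscript -e 'devtools::install_github(\"stephlocke/tfsR\",dependencies=TRUE)'" \
    'Using GitHub PAT from envvar GITHUB_PAT'
}

tmp="$(mktemp)"
sample_log > "$tmp"
audit_travis_log "$tmp"
rm -f "$tmp"
```

The leak check only catches assignment lines; a token echoed on its own by a script would need a pattern for the token value itself.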
