.travis.yml

env:
    global:
        - secure: "PDI+1T2dLlhGYhMnLq4h3ChrZ9nmJWsLWVtmnueWVO9njnPF/JPc0ZP30/ObLmH98yr6qWQFr5c/a7i4iUWHb3IB9wyfRSw87jSj05aiDMWEWttXMcD5ImIPjiuyJqO9kjVoC6jRmJu6jYlb2gXDJ7nsgAzfIKxiLua8kI8zM3/6X07i3yX/p2HkkJyIT6tLLDKUcYCOXTzEFNx3LInwpOKBfoiP7KQtizFJsGaZ92AjvZGS1tHn4G23VhGh2bFqscXS13D0yr8LVWQ8W6O3b3fNsHY0DN2aCEQRRw+gNV+0uDJeIlOEHwX9K1bYoBA46dFkTnuNEmYh53MSDeS4V2hcWbjvbrH4pZxw4oj8G20IuAquAKgbijKBbCtGiTvcbWGrPjEgPGvb1IHYopZ1ONStkKIXhero4iMIqzfIVSghv66rJpfD4pHOF5EYZak2QAP5tJQYk5/DejjAYVO0g+uAuiACKHfsPQwSvjigDgy1G0emANLS8bMj7Cq6Yv3zmVYdnM8Gtxl4XDNDuFUm7aNU3hODbd1OchYJ8h+N0hYQGICSqBGcaxP/JkntxJKbF9+Dkgi+F/ct6DPFP5x2f/VCosQKuSdfHRuJaZ/JZcVTH+5/IXatt4Q7FC3j7Q/mWFLbH2rHVjwJ7P6nySRv46x4froCB/wI5DvYuwTcGHM="
        - secure: "YDYdT2ue5hZjubmazDWzrkq8NPWWBDx5rFhvq+7XInS5Zkcxk76M6B0GCDw90w8XotzcAyC89geDaCUEuLYHYSe+muNi81k7gZtWazKnA2FvOURg+yjyPq01spLuxLjo1dCmXzdCLOL+4lzmz3tJBO/exMuvIPq4IqFCgUvtOXOOAVsaYTl48XWLOCY5WU+97n3zud69IA8UkQTYo66wfmodRIzpgnOc1VlCMb7ejpzwPrQux6dR0u9J7FVg6lWAR99TxSiG4uSogduUdfex2P8RY3SFcdi026xOMvzfb+78cy89pS7umhz2tsjaFyfkMx5lIW4XqVDRT16mO4U8awIRWVvrP+nJJr609U5siyGSKYo/RInlF1JYi22+oyksbRt0Vyhv7HLvE2XPJADYuby4L+XaZoVUO2/fOlBrwGRWjO/GVvdpB2hCje/qEBwjPUdsRSD/oa31/GDEe4gVBZTA0ueBYzQskwOM+Tdp0JiqpB1NCLRdPO5G/mQYHvcS1+PExBK4ihnCRVRJ4thy/M/8xWzidmqhWb7j4j2F90lAO/nS07DjDmZmaaSp+FWQQTQtlp3BXiqWu4ntydw1/O6GlNn3Nl6vXl1pAVloAvzWRIc5HCX4CzX5I0AQBFjnbOz/hBzEGOfe6OTZ4JnE8eyGud6+e9Y/aspqcB4TrkA="
        - secure: "MmQZv2HLfX7bVKeEBFBBeeHBMxL8IwvoaoCEg2fnb7NQO/6UGmzPeIycLj5w3h5Rg8BkxrW57mnj2j8t62I7HLb2C5v5u0HEjaa1rpqcoi3AKkVJKKFNmH3Hg8YoBsKCvzxukYuF17HkhFSHBkPMUjC4RRnNYI1kQQq3ao0OzO8yEjqORBLRZ43nAmyNkUqhUUlDIickcwJ0S6nwbsF+saFUOoXT/MScRUvma4eoUzH17yIUC7cSFGe1sLj0P12F/Dz2kgM9IRVIjH/xmgx6917zGZ2Pivqw4W+kJvv3F1GQjVkO/Uw6mFu6JuUPuwSFcMVjUgBSja8AqwTs8ymXR92kY2fE63dZ+8smVBAsxvMXn/go4mO0+xyBDaXs0fo9X8AJnGizW5BSCXTLJ5dFJy1ssdKN/2iQtmmwVq5OBHQd5Q1lTbP2Js8Qtw79G+a97J4cuIyTpYAFW6oh3i86x2RLf8IwCqNkGgLTLaALao620MU709hDvTHBGaAbk9ymREPEikAS1iRoCyydWi7GmTFNBPqp9ZH5U9FoTlIw9jyKuVTug51QiypdZ5gHiCBuH5J2PnEAgqwxOAzLhRJqcBWT6C0JMxQLxXRzQEMbuXz2Z5ZP/3216zhHcdtggT1cFmgwmeuR4hNn/omI/sgwfX9UvAJ+tp211dYDRI7qyKI="
        - secure: "Mhsy1O0PwtfNX1loHNyCn41RBhS3dyAhmfiwjg5fV/BeR3w/BZC3qOEFrYY4hrqWumCkMqip3QvGIaq575iRK6QfQ26P8jIhlTEZK7D3zJ5ynCKGOwdgw36KPsp6T/BjZ+1MDRwamqFRgPT3qnK8KqzdYsRujQ09L17kNQ83Rks0EyFkO6CurXazlIGzjokRvwu0y9raWVSTNT3ufFVCYz4alruHitcYe0hAyDs2zwxZr8tu++9jOGT+2IxPNAe9Uq+KKPKkQ1f7DbqdiUv01no56Nutx+R9Kaim3TSR8TTe56pMqFEWRt3aatUOBdaKOHgDCXRaid1jlT4DzlH1SrqK91/u/HiCajeOQ9eGrz6D9w9eCn0wMb/8k2nKtkPDQKV75pcsj3FomASxcdm1JwhAX8lEYzQMBurAoh3ch7MYDFAbOiCJYpjVsbtU9siIgdxevP1/5NoYXqhMIAJ5LUMr6x/zJBi1koUap+6sUuZakN2Yz+h60bygBNcdMrT9iZ33zAKo2N82O5k5OxLo55uZIDbG660GCWh/VIdurGnDYbbGt/6P1uGcOQ0+GTxecwWSzhTJXGbZCK9gVZU0cQ9QNy+ICK8Cc/qTkdfodnNZ+KJlGqzJ1phyIRDB79aLxqa57X6ffEA0V1GW5vDbdS1SfmwkE3Jjz98uRQC+kkE="


# Abuse YAML notation to make a heredoc. This will be ignored by the CI.
.__heredoc__: &__heredoc__
    - | 
        __doc__="""
        ============
        TRAVIS-CI INSTRUCTIONS
        ============

        This file was designed to be used as a template. You can adapt it to
        new projects with a few simple changes.  Namely perform the following
        search and replaces.

        ```bash
        cat .gitlab-ci.yml | \
            sed 's|git_sync|<YOUR-REPO>|g' | \
            sed 's|travis-ci-Erotemic|<YOUR-GPG-ID>|g' | \
            sed 's|CI_GITHUB_SECRET|<YOUR_CI_SECRET>|g' | \
            sed 's|github.com/Erotemic|github.com/<YourName>|g' | \
        tee /tmp/repl && colordiff .gitlab-ci.yml /tmp/repl
        ```

        To use this script you need the following configurations on your GitHub
        / TravisCI account.

        GITHUB SECRETS
        --------------

        Almost all of the stages in this pipeline can be performed on a local
        machine (making it much easier to debug) as well as the travis-ci
        machine. However, there are a handeful of required environment
        variables which will contain sensitive information. These variables are

        * TWINE_USERNAME - this is your pypi username
            twine info is only needed if you want to automatically publish to
            pypi

        * TWINE_PASSWORD - this is your pypi password 

        * CI_GITHUB_SECRET - We will use this as a secret key to
            encrypt/decrypt gpg secrets This is only needed if you want to
            automatically sign published wheels with a gpg key.

        * PERSONAL_GITHUB_PUSH_TOKEN - 
            This is only needed if you want to automatically git-tag release
            branches. This token is global to an entire account, so it only
            needs to be done once per user.

            To create this token go to:
            https://github.com/settings/tokens/new

            And create a token with "write:packages" checked. 
            Name (via the Note field) the token something like "github-push-token".
            Copy the value of that token and store it somewhere secure (like a
            secret environment file). 
            The environment variable should have the form:

            PERSONAL_GITHUB_PUSH_TOKEN="{token-name}:{token-password}"

            For instance it may look like this: 
            PERSONAL_GITHUB_PUSH_TOKEN=git-push-token:62zutpzqga6tvrhklkdjqm

        ENCRYPTING SECRETS
        ------------------
        The following script demonstrates how to securely encrypt a secret GPG
        key. It is assumed that you have a file secret_loader.sh that looks
        like this

        ```bash
            source secretfile
        ```

        and then a secretfile that looks like this
        ```bash
            #!/bin/bash
            echo /some/secret/file 

            export TWINE_USERNAME=<pypi-username>
            export TWINE_PASSWORD=<pypi-password>
            export CI_GITHUB_SECRET="<a-very-long-secret-string>"
            export PERSONAL_GITHUB_PUSH_TOKEN='git-push-token:<token-password>'
        ```

        You should also make a secret_unloader.sh that points to a script that
        unloads these secret variables from the environment.

        You will also need the travis CLI utility to encrypt your secrets. On
        Ubuntu these can be installed via

        ```bash
        sudo apt install ruby ruby-dev -y
        sudo gem install travis
        ```

        Given this file-structure setup, you can then run the following
        commands verbatim. Alternatively just populate the environment
        variables and run line-by-line without creating the secret
        loader/unloader scripts.

        ```bash
        # Load or generate secrets
        source $(secret_loader.sh)
        echo $TWINE_USERNAME
        echo $TWINE_PASSWORD
        echo $CI_GITHUB_SECRET
        echo $PERSONAL_GITHUB_PUSH_TOKEN

        # In your repo directory run the command to ensure travis recognizes the repo
        # It will say: Detected repository as <user>/<repo>, is this correct? |yes|
        # Answer yes before running the encrypt commands.
        travis status

        # encrypt relevant travis variables (requires travis cli)
        SECURE_TWINE_USERNAME=$(travis encrypt --no-interactive TWINE_USERNAME=$TWINE_USERNAME)
        SECURE_TWINE_PASSWORD=$(travis encrypt --no-interactive TWINE_PASSWORD=$TWINE_PASSWORD)
        SECURE_CI_GITHUB_SECRET=$(travis encrypt --no-interactive CI_GITHUB_SECRET=$CI_GITHUB_SECRET)
        SECURE_PERSONAL_GITHUB_PUSH_TOKEN=$(travis encrypt --no-interactive PERSONAL_GITHUB_PUSH_TOKEN=$PERSONAL_GITHUB_PUSH_TOKEN)
        echo "
        Add the following lines to your .travis.yml

        env:
            global:
                - secure: $SECURE_TWINE_USERNAME
                - secure: $SECURE_TWINE_PASSWORD
                - secure: $SECURE_CI_GITHUB_SECRET
                - secure: $SECURE_PERSONAL_GITHUB_PUSH_TOKEN
        "

        # HOW TO ENCRYPT YOUR SECRET GPG KEY
        IDENTIFIER="travis-ci-Erotemic"
        KEYID=$(gpg --list-keys --keyid-format LONG "$IDENTIFIER" | head -n 2 | tail -n 1 | awk '{print $1}' | tail -c 9)
        echo "KEYID = $KEYID"

        # Export plaintext gpg public keys, private keys, and trust info
        mkdir -p dev
        gpg --armor --export-secret-keys $KEYID > dev/travis_secret_gpg_key.pgp
        gpg --armor --export $KEYID > dev/travis_public_gpg_key.pgp
        gpg --export-ownertrust > dev/gpg_owner_trust

        # Encrypt gpg keys and trust with CI secret
        TSP=$CI_GITHUB_SECRET openssl enc -aes-256-cbc -md MD5 -pass env:TSP -e -a -in dev/travis_public_gpg_key.pgp > dev/travis_public_gpg_key.pgp.enc
        TSP=$CI_GITHUB_SECRET openssl enc -aes-256-cbc -md MD5 -pass env:TSP -e -a -in dev/travis_secret_gpg_key.pgp > dev/travis_secret_gpg_key.pgp.enc
        TSP=$CI_GITHUB_SECRET openssl enc -aes-256-cbc -md MD5 -pass env:TSP -e -a -in dev/gpg_owner_trust > dev/gpg_owner_trust.enc
        echo $KEYID > dev/public_gpg_key

        source $(secret_unloader.sh)

        # Look at what we did, clean up, and add it to git
        ls dev/*.enc
        rm dev/gpg_owner_trust dev/*.pgp
        git status
        git add dev/*.enc
        git add dev/public_gpg_key
        ```

        TEST GIT_PUSH_TOKEN 
        -------------------
        To auto-tag a github hosted project we need to generate a personal
        access token with write access.

        First go to: 
        https://github.com/settings/tokens/new

        And create a token with "write:packages" checked. Name the token something like
        github-push-token
        copy that token and store it somewhere secure. 

        PERSONAL_GITHUB_PUSH_TOKEN=<token-name>:<secret-value>

        Also go to your github project settings page and add a new secret
        variable named PERSONAL_GITHUB_PUSH_TOKEN with the secret value.

        <token-name>:<secret-value>

        for example: github-push-token:ffjdksajklfdsjak

        https://github.com/Erotemic/git_sync/settings/secrets
        
        # Also here
        https://travis-ci.org/github/Erotemic/xdoctest/settings

        # Test that this works in a docker image
        URL_HOST=$(git remote get-url origin | sed -e 's|https\?://.*@||g' | sed -e 's|https\?://||g')
        echo "URL_HOST = $URL_HOST"
        git config user.email "travis-ci@github.com"
        git config user.name "Travis-CI"
        git tag "test-tag-v5"
        git push --tags "https://${PERSONAL_GITHUB_PUSH_TOKEN}@${URL_HOST}"


        REFERENCES
        ----------

        https://stackoverflow.com/questions/51465858/how-do-you-push-to-a-gitlab-repo-using-a-gitlab-ci-job
        https://github.com/travis-ci/travis.rb
        https://docs.travis-ci.com/user/encrypting-files/
        
        """ # "  # hack for vim yml syntax highlighter
       
language: python
sudo: false

cache: 
    apt: true
    directories:
        - $HOME/.pip-cache
        - $HOME/gpg_install_prefix
        - $HOME/.cache/pip
        - $HOME/download

python:
  - "2.7"
  - "3.5"
  - "3.6"
  - "3.7"
  - "3.8"
  #
before_install:
  - pip install pip -U
  - pip install -r requirements.txt -U

install:
  - travis_retry pip install -e .
    
script: 
  - travis_wait ./run_tests.py 

after_success: 
    - codecov 
    - gpg --version
    - gpg2 --version
    - export GPG_EXECUTABLE=gpg2
    - openssl version
    - |
        # Install a more recent version of GPG
        # https://gnupg.org/download/
        export GPG_INSTALL_PREFIX=$HOME/gpg_install_prefix
        export LD_LIBRARY_PATH=$GPG_INSTALL_PREFIX/lib:$LD_LIBRARY_PATH
        export PATH=$GPG_INSTALL_PREFIX/bin:$PATH
        export CPATH=$GPG_INSTALL_PREFIX/include:$CPATH
        export GPG_EXECUTABLE=$GPG_INSTALL_PREFIX/bin/gpg
        ls $GPG_INSTALL_PREFIX
        ls $GPG_INSTALL_PREFIX/bin || echo "no bin"
        # try and have travis cache this
        if [[ ! -f "$GPG_INSTALL_PREFIX/bin/gpg" ]]; then
            # This part of the script installs a newer version of GPG on the CI
            # machine so we can sign our releases.
            mkdir -p $GPG_INSTALL_PREFIX
            echo $GPG_INSTALL_PREFIX
            OLD=$(pwd)
            cd $GPG_INSTALL_PREFIX
            pip install ubelt

            ERROR_FPATH=$(python -c "import ubelt as ub; print(ub.grabdata(
                'https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.36.tar.bz2',
                hash_prefix='6e5f853f77dc04f0091d94b224cab8e669042450f271b78d0ea0219',
                dpath=ub.ensuredir('$HOME/.pip-cache'), verbose=0))")
            GCRYPT_FPATH=$(python -c "import ubelt as ub; print(ub.grabdata(
                'https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.5.tar.bz2',
                hash_prefix='b55e16e838d1b1208e7673366971ae7c0f9c1c79e042f41c03d1',
                dpath=ub.ensuredir('$HOME/.pip-cache'), verbose=0))")
            KSBA_CRYPT_FPATH=$(python -c "import ubelt as ub; print(ub.grabdata(
                'https://gnupg.org/ftp/gcrypt/libksba/libksba-1.3.5.tar.bz2',
                hash_prefix='60179bfd109b7b4fd8d2b30a3216540f03f5a13620d9a5b63f1f95',
                dpath=ub.ensuredir('$HOME/.pip-cache'), verbose=0))")
            ASSUAN_FPATH=$(python -c "import ubelt as ub; print(ub.grabdata(
                'https://gnupg.org/ftp/gcrypt/libassuan/libassuan-2.5.3.tar.bz2',
                hash_prefix='e7ccb651ea75b07b2e687d48d86d0ab83cba8e2af7f30da2aec',
                dpath=ub.ensuredir('$HOME/.pip-cache'), verbose=0))")
            NTBLTLS_FPATH=$(python -c "import ubelt as ub; print(ub.grabdata(
                'https://gnupg.org/ftp/gcrypt/ntbtls/ntbtls-0.1.2.tar.bz2',
                hash_prefix='54468208359dc88155b14cba37773984d7d6f0f37c7a4ce13868d',
                dpath=ub.ensuredir('$HOME/.pip-cache'), verbose=0))")
            NPTH_FPATH=$(python -c "import ubelt as ub; print(ub.grabdata(
                'https://gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2',
                hash_prefix='2ed1012e14a9d10665420b9a23628be7e206fd9348111ec751349b',
                dpath=ub.ensuredir('$HOME/.pip-cache'), verbose=0))")
            GPG_FPATH=$(python -c "import ubelt as ub; print(ub.grabdata(
                'https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.17.tar.bz2',
                hash_prefix='a3cd094addac62b4b4ec1683005a2bec761ea2aacf6daf904316b',
                dpath=ub.ensuredir('$HOME/.pip-cache'), verbose=0))")

            tar xjf $ERROR_FPATH
            tar xjf $GCRYPT_FPATH
            tar xjf $KSBA_CRYPT_FPATH
            tar xjf $ASSUAN_FPATH
            tar xjf $NTBLTLS_FPATH
            tar xjf $NPTH_FPATH
            tar xjf $GPG_FPATH
            (cd libgpg-error-1.36 && ./configure --prefix=$GPG_INSTALL_PREFIX && make install)
            (cd libgcrypt-1.8.5 && ./configure --prefix=$GPG_INSTALL_PREFIX && make install)
            (cd libksba-1.3.5 && ./configure --prefix=$GPG_INSTALL_PREFIX && make install)
            (cd libassuan-2.5.3 && ./configure --prefix=$GPG_INSTALL_PREFIX && make install)
            (cd ntbtls-0.1.2 && ./configure --prefix=$GPG_INSTALL_PREFIX && make install)
            (cd npth-1.6 && ./configure --prefix=$GPG_INSTALL_PREFIX && make install)
            (cd gnupg-2.2.17 && ./configure --prefix=$GPG_INSTALL_PREFIX && make install)
            echo "GPG_EXECUTABLE = '$GPG_EXECUTABLE'"
            cd $OLD
        fi
    # Decrypt and import GPG Keys / trust
    - $GPG_EXECUTABLE --version
    - openssl version
    - $GPG_EXECUTABLE --list-keys
    - TSP=$CI_GITHUB_SECRET openssl enc -aes-256-cbc -md MD5 -pass env:TSP -d -a -in dev/travis_public_gpg_key.pgp.enc | $GPG_EXECUTABLE --import 
    - TSP=$CI_GITHUB_SECRET openssl enc -aes-256-cbc -md MD5 -pass env:TSP -d -a -in dev/gpg_owner_trust.enc | $GPG_EXECUTABLE --import-ownertrust
    - TSP=$CI_GITHUB_SECRET openssl enc -aes-256-cbc -md MD5 -pass env:TSP -d -a -in dev/travis_secret_gpg_key.pgp.enc | $GPG_EXECUTABLE --import 
    - $GPG_EXECUTABLE --list-keys
    - MB_PYTHON_TAG=$(python -c "import setup; print(setup.MB_PYTHON_TAG)")
    - VERSION=$(python -c "import setup; print(setup.VERSION)") 
    - |
        pip install twine
        if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then
          pip install six pyopenssl ndg-httpsclient pyasn1 -U --user
          pip install requests[security] twine --user
        elfi
        if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then
          pip install six twine
          pip install --upgrade pyOpenSSL
        fi
    # Package and publish to pypi (if on release)
    - |
        echo "TRAVIS_BRANCH = $TRAVIS_BRANCH"

        KEYID=$(cat dev/public_gpg_key)
        echo "KEYID = '$KEYID'"
        if [[ "$TRAVIS_BRANCH" == "release" ]]; then
            export CURRENT_BRANCH=$TRAVIS_BRANCH
            TAG_AND_UPLOAD=yes
        else
            TAG_AND_UPLOAD=no
        fi
        MB_PYTHON_TAG=$MB_PYTHON_TAG \
            USE_GPG=True \
            GPG_KEYID=$KEYID \
            CURRENT_BRANCH=$TRAVIS_BRANCH \
            TWINE_PASSWORD=$TWINE_PASSWORD \
            TWINE_USERNAME=$TWINE_USERNAME \
            GPG_EXECUTABLE=$GPG_EXECUTABLE \
            DEPLOY_BRANCH=release \
            TAG_AND_UPLOAD=$TAG_AND_UPLOAD \
            ./publish.sh

        # TODO: incorporate git tagging into release script 
        if [[ "$TRAVIS_BRANCH" == "release" ]]; then
            URL_HOST=$(git remote get-url origin | sed -e 's|https\?://.*@||g' | sed -e 's|https\?://||g')
            echo "URL_HOST = $URL_HOST"
            git config user.email "travis-ci@github.com"
            git config user.name "Travis-CI"
            VERSION=$(python -c "import setup; print(setup.VERSION)")
            git tag $VERSION -m "tarball tag $VERSION"
            git push --tags "https://${PERSONAL_GITHUB_PUSH_TOKEN}@${URL_HOST}"
        fi