JWT addon will be deprecated on April 17

As of April 17, 2018, the experimental jwt addon will be discontinued.

The jwt addon was introduced back in August 2016 to provide a means of sharing secrets with third parties (most importantly with Pull Request authors). When we introduced it, we had hoped that the addon would prove useful and secure, so that many other service providers might adopt it for their services for our mutual users’ benefit.

Upon further consideration and investigation, however, we have determined that the addon has shortcomings that we are unable to overcome.

Unfortunately, there is no replacement or workaround for the jwt addon at this time. We understand that your workflows (especially the ones involving Pull Requests) may be affected, but we ask that you phase out the use of this addon by the deadline for security reasons.

Timeline

  • Starting immediately, jobs using the jwt addon will include a deprecation warning with a link pointing back to this blog post and the deprecation date. The addon will continue to function.
  • On the scheduled date of April 17, 2018, the addon will cease to function.

Travis Enterprise

Travis CI Enterprise instances with versions after 2.1.13 will also see the deprecation warning. Full deprecation on Travis CI Enterprise will be announced and documented in the changelog.

Further considerations

If you have used the jwt addon in the past or are currently using it, we suggest that you invalidate any credentials you may have used with it, in order to ensure that the credentials are not compromised.

Please direct your further questions to security@travis-ci.com.

Thank you.