.travis.sh

## .travis.sh
#!/bin/sh -e

if [ -z "$SNAPCRAFT_SECRET" ]; then
    # Run `sh seed.sh` on your local machine so SNAPCRAFT_SECRET is set.
    exit 0
fi

mkdir -p ".encrypted"
if [ ! -e ".encrypted/snapcraft.cfg.enc" ]; then
    echo "Seeding a new macaroon."
    echo "$SNAPCRAFT_CONFIG" > ".encrypted/snapcraft.cfg.enc"
fi

mkdir -p "$HOME/.config/snapcraft"
# Decrypt the macaroon (secret).
openssl enc -aes-256-cbc -base64 -pass env:SNAPCRAFT_SECRET -d -in ".encrypted/snapcraft.cfg.enc" -out "$HOME/.config/snapcraft/snapcraft.cfg"

if docker run -v $HOME:/root -v $(pwd):/cwd snapcore/snapcraft sh -c 'cd /cwd; snapcraft'; then
    docker run -v $HOME:/root -v $(pwd):/cwd snapcore/snapcraft sh -c "cd /cwd; snapcraft push *.snap --release edge"
fi

# The macaroon (secret) has been refreshed; re-encrypt it.
openssl enc -aes-256-cbc -base64 -pass env:SNAPCRAFT_SECRET -out ".encrypted/snapcraft.cfg.enc" < "$HOME/.config/snapcraft/snapcraft.cfg"
rm -f "$HOME/.config/snapcraft/snapcraft.cfg"

## .travis.yml
sudo: required
dist: trusty
services:
    - docker
cache:
    directories:
        - .encrypted
script:
    - ./.travis.sh

## seed.sh
#!/bin/sh
# 1. Get a macaroon (secret) from the Store for publishing snaps
# 2. Create a private key that only Travis can decrypt
# 3. Then use it to encrypt the macaroon
#
# As encrypted variables are only available to Travis commit runs,
# pull requests won't be able to steal the macaroon and publish
# under your name.

snapcraft login
export SNAPCRAFT_SECRET=$(pwgen 20 -1)
export SNAPCRAFT_CONFIG="$(openssl enc -aes-256-cbc -base64 -pass env:SNAPCRAFT_SECRET < ~/.config/snapcraft/snapcraft.cfg)"
travis encrypt SNAPCRAFT_SECRET=$SNAPCRAFT_SECRET -a
travis env set SNAPCRAFT_CONFIG "$SNAPCRAFT_CONFIG"

# Don't forget to commit the changes back to your .travis.yml.