Script “heroku login” in a CI environment

佐手、 submitted on 2019-12-05 19:18:43

From what I see in the docs, there are three ways one can go about this.

Method 1: Login via CLI

The first one is to authenticate via Login&Password (bleh). Knowing the input format - login on one line, password on the other - we can cat or echo the data in:

Via secure env vars:

(
  echo "$HEROKU_CREDENTIALS_EMAIL"  # or you can plaintext it, if you're feeling adventurous
  echo "$HEROKU_CREDENTIALS_PASSWORD"
) | heroku login

Highlighted the important parts (variable names and security).

Or via an encrypted file:

Prepare a file named .heroku_cred in the repo root:

pdoherty926@gmail.com
IAmPdohertyAndThisIsMyPasswordIWorkHereWithMyOldMan

Then encrypt it:

travis encrypt-file .heroku_cred

That'll give you two things: a file named .heroku_cred.enc in the repo root and a command that'll decrypt the file on Travis. git add the encrypted file (be careful to not grab the unencrypted file by accident!) and add the command to before_install. Then, to the place where you want to authenticate with Heroku add:

cat .heroku_cred | heroku login

Now, this method sucks for two reasons: first, you're using your literal password, which is terrible, because if it leaks you're 100% fucked and if you ever change it your builds will start spuriously failing.

Method 2: Environment Variable

The next method is using the HEROKU_API_KEY env var, which might "interfere with the normal functioning of auth commands", but that doesn't matter, because you're not authenticating in other ways anyway.

Doing this requires no changes to .travis.yml, only a secure environment variable named HEROKU_API_KEY containing the output from

heroku auth:token

Run on your machine (where you're probably authenticated).

Highlighted the important parts (variable names and security).

This method combines both security (OAuth token used, which can just be revoked) and simplicity of setup.

Method 3: Write directly to token storage file

There's the third way, too: using ~/.netrc, which'll cooperate with the whole ecosystem as if you authenticated via the CLI with username and password (but you're using an OAuth token instead, which is better).

The steps to follow on this one are similar to 1.2:

First create a file named .heroku-netrc, which contains the part of your ~/.netrc responsible for authenticating with Heroku (details) like this:

machine api.heroku.com
  login me@example.com
  password c4cd94da15ea0544802c2cfd5ec4ead324327430
machine git.heroku.com
  login me@example.com
  password c4cd94da15ea0544802c2cfd5ec4ead324327430

Then, to encrypt it, run:

travis encrypt-file .heroku-netrc

You'll get a decryption command (add it to before_install) and .heroku-netrc.enc, which you should git add (be careful not to add the unencrypted .heroku-netrc). Afterwards, add this to the install step:

cat .heroku-netrc >> "$HOME/.netrc"
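
A variant of Method 3 that keeps no credential file in the repository, added here as an example and not part of the original answer: it builds the two Heroku netrc entries from secure CI variables, replaces any earlier Heroku entries instead of appending duplicates, and leaves the file readable by its owner only. `HEROKU_EMAIL` and `NETRC_FILE` are assumed names; `HEROKU_API_KEY` holds the output of `heroku auth:token`.

```bash
#!/usr/bin/env bash
# Added example, not code from the original answer.
# HEROKU_API_KEY is the variable from Method 2; HEROKU_EMAIL and NETRC_FILE
# are assumed names. Store both secrets as secure CI variables.

write_heroku_netrc() (
  set +x      # keep the token out of xtrace output if the build uses `set -x`
  umask 077   # every file created below is owner-only
  netrc="${NETRC_FILE:-$HOME/.netrc}"
  email="${HEROKU_EMAIL:-}"
  token="${HEROKU_API_KEY:-}"

  if [ -z "$email" ] || [ -z "$token" ]; then
    echo "HEROKU_EMAIL and HEROKU_API_KEY must both be set" >&2
    return 1
  fi
  # netrc is whitespace-delimited: a space or newline would corrupt the entry.
  case "$email$token" in
    *[[:space:]]*) echo "credentials must not contain whitespace" >&2; return 1 ;;
  esac

  # Build the new file next to the target so the final mv is atomic.
  tmp="$(mktemp "$netrc.XXXXXX")" || return 1
  if [ -f "$netrc" ]; then
    # Copy everything except existing Heroku entries, so reruns replace
    # the token instead of appending duplicates.
    awk '
      $1 == "machine" || $1 == "default" {
        skip = ($2 == "api.heroku.com" || $2 == "git.heroku.com")
      }
      !skip
    ' "$netrc" > "$tmp" || { rm -f "$tmp"; return 1; }
  fi
  for host in api.heroku.com git.heroku.com; do
    printf 'machine %s\n  login %s\n  password %s\n' "$host" "$email" "$token" >> "$tmp"
  done
  mv "$tmp" "$netrc"   # tmp was created 0600, so the result is too
)
```

Calling `write_heroku_netrc` in the install step takes the place of the `cat ... >>` append, which adds a second copy of the entries each time it runs on a reused workspace.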