Clarity on "Permissive building of fork pull requests"

Hi,

We’re trying to set up our CircleCI environment so we can have all our PRs from contributors build, but not expose our environment variables set up through the Circle web UI.

The settings page and docs are out of sync with each other (docs referencing settings that don’t exist), so we’re getting very confused by the behaviour we’re seeing.

My understanding is that by setting “Permissive building of fork pull requests” to “Off”, our PRs would still build, but the exporting of the environment variables would not happen. When we set this to Off, our PRs don’t build at all. Setting it to “On” will trigger builds of PRs, and will not export the environment variables, but previously, without any settings changes, it would export the environment variables.

Can someone please provide some clarity on this? I don’t want to allow permissive building and have it expose our environment variables down the line.

Thanks,
Daniel


Hey Daniel-- I don’t have an answer to your question, unfortunately, but here’s a similar one I asked in case it gets a response.

https://discuss.circleci.com/t/fully-disable-pass-secrets-to-builds-from-forked-pull-request-for-an-org/8805

Sorry about the docs being out of date. The settings UI just recently changed, so we have not had a chance to update them yet.

To have the prior behavior that the docs say the one setting would be, you want Build Forked PR builds on, and share envs off.

I would like to be able to upload artifacts from a forked PR build to a server. I would like to be able to set an environment variable containing credentials that are used to upload the artifacts to the server in a final deploy step, but are not exposed to the forked build.

Then you want the settings in my post above.

Hi, Joseph. Thanks for your reply. If I set Build Forked PR builds on, and share envs off, how will the fork build have access to the credentials needed to upload build artifacts to our server?

I’m sorry, I misread. You can either share or not share, not share for part. You would need to create a new feature request for something like that.