Environment Variable not set if build triggered by someone who is not me

Hi there,

I have enabled a sensitive environment variable (let's call it MY_ENV_VAR) in my project's settings --> Build --> Environment variables.

I have a build, which I triggered via push. I ssh into the build and find that MY_ENV_VAR is being set. Great!

However, when someone else triggers the next build via PR, I notice it fails because the env var is not set. Rerunning and SSHing into the build I can confirm MY_ENV_VAR is NOT set.

In my config.yml, I do not set or edit MY_ENV_VAR. The only place where it is set is in the Build --> Environment variables menu in the Circle web app.

How can I enable this variable to be set both for builds triggered by me and for builds triggered by others?


Welcome Alex!

From what you’ve described I suspect that the other person is opening the PR from a fork of your repo.

There is a setting in the “Advanced Settings” page for your project called “Pass secrets to builds from forked pull requests” which will make those env-vars available to forks.

Have a good read of https://circleci.com/docs/2.0/oss/#pass-secrets-to-builds-from-forked-pull-requests and be sure you’ve considered the security implications before you turn that setting on.
If it’s possible for untrusted people to open a fork PR against your repo then enabling this setting could leak sensitive data to a malicious fork.

If you have a private repo, and if you trust everybody with the ability to create a fork PR then this isn’t so much of a concern.
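
One way to leave that setting off and still handle fork PR builds cleanly, as an added example that is not from this thread or from CircleCI's own code: a build step classifies the build before touching anything that needs secrets. `MY_ENV_VAR` is the placeholder name from the question, and the function names `build_origin` and `secret_gate` are hypothetical; `CIRCLE_PR_NUMBER` and `CIRCLE_PR_USERNAME` are built-in CircleCI variables.

```shell
#!/bin/sh
# Added example. CIRCLE_PR_NUMBER and CIRCLE_PR_USERNAME are built-in CircleCI
# variables that are set only on builds of forked pull requests.

# Print "fork" for a forked-PR build, "trusted" otherwise.
build_origin() {
    if [ -n "${CIRCLE_PR_NUMBER:-}" ] || [ -n "${CIRCLE_PR_USERNAME:-}" ]; then
        echo fork
    else
        echo trusted
    fi
}

# secret_gate NAME...  prints one verdict for the listed project variables:
#   run               trusted build, every variable is set
#   misconfigured     trusted build, a variable is missing from project settings
#   skip              fork build, secrets withheld (setting is off)
#   fork-has-secrets  fork build, but secrets were passed (setting is on)
# Only names are inspected; values are never printed.
secret_gate() {
    missing=0
    present=0
    for name in "$@"; do
        # Reject anything that is not a plain variable name before using eval.
        case "$name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid-name"; return 2 ;;
        esac
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then present=$((present + 1)); else missing=$((missing + 1)); fi
    done
    unset value
    if [ "$(build_origin)" = fork ]; then
        if [ "$present" -gt 0 ]; then echo fork-has-secrets; else echo skip; fi
    else
        if [ "$missing" -gt 0 ]; then echo misconfigured; else echo run; fi
    fi
}

# Constructed demo: a forked-PR build where MY_ENV_VAR was withheld.
( CIRCLE_PR_NUMBER=42; unset MY_ENV_VAR CIRCLE_PR_USERNAME
  echo "fork PR without secrets -> $(secret_gate MY_ENV_VAR)" )
```

In a `run` step the verdict can drive the job: on `skip`, end the job early with `circleci-agent step halt`; on `misconfigured`, exit non-zero so the missing project variable is noticed.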

