I have enabled a sensitive environment variable (let's call it MY_ENV_VAR) in my project's settings --> Build --> Environment variables.
I have a build, which I triggered via push. I SSH into the build and find that MY_ENV_VAR is being set. Great!
However, when someone else triggers the next build via PR, I notice it fails because the env var is not set. Rerunning and SSHing into the build, I can confirm MY_ENV_VAR is NOT set.
In my config.yml, I do not set or edit MY_ENV_VAR. The only place where it is set is in the Build --> Environment variables menu in the Circle web app.
How can I enable this variable to be set both for builds triggered by me and for builds triggered by others?
From what you’ve described I suspect that the other person is opening the PR from a fork of your repo.
There is a setting in the “Advanced Settings” page for your project called “Pass secrets to builds from forked pull requests” which will make those env-vars available to forks.
Have a good read of https://circleci.com/docs/2.0/oss/#pass-secrets-to-builds-from-forked-pull-requests and be sure you’ve considered the security implications before you turn that setting on.
If it’s possible for untrusted people to open a fork PR against your repo then enabling this setting could leak sensitive data to a malicious fork.
If you have a private repo, and if you trust everybody with the ability to create a fork PR then this isn’t so much of a concern.
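
An alternative to turning the setting on, as an added example that is not part of the original posts: leave secrets withheld from fork PRs and have the job tell "fork PR, secret withheld" apart from "secret missing by mistake". It relies on `CIRCLE_PR_NUMBER`, which CircleCI sets only on builds of forked pull requests; the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: decide how a job should treat a step that needs a secret.
# classify_build NAME prints one of:
#   run          - the variable NAME is set, the step can run
#   skip-fork    - NAME is unset and this is a forked-PR build (expected)
#   fail-missing - NAME is unset on a non-fork build (misconfiguration)
classify_build() {
    secret_name="$1"
    # Accept only a plain variable name, since it is passed to eval below.
    case "$secret_name" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;;
    esac
    # Indirect lookup; the secret's value is never printed.
    eval "secret_value=\${$secret_name:-}"
    if [ -n "$secret_value" ]; then
        echo run
    elif [ -n "${CIRCLE_PR_NUMBER:-}" ]; then
        echo skip-fork
    else
        echo fail-missing
    fi
}

# guard_secret_step NAME: 0 = run the step, 10 = skip it, 1 = fail the build.
guard_secret_step() {
    case "$(classify_build "$1")" in
        run)
            return 0 ;;
        skip-fork)
            echo "Fork PR #${CIRCLE_PR_NUMBER}: $1 is withheld, skipping." >&2
            return 10 ;;
        *)
            echo "$1 is not set and this is not a fork PR build." >&2
            return 1 ;;
    esac
}

# Usage inside a config.yml run step (MY_ENV_VAR as in the question):
#   guard_secret_step MY_ENV_VAR
#   case $? in
#     0)  ./deploy.sh ;;                 # hypothetical secret-dependent step
#     10) circleci-agent step halt ;;    # end the job without failing it
#     *)  exit 1 ;;
#   esac
```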