We have a project, that would need a project level environment variable only available in some builds.
The problem is if anyone creates a PR for the project and inserts
echo $MY_SECRET_VARIABLE they can get the value.
It should be solved with a project-level environment variable with conditions.
Conditions can be:
- If it is not a PR then it would not be added.
- If pr has no ‘trusted’ label then do not add it.
- or the best would be: Run a command (that is problably not in the same repository, or it can be uploaded) that returns if the variable should be set. (e.g. curl request with a pipe returning 1 or empty string)