My project is configured to build pull requests from forked repositories, but for security reasons I have to keep “Pass secrets to builds from forked pull requests” turned off, which makes the build fail for people who are submitting PRs to my repo. Obviously my own PRs work fine in this workflow.
My ideal workflow would be:
- I turn on “Pass secrets”
- User submits PR from forked repo
- CircleCI build does not begin until I comment “ok to test” on the pull request
This gives me the opportunity to review the code to make sure secrets aren’t being dumped out of the CircleCI build on purpose by the person who submitted the PR.
Can anyone provide any insight into how I can accomplish this or where the logic for this would go? It’s somewhat unclear to me how or where CircleCI processes the incoming webhook and if I can insert additional logic around when it decides to trigger a build.
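One way to build the gate described above, as an added example that is not part of the original post and not CircleCI's own code: a small webhook receiver sits between GitHub and CircleCI, subscribed to GitHub's `issue_comment` event. It verifies GitHub's `X-Hub-Signature-256` HMAC, accepts only a comment whose whole body is "ok to test" from a commenter whose `author_association` shows they can already push to the repo, looks up the PR's current head commit through the GitHub REST API, and then starts a pipeline through the CircleCI API v2 (`POST /api/v2/project/{slug}/pipeline`). It assumes that a `branch` value of `pull/<n>/head` selects the PR's head ref, as the CircleCI API docs describe for GitHub projects; the environment variable names, the `approved_sha` pipeline parameter and the `make_comment_event` sample-payload builder are this example's own choices.

```python
"""Gate fork-PR builds behind a maintainer's "ok to test" comment.

Added example; assumes a GitHub webhook secret, a GitHub token, a CircleCI
API token and a project slug such as "gh/owner/repo" in the environment
(variable names chosen here, not CircleCI's).
"""
import hashlib
import hmac
import json
import os
import re
import urllib.request

# Only people who can already push to the repo may release the secrets.
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}
# The whole comment must be the phrase; "ok to test, also ..." is not enough.
OK_TO_TEST = re.compile(r"^\s*ok to test\s*$", re.IGNORECASE)


def sign_github_body(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256 for this body (also handy for tests)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_github_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Constant-time check of the webhook signature over the raw request body."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_github_body(secret, body), signature_header)


def approved_pr_number(event: dict):
    """Return the PR number if a trusted commenter just said 'ok to test' on a
    pull request, else None. Edited comments are ignored so a phrase cannot be
    slipped into an old comment after the fact."""
    if event.get("action") != "created":
        return None
    issue = event.get("issue") or {}
    if "pull_request" not in issue:  # plain issues never carry this key
        return None
    comment = event.get("comment") or {}
    if not OK_TO_TEST.match(comment.get("body") or ""):
        return None
    if comment.get("author_association") not in TRUSTED_ASSOCIATIONS:
        return None
    return issue.get("number")


def pr_head_sha(repo: str, number: int, github_token: str) -> str:
    """Current head commit of the PR, via GET /repos/{repo}/pulls/{number}."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{repo}/pulls/{number}",
        headers={"Authorization": f"Bearer {github_token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["head"]["sha"]


def trigger_circleci(project_slug: str, branch: str, circle_token: str, parameters: dict) -> dict:
    """Start a pipeline with CircleCI API v2; returns the API's JSON reply."""
    body = json.dumps({"branch": branch, "parameters": parameters}).encode()
    req = urllib.request.Request(
        f"https://circleci.com/api/v2/project/{project_slug}/pipeline",
        data=body, method="POST",
        headers={"Circle-Token": circle_token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def handle_webhook(headers: dict, raw_body: bytes, env=os.environ):
    """Receiver entry point. Returns CircleCI's reply, or None if the event is
    ignored; raises PermissionError if the signature does not check out."""
    if not verify_github_signature(env["GITHUB_WEBHOOK_SECRET"].encode(), raw_body,
                                   headers.get("X-Hub-Signature-256", "")):
        raise PermissionError("bad webhook signature")
    if headers.get("X-GitHub-Event") != "issue_comment":
        return None
    event = json.loads(raw_body)
    number = approved_pr_number(event)
    if number is None:
        return None
    # Record the exact commit that was reviewed: the contributor can push more
    # commits after "ok to test", so the config should compare CIRCLE_SHA1
    # against approved_sha and stop if they differ.
    sha = pr_head_sha(event["repository"]["full_name"], number, env["GITHUB_TOKEN"])
    return trigger_circleci(env["CIRCLECI_PROJECT_SLUG"], f"pull/{number}/head",
                            env["CIRCLECI_TOKEN"], {"approved_sha": sha})


def make_comment_event(body: str, association: str, is_pr: bool = True,
                       action: str = "created", number: int = 42) -> dict:
    """Constructed sample of an issue_comment payload (fields this code reads)."""
    issue = {"number": number}
    if is_pr:
        issue["pull_request"] = {"url": f"https://api.github.com/repos/o/r/pulls/{number}"}
    return {"action": action, "issue": issue,
            "comment": {"body": body, "author_association": association},
            "repository": {"full_name": "o/r"}}
```

In the CircleCI config, declare `approved_sha` as a pipeline parameter and make the first step fail when it differs from `CIRCLE_SHA1`; with that in place, keeping "Pass secrets" on only exposes secrets to commits a maintainer has actually looked at, and the receiver never starts a build for anything else.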