Preventing forked pull requests from modifying CircleCI configuration


I’m a maintainer of the gatsby-plugin-s3 open source project. Since our project’s purpose is to deploy to S3, the only way we can accurately test our plugin is to use it to deploy something to S3.

We’ve set up a CircleCI workflow that does the following:

  1. Lint
  2. Build
  3. Notify maintainers
  4. Wait for maintainer approval
  5. Run E2E tests (with secrets)

We’ve put the “wait for approval” step in there so that someone can manually review the PR to ensure that it’s not going to expose our secrets.

The issue is that we’ve done a few tests and found that when contributors submit their PR, they can modify config.yml and remove the approval step.

Is there a way we can configure CircleCI to use the config.yml from the master branch when running checks on a PR?
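For reference, the workflow the question describes looks roughly like the CircleCI 2.1 config below. This is an added illustration, not the gatsby-plugin-s3 project's actual `.circleci/config.yml`; the image, script names and the `aws-s3-e2e` context name are assumptions. It makes the problem concrete: the manual gate is the `hold-for-maintainer` job, and because it lives in the same file that a pull request can edit, a fork branch can simply delete that job and the `requires` edge that depends on it.

```yaml
version: 2.1

jobs:
  lint:
    docker:
      - image: cimg/node:16.20        # assumed image
    steps:
      - checkout
      - run: npm ci
      - run: npm run lint

  build:
    docker:
      - image: cimg/node:16.20
    steps:
      - checkout
      - run: npm ci
      - run: npm run build

  notify-maintainers:
    docker:
      - image: cimg/base:stable
    steps:
      - run:
          name: Tell maintainers a PR is waiting for approval
          # Assumed: a webhook URL stored as a project environment variable.
          command: >
            curl -sS -X POST "$NOTIFY_WEBHOOK_URL"
            -d "text=PR build ${CIRCLE_BUILD_URL} is waiting for approval"

  e2e:
    docker:
      - image: cimg/node:16.20
    steps:
      - checkout
      - run: npm ci
      - run:
          name: Deploy a test site to S3 and verify it
          # Assumed script name. Needs the AWS credentials from the context below,
          # which is exactly what the approval gate is meant to protect.
          command: npm run test:e2e

workflows:
  lint-build-approve-e2e:
    jobs:
      - lint
      - build:
          requires: [lint]
      - notify-maintainers:
          requires: [build]
      - hold-for-maintainer:
          # Manual gate: the workflow pauses here until a maintainer clicks
          # "Approve" in the CircleCI UI. A forked PR can remove this job and
          # point e2e's `requires` at build instead, which is the weakness the
          # question is about.
          type: approval
          requires: [notify-maintainers]
      - e2e:
          requires: [hold-for-maintainer]
          context: aws-s3-e2e            # assumed context holding the S3 credentials
```

The gate is only as strong as the file it is declared in: anything a contributor can change in the PR branch, including this workflow definition, is under the contributor's control, so the protection has to come from something the PR branch cannot rewrite.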