Sharing secrets for forked PRs with approval

Hey folks, so I have a project that would need some secrets exposed for testing community PRs and obviously I don’t want to leak these. I think I could use manual approvals [1] to hold PR testing until I inspect the PR and make sure it’s not malicious. The only thing I would need to make sure about is that the circle config.yml is always taken from master branch (because otherwise an attacker could change the config in their PR to remove the manual approval step and leak my secrets). Is there any guarantee/setting that would make sure that the config file is always taken from master (or a given branch)?

Thanks!

[1] https://circleci.com/docs/2.0/workflows/#holding-a-workflow-for-a-manual-approval

Hey there, and welcome to Discuss!

There isn’t currently a way to ensure that your config only runs on a given branch (although you can use your config file to restrict your tests to a given branch), but the manual approval idea sounds like a good solution.

If you find that a different process would work better down the road, please feel free to submit a suggestion on our Ideas page, which heavily influences how we prioritize feature requests.

Let us know if you need anything else!

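An added example of the hold-based workflow discussed in this thread (not code from the original post or from CircleCI's documentation): `unit-tests` runs for every PR without secrets, and a `type: approval` job gates the only job that receives the secret, which is attached through a context. The Docker image, the `make` targets, the context name `staging-secrets` and the variable `STAGING_API_TOKEN` are assumed names.

```yaml
version: 2.1

jobs:
  # Runs for every PR, forks included. No context is attached, so no
  # secret is available to this job even if a PR edits its steps.
  unit-tests:
    docker:
      - image: cimg/base:stable   # assumed image
    steps:
      - checkout
      - run: make test            # assumed target

  # The only job that touches the secret. It gets STAGING_API_TOKEN from
  # the context below and nowhere else.
  integration-tests:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run:
          name: Run integration tests against the staging API
          command: |
            # Fail loudly if the context was not attached, rather than
            # silently running the suite unauthenticated.
            test -n "$STAGING_API_TOKEN" || { echo "missing token"; exit 1; }
            make integration-test   # assumed target

workflows:
  pr-pipeline:
    jobs:
      - unit-tests
      # Manual gate. As the thread notes, the config that runs is the one
      # in the PR, so the reviewer must read the .circleci/config.yml diff
      # (not only the source diff) before clicking Approve.
      - hold-for-review:
          type: approval
          requires:
            - unit-tests
      - integration-tests:
          context: staging-secrets   # assumed context holding the secret
          requires:
            - hold-for-review
```

Keeping the secret in a context that is attached to exactly one job, rather than in project-level environment variables, limits what an approved run can reach to that job alone.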