Sharing secrets for forked PRs with approval

Hey folks, so I have a project that would need some secrets exposed for testing community PRs and obviously I don’t want to leak these. I think I could use manual approvals [1] to hold PR testing until I inspect the PR and make sure it’s not malicious. The only thing I would need to make sure about is that the circle config.yml is always taken from master branch (because otherwise an attacker could change the config in their PR to remove the manual approval step and leak my secrets). Is there any guarantee/setting that would make sure that the config file is always taken from master (or a given branch)?



Hey there, and welcome to Discuss!

There isn’t currently a way to ensure that your config only runs on a given branch (although you can use your config file to restrict your tests to a given branch, but the manual approval idea sounds like a good solution.

If you find that a different process would work better down the road, please feel free to submit a suggestion on our Ideas page, which heavily influences how we prioritize feature requests.

Let us know if you need anything else!

1 Like