Secure secrets in public github repo for use in PR's

jezz.santos's Avatar


10 Mar, 2017 10:05 PM

Hey guys, just run into this yesterday, and explored it with Ilya.
There seems to be no widely known durable and secure solution for this yet.

The Problem

  • You have a public github repo, and you want to accept PR's from people's own fork of your repo. (i.e. not from a branch of the origin repo).
  • During build and test, you need to inject a secret key into the test code.
  • The secret key cannot be stored (in plain text) in the repo.
  • The secret key cannot be discovered (i.e. output to build output) by people creating a PR, and injecting malicious code in their PR to display it.

Do we know of any good solutions to this?

  1. Support Staff 1 Posted by Feodor Fitsner on 11 Mar, 2017 12:18 AM

    Feodor Fitsner's Avatar

    Hi Jezz,

    The main question here - do you trust those people or they are strangers?

  2. 2 Posted by jezz.santos on 11 Mar, 2017 08:49 AM

    jezz.santos's Avatar

    Hey Feodor,

    I like to trust most people submitting a PR, god knows we can never get enough of them, but the secret I am protecting needs me to take some responsible precautions.

  3. 3 Posted by jezz.santos on 11 Mar, 2017 08:58 AM

    jezz.santos's Avatar

    As suggested here, for want of a better solution, how do I stop AppVeyor from building PR's?

    As suggested here?

  4. 4 Posted by jezz.santos on 11 Mar, 2017 09:00 AM

    jezz.santos's Avatar

    Found it: go to the github webhook for AppVeyor and deselect the PR option.

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:


Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac