Pull Request from fork just triggered deploy with credentials.

micah

21 May, 2016 01:44 AM

This pull request (https://github.com/Zoltu/bags-admin-client/pull/7), which is a PR from a fork, just triggered a full build and deploy of my service in AppVeyor (https://ci.appveyor.com/project/Zoltu/bags-admin-client/build/14).

My appveyor.yml has branches: only: master as seen here: https://github.com/Zoltu/bags-admin-client/blob/master/appveyor.yml

I also have a secure parameter required to deploy yet the deploy appears to have been successful.

I have no problem with the auto-build on PR and in fact it is desirable. However, I am concerned that a PR from a fork was able to deploy my site using secure variables. I was under the impression that PR builds didn't have access to secure credentials?

  1. 1 Posted by micah on 21 May, 2016 01:53 AM

    Looking into it more, it appears that master was built when the PR was submitted. So I guess this isn't a security issue but rather confusion on why master was built when a pull request was submitted.

    On PR, I would like a build to be triggered but no deploy to occur. I'm guessing I need to remove the branches: only: master bit but I'm not sure what to do to stop it from trying to deploy?

  2. Support Staff 2 Posted by Feodor Fitsner on 21 May, 2016 02:27 AM

    What are deployment lines in that build log?

    -Feodor


  3. 3 Posted by micah on 21 May, 2016 02:29 AM

    Ah, I think I interpreted publishing artifacts as publishing to azure when really it is just publishing artifacts to AppVeyor's artifact storage.

    I think this was just me being confused, thanks!

  4. Support Staff 4 Posted by Feodor Fitsner on 21 May, 2016 02:31 AM

    Yep, artifacts are published on PRs, but deployment won't occur.

    -Feodor


  5. Ilya Finkelshteyn closed this discussion on 25 Aug, 2018 02:06 AM.
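
The build-on-PR, deploy-only-from-master setup asked about in the thread, written as an explicit guard in a custom deploy script. This is an added example, not the appveyor.yml from the repository discussed above; the variable name `DEPLOY_TOKEN`, the `dist` folder, and the `build.ps1` and `deploy.ps1` scripts are hypothetical, and the encrypted value is a placeholder.

```yaml
# Added example; names marked "hypothetical" are not from the thread.
branches:
  only:
    - master              # on a PR build this is matched against the PR's base branch

environment:
  DEPLOY_TOKEN:           # hypothetical variable name
    secure: ENCRYPTED_VALUE_PLACEHOLDER

build_script:
  - ps: ./build.ps1       # hypothetical build step

artifacts:
  - path: dist            # hypothetical output folder, kept in AppVeyor artifact storage
    name: site

deploy_script:
  - ps: |
      # APPVEYOR_PULL_REQUEST_NUMBER is set only on pull request builds.
      if ($env:APPVEYOR_PULL_REQUEST_NUMBER) {
        Write-Host "Pull request build: skipping deploy"
        return
      }
      # APPVEYOR_REPO_BRANCH holds the base branch on PR builds, so this
      # check comes after the PR test above and does not replace it.
      if ($env:APPVEYOR_REPO_BRANCH -ne "master") {
        Write-Host "Not master: skipping deploy"
        return
      }
      # Fail closed if the secure variable was not provided to this build.
      if (-not $env:DEPLOY_TOKEN) {
        throw "DEPLOY_TOKEN is empty, refusing to deploy"
      }
      ./deploy.ps1          # hypothetical deploy step that reads $env:DEPLOY_TOKEN
```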
