Secure variables for Pull Request
What should I put in appveyor.yml to "Enable secure variables in all Pull Requests" or "Enable secure variables in Pull Requests from the same repository only"? Or is this only doable in the GUI?
I don't see any relevant entries in the appveyor.yml reference.

Support Staff 1 Posted by Feodor Fitsner on 07 Sep, 2016 01:42 PM
Obviously, this can be enabled in the UI only. Otherwise the person submitting the PR could enable secure variables for themselves in the appveyor.yml coming with the PR.
2 Posted by Gopinath Sabapa... on 07 Sep, 2016 04:20 PM
Cool. Thanks Feodor
3 Posted by Joel B on 28 Oct, 2016 10:57 PM
Is there a recommended, secure way to allow PRs without potentially exposing secure variables? Is using AppVeyor UI settings (and especially the "ignoring appveyor.yml" checkbox) recommended for this scenario?
We have a repo that we want to be publicly available, but we also need it to run tests and build actions on PRs without exposing our SSH and other sensitive details.
4 Posted by Ilya Finkelshte... on 29 Oct, 2016 07:38 PM
Hi Joel,
By default secure variables are not exposed on PRs, so you are safe. If you want you can set "Enable secure variables in Pull Requests from the same repository only" to allow trusted contributors to use them.
--ilya.
5 Posted by Joel Barker on 29 Oct, 2016 08:00 PM
Right, I understand that by default secure variables are NOT exposed on
PRs. However, in our situation, where we "have a repo that we want to be
publicly available, but we also need it to run tests and build actions on
PRs", I understand that our only option is to "Enable secure variables in
all Pull Requests", right? But that's super dangerous!
Hence my question: "Is there a recommended, secure way to allow PRs without
potentially exposing secure variables? Is using AppVeyor UI settings
[instead of an _appveyor.yml_ file] recommended for this scenario?" I'm
just trying to figure out what the recommended "best practice" is for this.
Thanks.
6 Posted by Ilya Finkelshte... on 29 Oct, 2016 08:20 PM
Sorry, I wrote the wrong setting in the previous answer (changed now).
In this situation, you can use "Enable secure variables in Pull Requests from the same repository only". With it you can control who the trusted contributors are by controlling access to the public repository.
7 Posted by kev_bite on 30 Nov, 2016 09:19 AM
Is there a way to "Enable secure variables in all Pull Requests"? I understand that you could just output the secure variable in the PR, but I've got a small open source project, and I'd rather take the hit if someone outputted the variables (which is an API key) to the console and then have to change it than not have my tests run on every pull request.
I understand you're trying to safeguard people but I feel that if you understand the risk you should be able to allow it.
For my personal reference: https://github.com/kevbite/CompaniesHouse.NET/issues/56
Thanks
8 Posted by Ilya Finkelshte... on 01 Dec, 2016 03:24 AM
Sorry, we don't have this option for open source projects; this is too risky.
Maybe you can just create an access token with very limited scope on https://github.com/settings/tokens and just keep it in clear text?
--ilya.
9 Posted by dragon788 on 01 Dec, 2016 03:55 PM
@kev_bite I think the only way for this to currently work is to add the users making pull requests to the repository as contributors. This should give them permissions to run the build with the secure variables (own repo only) setting, but probably only if they are going from a branch on the main repo. Definitely non-optimal.
Ilya Finkelshteyn closed this discussion on 25 Aug, 2018 02:09 AM.
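For the scenario raised in comments 3 and 5 (tests on every PR, secrets withheld from forks), a build script can check whether the secure variable is actually present and skip only the steps that need it. This is an added example, not part of the original thread or AppVeyor's own code; it assumes a POSIX shell build step, a hypothetical secure variable named API_KEY, and AppVeyor's APPVEYOR_PULL_REQUEST_NUMBER, APPVEYOR_REPO_NAME and APPVEYOR_PULL_REQUEST_HEAD_REPO_NAME build variables.

```shell
#!/bin/sh
# Added example: classify an AppVeyor build and decide whether steps that need
# a secure variable may run. API_KEY is a hypothetical secure variable name.

# Prints one of: branch, same-repo-pr, fork-pr
build_kind() {
    # APPVEYOR_PULL_REQUEST_NUMBER is only set on pull request builds.
    if [ -z "${APPVEYOR_PULL_REQUEST_NUMBER:-}" ]; then
        echo branch
    elif [ -n "${APPVEYOR_REPO_NAME:-}" ] &&
         [ "${APPVEYOR_PULL_REQUEST_HEAD_REPO_NAME:-}" = "$APPVEYOR_REPO_NAME" ]; then
        echo same-repo-pr
    else
        echo fork-pr   # a missing or different head repo is treated as untrusted
    fi
}

# Returns 0 when secret-dependent steps should run, 1 when they must be skipped.
secrets_usable() {
    kind=$(build_kind)
    if [ "$kind" = fork-pr ]; then
        return 1       # never use the secret on fork PRs, even if it is set
    fi
    # Same-repo PRs only receive the value when the UI setting is on, so check
    # that it is really present instead of assuming.
    [ -n "${API_KEY:-}" ]
}

run_build() {
    echo "build kind: $(build_kind)"
    echo "running unit tests (no secrets needed)"
    if secrets_usable; then
        echo "running integration tests with API_KEY"
    else
        echo "skipping integration tests: secure variable not available"
    fi
}

run_build
```

Because a pull request can change this script along with everything else in the repository, the guard only keeps fork builds passing; the protection itself is the UI setting discussed in the thread.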