Unable to access Secure Environment variable in Pull Request
Secure environment variables are unavailable in PRs (for security reasons) unless the UI has "Enable secure variables in Pull Requests from the same repository only" ticked.
I have this ticked but I still cannot access the secure env var.
Now my guess is this => it's not the same repository.
I fork upstream into my own repo (called origin) ... change code, submit a PR from origin -> upstream. Upstream CI kicks off .... and secure is not available.
So here's my problem:
When a PR arrives, I need to get a code coverage report. So I calculate the code coverage and wish to send the report up codecov.io so when I jump into the PR to review it, I can see a nice pretty chart with the current PR's code coverage stats. I can't push the codecov report up because the secure variables are not available.
Is this possible?
-PK-
Support Staff 1 Posted by Feodor Fitsner on 04 Mar, 2020 06:32 PM
Any PR from an external repository is considered potentially insecure. Once the secret reaches the build VM there is no way to prevent someone from revealing it if they can submit arbitrary code in the PR. Having full access to the VM during the build, there is no way to hide/encrypt the secret (or it's hard to implement reliably).
How do you send those code coverage stats? Maybe we could implement a deployment provider that can be configured as environment?...
2 Posted by Pure Krome on 04 Mar, 2020 11:22 PM
Yep - I fully understand and agree re: insecurity. Hmm..
Great question, here's a snippet of my appveyor.yml. I'm trying to use a MATRIX so I do a DEBUG and RELEASE build (at the same time). DEBUG builds do the code coverage. RELEASE builds do the tests (with no code coverage).
Ok. So here we can see that, for DEBUG, we:
notice this bit: =>
-t $env:codecov_token
I originally had this:
but we know that's not going to work now.
Questions:
after_test
phase? No, but it feels right. So that's the workflow I'm looking at playing with.
Lastly, I would have thought this is a solved problem already -> meaning, I'm not the first person to be doing this?
Support Staff 3 Posted by Feodor Fitsner on 04 Mar, 2020 11:27 PM
You are probably the first who is asking to do that in fork PRs...Anyway,
codecov.sh
looks non-trivial - there is no way we could re-implement that in C# :)
That codecov token - does it have full rights to your CodeCov account or does it only have "upload" permissions?
Support Staff 4 Posted by Feodor Fitsner on 04 Mar, 2020 11:28 PM
I was wrong about CodeCov client: https://github.com/codecov/codecov-exe
Support Staff 5 Posted by Feodor Fitsner on 04 Mar, 2020 11:34 PM
OK, let's imagine we add a new "CodeCov" deployment environment being able to upload CodeCov
*.xml
reports... Again, you'd need to allow deployments during PRs then, which is also not good, right?
6 Posted by Pure Krome on 04 Mar, 2020 11:34 PM
So each GitHub repo inside CodeCov has its own token. It looks like it's an UPLOAD ONLY token.
Here's a screenshot of one repo, for our GH org:
Note the text there:
Note: Token not required for public repositories uploading from Travis, CircleCI or AppVeyor.
This is a PRIVATE repo.
7 Posted by Pure Krome on 04 Mar, 2020 11:36 PM
Yep, agreed.
One thought I had was: if this was a PRIVATE REPO, then does that mean all the people with access are "trusted"?
If public, then we don't need a token (based on what that screen shot says).
Support Staff 8 Posted by Feodor Fitsner on 04 Mar, 2020 11:41 PM
Exactly! If it's a private repo then it's assumed the people are trusted as they already have access to the base repo. So, you just need to allow
Enable secure variables in all Pull Requests
then.
9 Posted by Pure Krome on 05 Mar, 2020 12:55 AM
Yep - I have already done that, though :( And it's not working because that check box is only for PRs from the same repo.
Forks are not the same repo.
Hence my problem :(
EDIT: Exact text from UI is:
Enable secure variables in Pull Requests from the same repository only
Support Staff 10 Posted by Feodor Fitsner on 05 Mar, 2020 12:57 AM
Wait a minute...
Enable secure variables in all Pull Requests
is visible for private projects only. You said that was a private repo?
11 Posted by Pure Krome on 05 Mar, 2020 01:01 AM
/me checks.
12 Posted by Pure Krome on 05 Mar, 2020 01:03 AM
Oh FFS. It's public (which is ok) - I thought this was a private repo.
Ok. So the tick box is useless for a public repo.
codecov doesn't need a token for public repos, it seems.
I'm going to test this out (no token AND the codecov script detects it's AppVeyor) and then confirm back.
I've got a feeling that I might have just wasted your time and I'm starting to feel really bad, now.
EDIT:
(FWIW: we are a paying customer, though, with 2x parallel builds :) )
13 Posted by Pure Krome on 05 Mar, 2020 03:24 AM
Yep - confirmed. Eeks - all is good.
It's a public repo, so codecov didn't need the upload token (which is sorta scary) and if this was a private repo, then that checkbox would work.
Sorry Feodor to have potentially wasted some of your time.
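The upload step the thread converges on (DEBUG configuration uploads coverage; the token is only present when AppVeyor has released it, and public repos upload to Codecov tokenless), written out as an added PowerShell example for an AppVeyor after_test step. This is not code from the thread, from AppVeyor or from Codecov. It assumes codecov-exe is on PATH as `codecov`, that `-f` selects the report file (only `-t` appears in the thread), that the report is at `.\coverage.xml`, and that the AppVeyor-provided variables `CONFIGURATION`, `APPVEYOR_REPO_NAME` and `APPVEYOR_PULL_REQUEST_HEAD_REPO_NAME` are set as their names suggest; the `Get-UploadDecision` function is hypothetical.

```powershell
# Added example (not from the thread): guarded Codecov upload for an AppVeyor
# after_test step. Assumptions: codecov-exe is on PATH as `codecov`, the report
# is at .\coverage.xml, and `-f` selects the report file.

function Get-UploadDecision {
    param(
        [string]$Configuration,   # CONFIGURATION from the build matrix (Debug / Release)
        [string]$RepoName,        # APPVEYOR_REPO_NAME, the base repo as owner/name
        [string]$PrHeadRepoName,  # APPVEYOR_PULL_REQUEST_HEAD_REPO_NAME, empty when not a PR
        [string]$Token            # the codecov_token secure variable, empty when withheld
    )
    # Only the DEBUG leg of the matrix collects coverage (string compare is case-insensitive).
    if ($Configuration -ne 'Debug') { return 'skip: not a coverage configuration' }

    # A fork PR has a head repo that differs from the base repo; AppVeyor never
    # releases secure variables to it, so an empty token there is expected.
    $isForkPr = ($PrHeadRepoName -ne '') -and ($PrHeadRepoName -ne $RepoName)

    if ($Token -ne '') { return 'upload: with token' }
    if ($isForkPr)     { return 'upload: tokenless (fork PR; works for public repos only)' }
    return 'upload: tokenless (no secure variable released; public repos only)'
}

$decision = Get-UploadDecision -Configuration "$env:CONFIGURATION" `
    -RepoName "$env:APPVEYOR_REPO_NAME" `
    -PrHeadRepoName "$env:APPVEYOR_PULL_REQUEST_HEAD_REPO_NAME" `
    -Token "$env:codecov_token"
Write-Host "codecov step: $decision"

if ($decision -like 'upload*') {
    $codecovArgs = @('-f', '.\coverage.xml')
    if ($env:codecov_token) { $codecovArgs += @('-t', $env:codecov_token) }
    # Do not echo $codecovArgs: that would print the token into the build log.
    & codecov @codecovArgs
    if ($LASTEXITCODE -ne 0) { throw "codecov upload failed with exit code $LASTEXITCODE" }
}
```

The decision function is separated from the upload so the log states why no token was used (fork PR versus option not enabled), which is exactly the distinction that took this thread several posts to pin down; on a private repo the two tokenless branches will fail at upload time, and the message makes the cause obvious.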
Pure Krome closed this discussion on 05 Mar, 2020 03:24 AM.