Allow some foreign PRs to use secret variables (e.g. for select authors, or on demand)

For our project we need to use proprietary tools, however we want to have a very open community. We’d like to avoid directly sharing the link to these due to piracy concerns, hence why we’re using a secret variable for the URL. However, there does not exist a solution to share these URLs with incoming pull requests as this would lead to security issues (Though being able to enable these would be a nice to have feature as we could report suspicous behavior to the correct authorities). What is the best way to approach this? There’s no service or method to allow only travis to download specific files or archives, so we’re kinda stuck here. For now we’ve disabled the travis checks, but this requires a lot of (unnecessary) manual testing.

Anything that is accessible to untrusted code is effectively public knowledge.

So just make them regular variables.
Or bury them somewhere deep inside the build logic to have some sense of security – in that it will protect them from lazy/clueless harvesters.

If you wish to protect a publicly-available service from abuse but still make it freely available, you have to do that at that service’s side: make it filter requests based on some patterns.

E.g. you can allow access only from Travis’ infrastructure by filtering by IP.

If you wish to deny your users access to some part of the product, your best bet may be to

  • run a reduced set of checks in external PRs
  • examine the changes manually for suspicious actions (i.e. make the code cross the trust boundary)
  • clone the PR branch into your repo and make an internal PR with the full set of checks

This means, of course, that you, rather than the contributor, will be responsible for diagnosing and fixing any problems that arise from the closed-source part and interacting with it – since doing that requires access to it, and it’s impossible to grant and not grant access at the same time.

  • It may be possible to give some users (e.g. those who signed an NDA) rights to run PRs in a trusted environment by adding them into your Travis organization or something. Only @BanzaiMan or someone else from the Travis staff can say that.

The following Feature Request would allow to provide PRs with credentials if an upstream developer made the last commit in the PR branch.
In this light, you would be able to “approve” a PR and allow it to run with the full set of checks by an upstream developer pushing a dummy commit to the PR branch.