Pass the PR origin's Repository Settings alongside GitHub Pull Request


#1

The issue: Cannot accurately test Pull Requests from outside repositories when the Travis-CI tests require secure environment variables.

Proposal: If the origin of the PR has environment variables in its Repository Settings, include those variables for the Travis-CI tests.

Example:

If Travis-CI included my repo’s Repository Settings when testing a PR originating from my repo, then that PR would have passed CI.

To distinguish something, PR-Target envs still won’t be included because the PR can expose the secure envs. I’m only proposing that we include PR-Origin envs because the Origin of the PR will control the code which is being tested through CI.

This maintains security because the origin of the PR is aware (or should be aware) of the Travis-CI tests prior to sending the PR.

Alternatively, if the commit has already passed CI (as in the example above), then skip CI tests on PR.


#2

I do not think this is a good idea. Broadly speaking, you can grant the upstream repo access to your secrets, but then the upstream can now do whatever they want with your secrets, just as granting PRs access to the repository’s secrets allows the PRs to do whatever a malicious PR wants to do with them.

What if the tests used your GitHub API token? Or uploaded files to S3 buckets with your credentials, or started EC2/GCE instances (and left them running after the builds)? The upstream may not do it now, but they may choose to do so at a later time.


#3

Oh, no. I’m not suggesting to “grant the upstream repo access to your secrets.”

I’m suggesting that your secrets are used only for that one PR test sent at the time the PR is created. This would be the same CI test run on your own fork (for the same commit) prior to the PR. Future changes to the upstream branch would not use your secrets.
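The thread hinges on which builds get secure variables: push builds and same-repo PRs do, fork PRs do not. The script below is an added example, not something posted in the thread or shipped by Travis-CI; it makes that distinction explicit in a build script so secret-dependent tests are skipped cleanly rather than failing with empty credentials. It reads the standard `TRAVIS_PULL_REQUEST`, `TRAVIS_REPO_SLUG`, `TRAVIS_PULL_REQUEST_SLUG` and `TRAVIS_SECURE_ENV_VARS` variables; the function names and the constructed slugs are my own.

```shell
#!/usr/bin/env bash
# Added example: classify a Travis build and decide whether steps that need
# secure environment variables may run.
#
# Arguments mirror Travis' own TRAVIS_* variables:
#   $1  TRAVIS_PULL_REQUEST       "false" for push builds, otherwise the PR number
#   $2  TRAVIS_REPO_SLUG          repository being built, e.g. "upstream/project"
#   $3  TRAVIS_PULL_REQUEST_SLUG  repository the PR came from ("" for push builds)
#   $4  TRAVIS_SECURE_ENV_VARS    "true" when Travis injected secure variables
# Returns 0 when secret-dependent steps may run, 1 when they must be skipped.
secrets_allowed() {
  pr="$1"; repo="$2"; origin="$3"; secure="$4"

  if [ "$pr" = "false" ]; then
    echo "push build on $repo: secrets available"
    return 0
  fi
  if [ -n "$origin" ] && [ "$origin" != "$repo" ]; then
    # Fork PR: the author controls the code under test but not this repo's
    # Repository Settings, so Travis withholds them (the point made in post #2).
    echo "PR #$pr from fork $origin: running without secrets"
    return 1
  fi
  if [ "$secure" != "true" ]; then
    echo "PR #$pr from $repo: Travis injected no secure variables"
    return 1
  fi
  echo "PR #$pr from $repo: same-repo branch, secrets available"
  return 0
}

# Typical use in a test script: always run the public suite, and run the
# credential-dependent integration tests only when the build is entitled to them.
run_tests() {
  echo "running unit tests (no credentials needed)"
  if secrets_allowed "${TRAVIS_PULL_REQUEST:-false}" "${TRAVIS_REPO_SLUG:-}" \
                     "${TRAVIS_PULL_REQUEST_SLUG:-}" "${TRAVIS_SECURE_ENV_VARS:-false}"; then
    echo "running integration tests against live services"
  else
    echo "skipping integration tests: no secrets for this build"
  fi
}
```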