Pull req should not expose env vars

Pull requests should use the head_branch for branch restrictions, not the target branch.

For example: if I have a deployment env var restricted to master… every pull req to master shouldn’t be running with the secure deployment env vars. Only approved/merged stuff should run with those env vars.

I know that env vars on pull reqs are restricted to members only… but this is still an unexpected behavior that could compromise the intended security.

Pull requests don’t have access to secure variables. So I cannot quite get what you want.

If you give an example of a build and what you expect to be different, that would hopefully make it more clear.