Secrets are not imported in the pipeline

Hi all,

I have an odd scenario: a repo on GitHub in an organization and a forked repo from that in my personal account. I make changes, and my personal forked repo runs the pipeline properly and the secrets are imported with no issues and run as expected; however, the PR associated with changes in a branch of my repo does not import the secrets defined in the organization repository where I try to merge the changes to.

More information can be seen here: https://github.com/freeipa/freeipa-openshift-container/pull/9#issuecomment-681912783

I thought I was impacted by this: Missing text from job output when using ANSI escape sequences

But I don’t see that the repo of the organization is at travis-ci.com, so I discard that scenario.

How can I fix this situation?

Thank you and regards!

Secret variables are per-repo-slug since they are encrypted with a key that is per-repo-slug. You won’t have them in your personal fork. AFAICS you only have them in your personal fork because you created them anew there in Travis project settings.

External PR builds (builds where the PR branch is from another repo) also don’t have access to secret variables because they are presumed to have untrusted code. Only internal PRs (where the PR branch is from the same repo) have access to them. It’s currently impossible to grant some external users access to secret variables – see Allow foreign PRs to use secret variables (and you may wish to upvote that FR).

So if you want to have your PR build have access to secret variables, you need to create it not from your personal fork but from a topic branch in the organization’s repo.

Hi native-api, thank you for your response, and sorry, I didn’t explain myself properly.

  • I have the same secrets defined at the forked repo, and in the organization repo.
  • Of course, each of them has different values, because in each case the credentials are different.
  • In the pipeline running from my forked repo, the secrets are imported with no issues.
  • In the pipeline where the PR is running (in the organization repo), the secrets (defined in the travis-ci settings for the organization repo) are not being imported.

As I said, it’s an external PR:

avisiedo wants to merge 12 commits into freeipa:master from avisiedo:idmocp-80-add-delivery-stage

Now I got you! I understood in a different way! Thank you native-api!

But still something does not fit. I have these settings in the repository of the organization:

And MY_SECRET_VAR is empty when running the pipeline in freeipa. However MY_PUBLIC_VAR has the defined value. What am I missing?

MY_SECRET_VAR was defined with the value: this_is_my_public+value

“Running the pipeline in freeipa” is not specific enough to understand what’s happening: as I pointed out earlier, it also matters what kind of build this is.

Please link to an affected build and point out what shows that it’s “empty” when initially received (i.e. not tampered with).

Sorry if I forget some information. Let me know if more details are needed. Below I provide the links to the builds:

The quick test I did was:

There’s a message about it right there: https://travis-ci.org/github/freeipa/freeipa-openshift-container/jobs/721666706#L179-L180

Encrypted environment variables have been removed for security reasons.
See https://docs.travis-ci.com/user/pull-requests/#pull-requests-and-security-restrictions

1 Like

I am blind. Thank you, now everything makes sense, sorry for any inconvenience. I have limited that stage in PR.
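The restriction discussed in this thread, as an added example that is not part of any post: a shell guard a delivery stage can call so that it skips cleanly on external PR builds instead of running with empty secrets. `TRAVIS_PULL_REQUEST`, `TRAVIS_PULL_REQUEST_SLUG`, `TRAVIS_REPO_SLUG` and `TRAVIS_SECURE_ENV_VARS` are Travis CI's default environment variables; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# the TRAVIS_* variables are Travis CI's default environment variables.

# Prints the build type: push, internal_pr or external_pr.
build_kind() {
    if [ "${TRAVIS_PULL_REQUEST:-false}" = "false" ]; then
        echo push
    elif [ -n "${TRAVIS_PULL_REQUEST_SLUG:-}" ] &&
         [ "${TRAVIS_PULL_REQUEST_SLUG}" = "${TRAVIS_REPO_SLUG:-}" ]; then
        echo internal_pr      # PR branch lives in the same repo
    else
        echo external_pr      # PR branch comes from a fork: untrusted code
    fi
}

# Succeeds only when Travis reports secure variables and the build is
# not an external PR (where encrypted variables are removed).
secrets_available() {
    [ "${TRAVIS_SECURE_ENV_VARS:-false}" = "true" ] || return 1
    [ "$(build_kind)" != "external_pr" ]
}

# require_secrets VAR...
#   0: every named variable is set, the stage can run
#   1: secrets are withheld for this build type, skip the stage
#   2: trusted build but a variable is empty, a real misconfiguration
require_secrets() {
    if ! secrets_available; then
        echo "skip: $(build_kind) build has no secret variables" >&2
        return 1
    fi
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "error: $name is empty in a trusted build" >&2
            return 2
        fi
    done
    return 0
}
```

Treating return code 1 as a skip and return code 2 as a failure keeps an expected external-PR skip distinct from a secret that is genuinely missing from the repository settings.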
