Security and CI Pull Requests question

So I was looking at Travis ci to do some integration testing though same question applies to any solution.

I would like each pull request to be tested and validated then upon merge I’d like that merge to generate an artifact so let’s say a docker image in this example.

Since I want to publish the image I have $DOCKER_USER and $DOCKER_PASSWORD defined in my travis env.

My concern is that since this is an Open Source project anyone can do a push request and since $DOCKER_PASSWORD exists they can easily change the .travis.yml which drives the behavior of the build to do anything they like.

like deleting an image, inject malicious code and publish the image and so on.

Is there a way to prevent changes to or require authorization before executing a build that modify the job’s config?

How do people address these type of potential security risks.

(Note: Yes I know I can just turn off CI on PRs but I don’t think that’s a valid fix)

PRs don’t have access to them. Read this:

Awesome. Thanks.