Explicitly disable secrets in forked PRs #445
Conversation
Seems that CircleCI was using a deploy key with forked PR builds. However, they were not exposing the secret environment variables before. Though now it appears that they are exposing secret environment variables too. This is a bit strange as the CircleCI defaults to having the setting for secret environment variables disabled by default. In other words, it appears this default is not respected by CircleCI currently. As a workaround, we seem to be able to fix this by explicitly disabling secret environment variables as well. A little bit of testing verifies this works as intended. While it is a workaround, it is a good thing to keep should CircleCI ever change the default value of this setting. Thus we have added this change to the configuration of CircleCI on new feedstocks right after project creation in this commit. Should note this also uses a non-public portion of the API as does enabling PRs from forks. However, we have gotten assurances from CircleCI before that this is ok to use.
|
cc @isuruf |
| response = requests.put(url, headers=headers, json={'feature_flags':{'forks-receive-secret-env-vars':False}}) | ||
| if response.status_code != 200: | ||
| response.raise_for_status() | ||
| # Enable CircleCI builds on forked PRs. | ||
| response = requests.put(url, headers=headers, json={'feature_flags':{'build-fork-prs':True}}) |
There was a problem hiding this comment.
Is it possible to send both options as one request?
There was a problem hiding this comment.
Possibly. Also wanted to make sure that they were done in this order just in case.
Edit: Fixed grammar.
|
Thanks @isuruf. I'm going to put this in version Also have ran this on all existing feedstocks. As a quick final test, PR ( conda-forge/ijroi-feedstock#2 ) demonstrates this is now working correctly. Please let me know if you see anything that isn't. |
|
Added a few more PRs of my own to verify this was acting correctly and it seems to be ok. |
|
This is being released ATM. Linux releases, which staged-recipes and the re-rendering service rely on, are already released. Also Mac releases are out. Windows releases are queued. |
Seems that CircleCI was using a deploy key with forked PR builds. However, they were not exposing the secret environment variables before. Though now it appears that they are exposing secret environment variables too. This is a bit strange as the CircleCI defaults to having the setting for secret environment variables disabled by default. In other words, it appears this default is not respected by CircleCI currently.
As a workaround, we seem to be able to fix this by explicitly disabling secret environment variables as well. A little bit of testing verifies this works as intended. While it is a workaround, it is a good thing to keep should CircleCI ever change the default value of this setting. Thus we have added this change to the configuration of CircleCI on new feedstocks right after project creation in this commit.
Should note this also uses a non-public portion of the API as does enabling PRs from forks. However, we have gotten assurances from CircleCI before that this is ok to use.