Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Project option to disable passing variables to PR #38

Closed
sgotti opened this issue Jul 11, 2019 · 0 comments · Fixed by #198
Closed

Project option to disable passing variables to PR #38

sgotti opened this issue Jul 11, 2019 · 0 comments · Fixed by #198
Labels
enhancement New feature or request

Comments

@sgotti
Copy link
Member

sgotti commented Jul 11, 2019
edited
Loading

Currently the variable system let user filter variables by branch, tag, ref so just setting a when condition on all branches/tags or specific refs makes possible to not pass any variable to pull requests. This is very useful since a malicious user could just open a pr adding a run step that executes the env command to print all the environment variables and if some of these variables is defined in the config as from_variable it could leak some secrets.

To make all of this simpler and less error prone and avoid users explicitly define a when condition to exclude pull request we could just add a project option (perhaps enabled by default) to not pass any variable when the run is triggered by a pull request.

This should probably be done only on forked pull requests since pull request from the same repos means that the users have access to the main repo.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

cmd: project option to disable passing variables to PR from forked repo camandel/agola
1 participant
@sgotti